AWS Private CA root certificate authority should be disabled

Description

AWS Private CA root certificate authority should be disabled. Root CAs are the trust anchor for your PKI hierarchy and should be kept offline (disabled) when not actively signing subordinate CA certificates to minimize the risk of compromise.

Remediation

Disable your root certificate authority.

From the console

  1. Open the AWS Private CA console.
  2. Select your root CA.
  3. Choose Actions > Disable.
  4. Confirm the action.

From the command line

aws acm-pca update-certificate-authority \
    --certificate-authority-arn <root-ca-arn> \
    --status DISABLED
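To audit for this finding at scale rather than one CA at a time, the following added example (not part of the original check page, and not AWS or any audit tool's own code) walks the paginated output of `aws acm-pca list-certificate-authorities`, flags every CA whose `Type` is `ROOT` and whose `Status` is still `ACTIVE`, and prints the remediation command from the page for each one. The response pages and ARNs are constructed sample data shaped like the real API response; the account id and CA ids are placeholders. Root CAs that are already `DISABLED`, or that are in a non-signing state such as `PENDING_CERTIFICATE`, `EXPIRED` or `DELETED`, are reported as compliant, and subordinate CAs are ignored, since the check applies only to the trust anchor.

```python
"""Audit helper for "root CA should be disabled" (added example, hypothetical).

Input is an iterable of response pages in the shape returned by
`aws acm-pca list-certificate-authorities` (or a boto3 paginator):
each page has a "CertificateAuthorities" list whose items carry
"Arn", "Type" ("ROOT" / "SUBORDINATE") and "Status".
"""
from typing import Dict, Iterable, List

# Constructed sample: two pages, as a paginated listing would return them.
# Account id 111122223333 and the CA ids are placeholders, not real resources.
_ARN_PREFIX = "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/"
SAMPLE_PAGES = [
    {
        "CertificateAuthorities": [
            {"Arn": _ARN_PREFIX + "root-active-0001", "Type": "ROOT", "Status": "ACTIVE"},
            {"Arn": _ARN_PREFIX + "sub-active-0002", "Type": "SUBORDINATE", "Status": "ACTIVE"},
        ],
        "NextToken": "page-2",
    },
    {
        "CertificateAuthorities": [
            {"Arn": _ARN_PREFIX + "root-disabled-0003", "Type": "ROOT", "Status": "DISABLED"},
            {"Arn": _ARN_PREFIX + "root-pending-0004", "Type": "ROOT", "Status": "PENDING_CERTIFICATE"},
            {"Arn": _ARN_PREFIX + "root-deleted-0005", "Type": "ROOT", "Status": "DELETED"},
        ]
    },
]


def evaluate_root_cas(pages: Iterable[dict]) -> List[Dict[str, str]]:
    """Return one result per ROOT CA: FAIL if it is still ACTIVE, PASS otherwise."""
    results = []
    for page in pages:
        for ca in page.get("CertificateAuthorities", []):
            if ca.get("Type") != "ROOT":
                continue  # subordinate CAs are expected to stay ACTIVE
            status = ca.get("Status", "UNKNOWN")
            results.append({
                "arn": ca["Arn"],
                "status": status,
                "result": "FAIL" if status == "ACTIVE" else "PASS",
            })
    return results


def active_root_cas(pages: Iterable[dict]) -> List[str]:
    """ARNs of root CAs that can still sign, i.e. the non-compliant ones."""
    return [r["arn"] for r in evaluate_root_cas(pages) if r["result"] == "FAIL"]


def remediation_command(arn: str) -> str:
    """The CLI command from the remediation section, filled in for one CA."""
    return (
        "aws acm-pca update-certificate-authority "
        f"--certificate-authority-arn {arn} --status DISABLED"
    )


def report(pages: Iterable[dict]) -> Dict[str, str]:
    """Map each failing root CA ARN to the command that disables it."""
    return {arn: remediation_command(arn) for arn in active_root_cas(pages)}


if __name__ == "__main__":
    for row in evaluate_root_cas(SAMPLE_PAGES):
        print(f"{row['result']:4} {row['status']:20} {row['arn']}")
    for arn, cmd in report(SAMPLE_PAGES).items():
        print("remediate:", cmd)
```

With real data, feed the function the pages from `boto3.client("acm-pca").get_paginator("list_certificate_authorities").paginate()` instead of `SAMPLE_PAGES`; the page shape is the same. Keep in mind that `DISABLED` is reversible: when the root next needs to sign a subordinate CA certificate, the same `update-certificate-authority` call with `--status ACTIVE` re-enables it, and it should be disabled again afterwards.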