AWS ACM certificate authority deleted
Description
AlphaSOC detected that an AWS Certificate Manager (ACM) private certificate authority (CA) was deleted using the DeleteCertificateAuthority action. This action removes the CA from ACM and may be used by threat actors to disrupt communications, invalidate authentication mechanisms, and potentially cause service downtime.
Impact
Deletion of a certificate authority can lead to significant disruptions in communications, potentially affecting multiple services and applications that rely on the deleted CA for TLS certificates.
Severity
| Severity | Condition |
|---|---|
| Low | AWS ACM certificate authority deleted |
Investigation and Remediation
Review AWS CloudTrail logs to identify the user or role that executed the DeleteCertificateAuthority action and verify whether it was authorized. If unauthorized, rotate any potentially compromised credentials and restore the deleted CA if possible.
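The CloudTrail review described above can be scripted. The following is an added example, not AlphaSOC's or AWS's own code: it scans a CloudTrail log file for DeleteCertificateAuthority calls, attributes each one to the calling user or role, and reports the date by which a successful deletion can still be restored. The sample records, the allow-list of authorized principals, and the 30-day default restoration period are assumptions of this example.

```python
import json
from datetime import datetime, timedelta

# Constructed CloudTrail records for illustration; account ID, ARNs and IPs are placeholders.
ACCT = "111122223333"
CA = f"arn:aws:acm-pca:us-east-1:{ACCT}:certificate-authority/EXAMPLE"
SAMPLE = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "acm-pca.amazonaws.com",
     "eventName": "DeleteCertificateAuthority", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": f"arn:aws:sts::{ACCT}:assumed-role/pki-admin/alice",
                      "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::{ACCT}:role/pki-admin"}}},
     "requestParameters": {"certificateAuthorityArn": CA + "-1", "permanentDeletionTimeInDays": 7}},
    {"eventTime": "2024-05-02T03:40:00Z", "eventSource": "acm-pca.amazonaws.com",
     "eventName": "DeleteCertificateAuthority", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/build-bot"},
     "requestParameters": {"certificateAuthorityArn": CA + "-2"}},
    {"eventTime": "2024-05-02T03:41:00Z", "eventSource": "acm-pca.amazonaws.com",
     "eventName": "DeleteCertificateAuthority", "sourceIPAddress": "203.0.113.9",
     "errorCode": "AccessDeniedException",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/build-bot"},
     "requestParameters": {"certificateAuthorityArn": CA + "-3"}},
    {"eventTime": "2024-05-02T04:00:00Z", "eventSource": "acm-pca.amazonaws.com",
     "eventName": "ListCertificateAuthorities", "userIdentity": {"type": "IAMUser"}},
]})

def find_ca_deletions(log_text, authorized_principals):
    """Return one finding per DeleteCertificateAuthority call in a CloudTrail log file."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if (rec.get("eventSource"), rec.get("eventName")) != (
                "acm-pca.amazonaws.com", "DeleteCertificateAuthority"):
            continue
        ident = rec.get("userIdentity", {})
        # For assumed roles, attribute the call to the role itself, not the session ARN.
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
        principal = issuer or ident.get("arn", "unknown")
        params = rec.get("requestParameters") or {}
        # Assumption: the restoration period is 30 days when the caller sets none.
        days = params.get("permanentDeletionTimeInDays") or 30
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        succeeded = "errorCode" not in rec  # failed attempts are still worth reviewing
        findings.append({
            "principal": principal, "source_ip": rec.get("sourceIPAddress"),
            "ca_arn": params.get("certificateAuthorityArn"),
            "succeeded": succeeded, "authorized": principal in authorized_principals,
            "restore_by": (when + timedelta(days=days)).isoformat() + "Z" if succeeded else None,
        })
    return findings
```

Findings with `authorized` set to false and `succeeded` set to true are the ones to act on first, since `restore_by` bounds the time left to restore the CA.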