Ensure ACM certificate is using a minimum of 2048-bit key for RSA certificate
It is recommended to use a minimum of 2048-bit key for RSA certificates, an update to the widely-accepted recommendation of a 1024-bit minimum.
Risk Level: High
Cloud Entity: AWS Certificate Manager
CloudGuard Rule ID: D9.AWS.CRY.60
Category: Security, Identity, & Compliance
GSL LOGIC
AcmCertificate where (keyAlgorithm regexMatch /RSA/ and status like 'ISSUED' ) should have keyAlgorithm regexMatch /[1-9]\d{4}|[3-9]\d{3}|2([1-9]\d{2}|0([5-9]\d|4[89]))/
REMEDIATION
From Portal
- Go to 'Certificate Manager'
- Identify certificates with 'Public key info' below 'RSA-2048'
- Update the relevant certificates to use at least 'RSA-2048' keys
From Command Line
To list all ACM certificates, run:
aws acm --region REGION list-certificates
To check an ACM certificate's key algorithm, run:
aws acm describe-certificate --region REGION --certificate-arn CERTIFICATE-ARN
References
- https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/list-certificates.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/describe-certificate.html
AWS Certificate Manager
AWS Certificate Manager is a service that lets you easily provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates.
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST v11.0.0
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- AWS PCI-DSS 4.0
Updated over 1 year ago