Ensure ACM certificate is using a minimum of 2048-bit key for RSA certificate

It is recommended to use a minimum 2048-bit key for RSA certificates; this updates the formerly widely accepted recommendation of a 1024-bit minimum.

Risk Level: High
Cloud Entity: AWS Certificate Manager
CloudGuard Rule ID: D9.AWS.CRY.60
Category: Security, Identity, & Compliance

GSL LOGIC

AcmCertificate where (keyAlgorithm regexMatch /RSA/ and status like 'ISSUED' ) should have keyAlgorithm regexMatch /[1-9]\d{4}|[3-9]\d{3}|2([1-9]\d{2}|0([5-9]\d|4[89]))/

REMEDIATION

From Portal

  1. Go to 'Certificate Manager'
  2. Identify certificates with 'Public key info' below 'RSA-2048'
  3. Update the relevant certificates to use at least 'RSA-2048' keys

From Command Line
To list all ACM certificates, run:

aws acm --region REGION list-certificates

To check an ACM certificate's key algorithm, run:

aws acm describe-certificate --region REGION --certificate-arn CERTIFICATE-ARN
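
The two commands above combined into one audit, as an added example that is not part of the original page or of CloudGuard's own tooling: a POSIX shell script that mirrors the GSL logic, walking every certificate in a region and reporting ISSUED RSA certificates whose key is below 2048 bits. It assumes AWS CLI v2 with configured credentials, and a hypothetical ACM_AUDIT_REGION environment variable stands in for REGION.

```shell
#!/bin/sh
# Added example (not CloudGuard's or AWS's own code): audit ACM certificates
# for RSA keys below 2048 bits, the check the GSL rule above expresses.
# Assumes AWS CLI v2 with credentials configured; REGION is taken from the
# hypothetical ACM_AUDIT_REGION environment variable.

# Print the modulus size of an ACM KeyAlgorithm value such as "RSA_2048";
# returns 1 (prints nothing) for non-RSA algorithms such as EC_prime256v1.
rsa_key_bits() {
  case "$1" in
    RSA[_-]*) printf '%s\n' "${1#RSA[_-]}" ;;
    *) return 1 ;;
  esac
}

# is_compliant KEY_ALGORITHM STATUS
# Returns 0 when the certificate passes the rule: it is not ISSUED, it is not
# RSA, or it is RSA with a key of at least 2048 bits. Returns 1 otherwise.
is_compliant() {
  alg=$1; status=$2
  [ "$status" = "ISSUED" ] || return 0            # rule scopes to ISSUED certs
  bits=$(rsa_key_bits "$alg") || return 0          # non-RSA keys are out of scope
  case "$bits" in
    ''|*[!0-9]*) return 1 ;;                       # unparsable size: flag for review
  esac
  [ "$bits" -ge 2048 ]
}

# audit_region REGION: print the ARN and algorithm of every non-compliant cert.
# list-certificates returns only RSA_2048 certificates unless --includes names
# the other key types, so an audit that omits it would never see RSA_1024.
audit_region() {
  region=$1
  aws acm list-certificates --region "$region" \
      --includes keyTypes=RSA_1024,RSA_2048,RSA_3072,RSA_4096 \
      --query 'CertificateSummaryList[].CertificateArn' --output text |
    tr '\t' '\n' |
    while read -r arn; do
      [ -n "$arn" ] || continue
      # Text output of a multi-select list is one tab-separated line.
      set -- $(aws acm describe-certificate --region "$region" \
                 --certificate-arn "$arn" \
                 --query 'Certificate.[KeyAlgorithm,Status]' --output text)
      is_compliant "$1" "$2" || printf 'NON-COMPLIANT %s %s\n' "$arn" "$1"
    done
}

[ -z "${ACM_AUDIT_REGION:-}" ] || audit_region "$ACM_AUDIT_REGION"
```

Run it as `ACM_AUDIT_REGION=us-east-1 sh acm-rsa-audit.sh` (file name is illustrative); each line it prints is a certificate the portal steps above would show with 'Public key info' below 'RSA-2048'.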

References

  1. https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/list-certificates.html
  4. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/describe-certificate.html

AWS Certificate Manager

AWS Certificate Manager is a service that lets you easily provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0