AWS ACM RSA Certificate key length is less than 2048 bits
- Contextual name: RSA Certificate key length is less than 2048 bits
- ID: /ce/ca/aws/acm/rsa-certificate-key-length-less-than-2048-bits
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
- prod.logic.yaml
Similar Policies
- Internal: dec-x-4de1c44e
Similar Internal Rules
Rule | Policies | Flags |
---|---|---|
dec-x-4de1c44e | 1 | |
Description
All RSA certificates managed by AWS Certificate Manager (ACM) must have a key length of at least 2048 bits. This includes certificates imported into ACM by users. Ensuring the use of 2048-bit keys enhances the security of the certificates, aligning with modern cryptographic standards and reducing vulnerabilities to brute-force attacks.
Rationale
The use of RSA keys with a minimum length of 2048 bits provides stronger encryption, improving the security posture of applications and services relying on ACM-managed certificates. Shorter keys are more susceptible to cryptographic attacks, which could compromise sensitive data.
Impact
May require updates to legacy systems or certificates.
Audit
This policy will mark a certificate as INCOMPLIANT if the Key Algorithm is RSA-1024 and the Status field is set to Issued. If the Status field is not Issued, the certificate will be marked as INAPPLICABLE.
Remediation
It is not possible to change the key length of a certificate after it has been imported. Instead, delete certificates with a key length smaller than 2,048 bits.
Note: You cannot delete an ACM certificate that is in use by another AWS service. To delete such a certificate, you must first remove its association with the service.
From Command Line
Use the delete-certificate command to remove a certificate:
aws acm delete-certificate --certificate-arn {{certificate-arn}}
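The following Python is an added example, not part of this policy page or of the rule's own prod.logic.yaml. It implements the Audit rule above (only Issued certificates are evaluated; an issued RSA-1024 certificate is INCOMPLIANT, anything not issued is INAPPLICABLE) and the Remediation note that a certificate still in use by another service cannot be deleted. It assumes input records shaped like the Certificate object returned by aws acm describe-certificate (KeyAlgorithm, Status, InUseBy, CertificateArn); the account id, certificate ids and load balancer ARN in the sample data are constructed placeholders. It generalizes the page's RSA-1024 check slightly by treating any RSA_<bits> value below 2048 as INCOMPLIANT, which in ACM's current key set is the same thing.

```python
"""Evaluate ACM certificates against the RSA key-length policy and plan remediation.

The functions below operate on dicts shaped like the ``Certificate`` object that
``aws acm describe-certificate`` returns (fields CertificateArn, KeyAlgorithm,
Status, InUseBy). The sample records at the bottom are constructed for this
example; the ARNs are placeholders, not real resources.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

MIN_RSA_BITS = 2048
# ACM reports RSA keys as "RSA_1024", "RSA_2048", "RSA_3072", "RSA_4096";
# EC keys look like "EC_prime256v1" and are outside this policy's scope.
RSA_KEY_RE = re.compile(r"^RSA_(\d+)$")


def rsa_key_bits(key_algorithm: str) -> Optional[int]:
    """Return the RSA modulus length encoded in an ACM KeyAlgorithm value, or None for non-RSA keys."""
    match = RSA_KEY_RE.match(key_algorithm or "")
    return int(match.group(1)) if match else None


def evaluate(cert: Dict) -> str:
    """Classify one certificate as COMPLIANT, INCOMPLIANT or INAPPLICABLE.

    Mirrors the audit rule on the page: only ISSUED certificates are evaluated,
    and an issued RSA certificate shorter than 2048 bits is INCOMPLIANT.
    """
    if cert.get("Status") != "ISSUED":
        return "INAPPLICABLE"
    bits = rsa_key_bits(cert.get("KeyAlgorithm", ""))
    if bits is not None and bits < MIN_RSA_BITS:
        return "INCOMPLIANT"
    return "COMPLIANT"


def remediation_plan(certs: Iterable[Dict]) -> Dict[str, List]:
    """Split INCOMPLIANT certificates into those deletable now and those still bound to a service.

    ACM refuses to delete a certificate whose InUseBy list is non-empty, so the
    plan surfaces those bindings for the operator to remove first.
    """
    deletable: List[str] = []
    blocked: List[Tuple[str, List[str]]] = []
    for cert in certs:
        if evaluate(cert) != "INCOMPLIANT":
            continue
        arn = cert["CertificateArn"]
        in_use_by = list(cert.get("InUseBy") or [])
        if in_use_by:
            blocked.append((arn, in_use_by))
        else:
            deletable.append(arn)
    return {"delete": deletable, "blocked": blocked}


def delete_commands(plan: Dict[str, List]) -> List[str]:
    """Render the page's delete-certificate command for every deletable ARN."""
    return [f"aws acm delete-certificate --certificate-arn {arn}" for arn in plan["delete"]]


# Constructed sample data (placeholder account id and certificate ids).
SAMPLE_CERTS = [
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/example-weak-unused",
     "KeyAlgorithm": "RSA_1024", "Status": "ISSUED", "InUseBy": []},
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/example-weak-on-alb",
     "KeyAlgorithm": "RSA_1024", "Status": "ISSUED",
     "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/example/0123456789abcdef"]},
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/example-weak-pending",
     "KeyAlgorithm": "RSA_1024", "Status": "PENDING_VALIDATION", "InUseBy": []},
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/example-strong",
     "KeyAlgorithm": "RSA_2048", "Status": "ISSUED", "InUseBy": []},
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/example-ec",
     "KeyAlgorithm": "EC_prime256v1", "Status": "ISSUED", "InUseBy": []},
]

if __name__ == "__main__":
    for cert in SAMPLE_CERTS:
        print(f"{evaluate(cert):12} {cert['CertificateArn']}")
    plan = remediation_plan(SAMPLE_CERTS)
    for line in delete_commands(plan):
        print(line)
    for arn, bindings in plan["blocked"]:
        print(f"skip {arn}: still in use by {', '.join(bindings)}")
```

In a real account the input dicts would come from aws acm describe-certificate for each ARN returned by aws acm list-certificates; the plan prints the delete command only for certificates with an empty InUseBy list and lists the service bindings that must be removed before the remaining ones can be deleted.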
policy.yaml
Linked Framework Sections
Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
---|---|---|---|---|---|
AWS Foundational Security Best Practices v1.0.0 → [ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits | 1 | 1 | no data | | |
Cloudaware Framework → Cryptographic Configuration | 8 | no data | | | |
PCI DSS v3.2.1 → 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks. | 1 | 8 | 21 | no data | |
PCI DSS v4.0.1 → 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks. | 2 | 21 | no data | | |
PCI DSS v4.0 → 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks. | 2 | 9 | 21 | no data | |