AWS ACM RSA Certificate key length is less than 2048 bits
- Contextual name: RSA Certificate key length is less than 2048 bits
- ID: /ce/ca/aws/acm/rsa-certificate-key-length-less-than-2048-bits
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
- prod.logic.yaml
Similar Policies
- Internal: dec-x-4de1c44e
Similar Internal Rules
| Rule | Policies | Flags |
|---|---|---|
| dec-x-4de1c44e | 1 | |
Description
All RSA certificates managed by AWS Certificate Manager (ACM) must have a key length of at least 2048 bits. This includes certificates imported into ACM by users. Ensuring the use of 2048-bit keys enhances certificate security, aligns with modern cryptographic standards, and reduces vulnerabilities to brute-force attacks.
Rationale
The use of RSA keys with a minimum length of 2048 bits provides stronger encryption, improving the security posture of applications and services relying on ACM-managed certificates. Shorter keys are more susceptible to cryptographic attacks, which could compromise sensitive data.
Impact
May require updates to legacy systems or certificates.
Audit
This policy flags an AWS ACM Certificate as INCOMPLIANT if the Key Algorithm is RSA-1024 and the Status field is set to Issued. If the Status field is not Issued, the certificate will be marked as INAPPLICABLE.
Remediation
It is not possible to change the key length of a certificate after it has been imported. Instead, delete certificates with a key length smaller than 2,048 bits.
Note: You cannot delete an ACM certificate that is in use by another AWS service. To delete such a certificate, you must first remove its association with the service.
From Command Line
Use the delete-certificate command to remove a certificate:
aws acm delete-certificate --certificate-arn {{certificate-arn}}
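The audit rule above and the in-use caveat from the remediation note, as an added worked example that is not the policy's own prod.logic.yaml and not AWS code: it classifies certificate records shaped like the `Certificate` object returned by `aws acm describe-certificate` (fields `KeyAlgorithm`, `Status`, `InUseBy`), then splits the INCOMPLIANT ones into those that can be deleted now and those still attached to another service. The sample records, account number and certificate IDs are constructed placeholders. It generalises the page's RSA-1024 rule to any `RSA_<n>` value below 2048 bits; non-RSA keys are treated as outside the rule's scope.

```python
import re

MIN_RSA_BITS = 2048

# Constructed placeholder ARNs (account and certificate IDs are not real).
ARN_OLD_IN_USE = "arn:aws:acm:us-east-1:111122223333:certificate/placeholder-0001"
ARN_OLD_PENDING = "arn:aws:acm:us-east-1:111122223333:certificate/placeholder-0002"
ARN_RSA_2048 = "arn:aws:acm:us-east-1:111122223333:certificate/placeholder-0003"
ARN_EC = "arn:aws:acm:us-east-1:111122223333:certificate/placeholder-0004"
ARN_OLD_UNUSED = "arn:aws:acm:us-east-1:111122223333:certificate/placeholder-0005"
ARN_ALB = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/placeholder/0000"

# Constructed sample records; only the fields this check reads are present.
SAMPLE_CERTIFICATES = [
    {"CertificateArn": ARN_OLD_IN_USE, "KeyAlgorithm": "RSA_1024",
     "Status": "ISSUED", "InUseBy": [ARN_ALB]},
    {"CertificateArn": ARN_OLD_PENDING, "KeyAlgorithm": "RSA_1024",
     "Status": "PENDING_VALIDATION", "InUseBy": []},
    {"CertificateArn": ARN_RSA_2048, "KeyAlgorithm": "RSA_2048",
     "Status": "ISSUED", "InUseBy": []},
    {"CertificateArn": ARN_EC, "KeyAlgorithm": "EC_prime256v1",
     "Status": "ISSUED", "InUseBy": []},
    {"CertificateArn": ARN_OLD_UNUSED, "KeyAlgorithm": "RSA_1024",
     "Status": "ISSUED", "InUseBy": []},
]


def rsa_key_bits(key_algorithm):
    """Return the modulus size for an RSA KeyAlgorithm value such as 'RSA_1024';
    None for non-RSA values such as 'EC_prime256v1'."""
    match = re.fullmatch(r"RSA_(\d+)", key_algorithm or "")
    return int(match.group(1)) if match else None


def evaluate(cert):
    """Classify one certificate record against the policy.

    INAPPLICABLE: Status is not ISSUED, so the rule does not apply.
    INCOMPLIANT : an ISSUED RSA certificate with fewer than MIN_RSA_BITS bits.
    COMPLIANT   : everything else (RSA >= 2048 bits, or a non-RSA key).
    """
    if cert.get("Status") != "ISSUED":
        return "INAPPLICABLE"
    bits = rsa_key_bits(cert.get("KeyAlgorithm"))
    if bits is not None and bits < MIN_RSA_BITS:
        return "INCOMPLIANT"
    return "COMPLIANT"


def remediation_plan(certs):
    """Split INCOMPLIANT certificates into ones deletable now and ones blocked
    by consumers listed in InUseBy (ACM refuses to delete those until the
    association is removed)."""
    deletable, blocked = [], {}
    for cert in certs:
        if evaluate(cert) != "INCOMPLIANT":
            continue
        consumers = cert.get("InUseBy") or []
        if consumers:
            blocked[cert["CertificateArn"]] = consumers
        else:
            deletable.append(cert["CertificateArn"])
    return deletable, blocked


def delete_command(arn):
    """Build the CLI command from the page's remediation step for one ARN."""
    return f"aws acm delete-certificate --certificate-arn {arn}"


if __name__ == "__main__":
    for cert in SAMPLE_CERTIFICATES:
        print(f"{evaluate(cert):12} {cert['KeyAlgorithm']:14} {cert['Status']:18} {cert['CertificateArn']}")
    deletable, blocked = remediation_plan(SAMPLE_CERTIFICATES)
    for arn in deletable:
        print("run:", delete_command(arn))
    for arn, consumers in blocked.items():
        print("blocked:", arn, "in use by", ", ".join(consumers))
```

In practice the records would come from paging `list-certificates` and calling `describe-certificate` per ARN; the classification and the InUseBy check are the parts worth keeping identical between the audit and the cleanup run, so that nothing is deleted that the audit would not have flagged.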
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| AWS Foundational Security Best Practices v1.0.0 → [ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits | 1 | 1 | no data | | |
| Cloudaware Framework → Cryptographic Configuration | 9 | no data | | | |
| PCI DSS v3.2.1 → 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks. | 1 | 8 | 28 | no data | |
| PCI DSS v4.0.1 → 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks. | 2 | 28 | no data | | |
| PCI DSS v4.0 → 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks. | 2 | 9 | 28 | no data | |