AWS ACM RSA Certificate key length is less than 2048 bits
- Contextual name: RSA Certificate key length is less than 2048 bits
- ID: /ce/ca/aws/acm/rsa-certificate-key-length-less-than-2048-bits
- Located in: AWS ACM
Flags
- Policy with categories
- Policy with type
- Production policy
Our Metadata
- Policy Type: COMPLIANCE_POLICY
- Policy Category: SECURITY
Similar Policies
- Internal: dec-x-4de1c44e
Similar Internal Rules
Rule | Policies | Flags
---|---|---
dec-x-4de1c44e | 1 |
Logic
- prod.logic.yaml
Description
All RSA certificates managed by AWS Certificate Manager (ACM) must have a key length of at least 2048 bits. This includes certificates imported into ACM by users. Ensuring the use of 2048-bit keys enhances the security of the certificates, aligning with modern cryptographic standards and reducing vulnerabilities to brute-force attacks.
Rationale
The use of RSA keys with a minimum length of 2048 bits provides stronger encryption, improving the security posture of applications and services relying on ACM-managed certificates. Shorter keys are more susceptible to cryptographic attacks, which could compromise sensitive data.
Impact
May require updates to legacy systems or certificates.
Audit
This policy will mark a certificate as INCOMPLIANT if the Key Algorithm is RSA-1024 and the Status field is set to Issued. If the Status field is not Issued, the certificate will be marked as INAPPLICABLE.
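The audit rule above, applied to constructed certificate records, as an added example that is not the policy's own prod.logic.yaml. It assumes the record shape of `aws acm describe-certificate` output (the `KeyAlgorithm` and `Status` fields of the `Certificate` object, where the CLI spells the page's "RSA-1024" as `RSA_1024` and "Issued" as `ISSUED`), and it generalises the page's single case to any RSA key shorter than 2048 bits; the ARNs are placeholders.

```python
"""Evaluate the ACM RSA key-length audit over certificate records.

Added example, not the policy's own logic. Field names follow the assumed
shape of `aws acm describe-certificate` output: Certificate.KeyAlgorithm and
Certificate.Status.
"""

# Verdicts used by the policy text.
INCOMPLIANT = "INCOMPLIANT"
COMPLIANT = "COMPLIANT"
INAPPLICABLE = "INAPPLICABLE"

MIN_RSA_BITS = 2048


def rsa_key_bits(key_algorithm):
    """Return the RSA modulus size from a KeyAlgorithm string, or None for non-RSA.

    Accepts both the CLI spelling ("RSA_1024") and the page's ("RSA-1024").
    """
    value = str(key_algorithm)
    if not value.upper().startswith("RSA"):
        return None
    suffix = value[3:].lstrip("_-")
    return int(suffix) if suffix.isdigit() else None


def evaluate(certificate):
    """Apply the audit rule to one certificate record (a dict).

    Page rule: RSA-1024 with Status Issued -> INCOMPLIANT; any other Status ->
    INAPPLICABLE. Generalised here: any issued RSA key shorter than
    MIN_RSA_BITS is INCOMPLIANT; issued non-RSA or >= 2048-bit RSA is COMPLIANT.
    """
    status = str(certificate.get("Status", "")).upper()
    if status != "ISSUED":
        return INAPPLICABLE
    bits = rsa_key_bits(certificate.get("KeyAlgorithm", ""))
    if bits is not None and bits < MIN_RSA_BITS:
        return INCOMPLIANT
    return COMPLIANT


def evaluate_all(certificates):
    """Map each certificate ARN to its verdict."""
    return {cert["CertificateArn"]: evaluate(cert) for cert in certificates}


# Constructed sample records with placeholder ARNs (not real resources).
SAMPLE_CERTIFICATES = [
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER-1",
     "KeyAlgorithm": "RSA_1024", "Status": "ISSUED"},
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER-2",
     "KeyAlgorithm": "RSA_2048", "Status": "ISSUED"},
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER-3",
     "KeyAlgorithm": "RSA_1024", "Status": "PENDING_VALIDATION"},
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER-4",
     "KeyAlgorithm": "EC_prime256v1", "Status": "ISSUED"},
]


if __name__ == "__main__":
    for arn, verdict in evaluate_all(SAMPLE_CERTIFICATES).items():
        print(f"{verdict:13} {arn}")
```

Only the first sample record is flagged: the pending 1024-bit certificate is INAPPLICABLE because the rule keys on Status first, and the EC certificate is out of scope for an RSA length check. Against a live account the same function can be fed the `Certificate` object of each `describe-certificate` call.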
Remediation
It is not possible to change the key length of a certificate after it has been imported. Instead, delete certificates with a key length smaller than 2,048 bits.
Note: You cannot delete an ACM certificate that is in use by another AWS service. To delete such a certificate, you must first remove its association with the service.
From Command Line
Use the delete-certificate command to remove a certificate:
aws acm delete-certificate --certificate-arn {{certificate-arn}}