Control: 2 RSA certificates managed by ACM should use a key length of at least 2,048 bits
Description
This control checks whether RSA certificates managed by AWS Certificate Manager use a key length of at least 2,048 bits. The control fails if the key length is smaller than 2,048 bits.
The strength of encryption directly correlates with key size. We recommend key lengths of at least 2,048 bits to protect your AWS resources as computing power becomes less expensive and servers become more advanced.
Remediation
The minimum key length for RSA certificates issued by ACM is already 2,048 bits. For instructions on issuing new RSA certificates with ACM, see Issuing and managing certificates in the AWS Certificate Manager User Guide.
While ACM allows you to import certificates with shorter key lengths, you must use keys of at least 2,048 bits to pass this control. You can't change the key length after importing a certificate. Instead, you must delete certificates with a key length smaller than 2,048 bits. For more information about importing certificates into ACM, see Prerequisites for importing certificates in the AWS Certificate Manager User Guide.
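The check described above (RSA keys below 2,048 bits fail, non-RSA keys are out of scope) and the remediation rule (key length cannot be changed after import, so short-key certificates must be deleted and replaced) can be expressed in a few lines. The following Python is an added example, not the mod's own query or AWS code: it evaluates records shaped like the KeyAlgorithm, Type and CertificateArn fields of ACM's DescribeCertificate output. The records, ARNs and domain names are constructed, and the status names (ok, alarm, skip) mirror Powerpipe's reporting conventions.

```python
import re
from dataclasses import dataclass

MIN_RSA_BITS = 2048

# Constructed sample records in the shape of ACM DescribeCertificate output.
# The ARNs, account id and domain names are placeholders, not real resources.
SAMPLE_CERTIFICATES = [
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/example-1",
     "KeyAlgorithm": "RSA_2048", "Type": "AMAZON_ISSUED", "DomainName": "a.example.com"},
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/example-2",
     "KeyAlgorithm": "RSA_1024", "Type": "IMPORTED", "DomainName": "legacy.example.com"},
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/example-3",
     "KeyAlgorithm": "EC_prime256v1", "Type": "AMAZON_ISSUED", "DomainName": "api.example.com"},
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/example-4",
     "KeyAlgorithm": "RSA_4096", "Type": "IMPORTED", "DomainName": "b.example.com"},
]

# ACM reports RSA keys as RSA_<bits> (for example RSA_2048); accept a hyphen too.
_RSA_RE = re.compile(r"^RSA[_-](\d+)$")


def rsa_key_bits(key_algorithm: str):
    """Return the modulus size for an RSA KeyAlgorithm value, or None if the key is not RSA."""
    match = _RSA_RE.match(key_algorithm.strip().upper())
    return int(match.group(1)) if match else None


@dataclass
class Finding:
    resource: str
    status: str  # "ok", "alarm" or "skip"
    reason: str


def evaluate_certificate(cert: dict) -> Finding:
    """Apply the ACM.2 rule to one certificate record."""
    arn = cert["CertificateArn"]
    algorithm = cert.get("KeyAlgorithm", "")
    bits = rsa_key_bits(algorithm)
    if bits is None:
        # EC and unknown algorithms are not RSA, so this control does not apply.
        return Finding(arn, "skip", f"{algorithm} is not an RSA key; control does not apply")
    if bits >= MIN_RSA_BITS:
        return Finding(arn, "ok", f"RSA key length {bits} meets the {MIN_RSA_BITS}-bit minimum")
    # The key length of an existing certificate cannot be changed, so the only
    # remediation is to delete it and replace it with a compliant certificate.
    if cert.get("Type") == "IMPORTED":
        action = "delete and re-import with a key of at least 2,048 bits"
    else:
        action = "delete and reissue through ACM"
    return Finding(arn, "alarm", f"RSA key length {bits} is below {MIN_RSA_BITS} bits; {action}")


def evaluate_all(certs):
    return [evaluate_certificate(c) for c in certs]


def summarize(findings):
    """Count findings per status, in the same ok/alarm/skip buckets a control report uses."""
    counts = {"ok": 0, "alarm": 0, "skip": 0}
    for finding in findings:
        counts[finding.status] += 1
    return counts


if __name__ == "__main__":
    results = evaluate_all(SAMPLE_CERTIFICATES)
    for finding in results:
        print(f"{finding.status:5} {finding.resource}: {finding.reason}")
    print(summarize(results))
```

Running the block on the constructed records reports the RSA_1024 imported certificate as an alarm with a delete-and-re-import action, the EC certificate as a skip, and the two RSA certificates at or above 2,048 bits as ok. Feeding it real DescribeCertificate output would require only replacing SAMPLE_CERTIFICATES.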
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_acm_2
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_acm_2 --share
SQL
This control uses a named query:
acm_certificate_rsa_key_length_2048_bits_or_greater