turbot/steampipe-mod-aws-compliance

Control: RSA certificates managed by ACM should use a key length of at least 2,048 bits

Description

This control checks whether RSA certificates managed by AWS Certificate Manager use a key length of at least 2,048 bits. The control fails if the key length is smaller than 2,048 bits.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.acm_certificate_rsa_key_length_2048_bits_or_greater

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.acm_certificate_rsa_key_length_2048_bits_or_greater --share

SQL

This control uses a named query:

select
  certificate_arn as resource,
  -- key_algorithm values are hyphenated (e.g. 'RSA-2048', 'EC-prime256v1'),
  -- which is what the LIKE pattern and the split_part delimiter below rely on
  case
    when not key_algorithm like 'RSA-%' then 'skip'
    when key_algorithm = 'RSA-1024' then 'alarm'
    else 'ok'
  end as status,
  case
    when not key_algorithm like 'RSA-%' then title || ' is not a RSA certificate.'
    when key_algorithm = 'RSA-1024' then title || ' is using 1024 bits key length.'
    else title || ' is using ' || split_part(key_algorithm, '-', 2) || ' bits key length.'
  end as reason,
  region,
  account_id
from
  aws_acm_certificate;
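The same evaluation in Python, as an added example that is not part of the mod, run over constructed documents in the shape of `aws acm describe-certificate --output json` (ARNs, account id and domain names are placeholders). It generalises the query slightly: the bit length is parsed from KeyAlgorithm, so any RSA size below 2,048 alarms rather than only RSA-1024, and both the hyphenated and underscored spellings of the algorithm name are accepted.

```python
"""Evaluate ACM certificates against the control's 2,048-bit RSA minimum."""
import json

MIN_RSA_BITS = 2048


def evaluate(key_algorithm: str) -> tuple[str, str]:
    """Return (status, reason fragment) for one KeyAlgorithm value."""
    # ACM reports e.g. 'RSA-2048' / 'EC-prime256v1'; the API reference lists
    # the underscore spelling, so normalise and accept both.
    algo = key_algorithm.replace("_", "-")
    if not algo.startswith("RSA-"):
        return "skip", "is not a RSA certificate."
    try:
        bits = int(algo.split("-", 1)[1])
    except ValueError:
        return "error", f"has an unrecognised key algorithm ({key_algorithm})."
    # Unlike the query, which only names RSA-1024, any size below the
    # threshold alarms; 2048, 3072 and 4096 all pass.
    if bits < MIN_RSA_BITS:
        return "alarm", f"is using {bits} bits key length."
    return "ok", f"is using {bits} bits key length."


def evaluate_certificate(doc: dict) -> dict:
    """Evaluate one `aws acm describe-certificate --output json` document."""
    cert = doc["Certificate"]
    status, fragment = evaluate(cert["KeyAlgorithm"])
    return {"resource": cert["CertificateArn"], "status": status,
            "reason": f"{cert['DomainName']} {fragment}"}


def run_control(docs: list) -> list:
    return [evaluate_certificate(d) for d in docs]


# Constructed sample documents; ARNs, account id and domains are placeholders.
SAMPLE_DOCS = [json.loads(s) for s in (
    '{"Certificate": {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/aaaa-1", '
    '"DomainName": "www.example.com", "KeyAlgorithm": "RSA-2048"}}',
    '{"Certificate": {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/bbbb-2", '
    '"DomainName": "legacy.example.com", "KeyAlgorithm": "RSA_1024"}}',
    '{"Certificate": {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/cccc-3", '
    '"DomainName": "api.example.com", "KeyAlgorithm": "EC-prime256v1"}}',
)]

if __name__ == "__main__":
    for row in run_control(SAMPLE_DOCS):
        print(f"{row['status']:<6} {row['resource']}  {row['reason']}")
```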

Tags