turbot/steampipe-mod-aws-compliance

Control: 2 RSA certificates managed by ACM should use a key length of at least 2,048 bits

Description

This control checks whether RSA certificates managed by AWS Certificate Manager use a key length of at least 2,048 bits. The control fails if the key length is smaller than 2,048 bits.

For RSA, the effort needed to factor the modulus, and so to recover the private key, grows with the key size. Key lengths of at least 2,048 bits are recommended to protect your AWS resources as computing power becomes cheaper and factoring techniques improve.

Remediation

ACM issues RSA certificates with a minimum key length of 2,048 bits, so certificates that ACM issues itself cannot fail this control; only imported certificates can. For instructions on issuing new RSA certificates with ACM, see Issuing and managing certificates in the AWS Certificate Manager User Guide.

ACM allows you to import certificates with shorter key lengths, but to pass this control every imported RSA certificate must use a key of at least 2,048 bits. The key length cannot be changed after a certificate is imported, so the fix is to generate a new key pair of at least 2,048 bits, obtain and import a certificate for it, move any AWS resources that use the old certificate onto the new one, and then delete the certificate with the short key (ACM will not delete a certificate that is still in use by another AWS service). For more information about importing certificates into ACM, see Prerequisites for importing certificates in the AWS Certificate Manager User Guide.
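To find the certificates the remediation above applies to before deleting anything, here is an added example (illustrative code written for this page, not part of the steampipe-mod-aws-compliance project or the AWS documentation) that applies the control's skip/alarm/ok logic in Python to ListCertificates-style summaries. It accepts the key algorithm spelled with either a hyphen (RSA-2048) or an underscore (RSA_2048), since both spellings occur in ACM API documentation and output, and compares the modulus size numerically instead of matching one literal. The sample certificate list is constructed with fake ARNs and domains; the list_all_certificates helper, which takes a boto3 ACM client, is an assumption about how you would gather real summaries and is not exercised offline.

```python
"""Added example: evaluate ACM certificates against the ACM.2 key-length rule.

Illustrative code for this page, not part of steampipe-mod-aws-compliance.
"""
import re
from typing import Iterable, List, Optional, Tuple

MIN_RSA_BITS = 2048

# Every key type ACM can report. ListCertificates filters by key type and, by
# default, returns only RSA_1024 and RSA_2048 certificates, so an inventory that
# omits Includes.keyTypes silently hides RSA_3072, RSA_4096 and EC certificates.
ALL_KEY_TYPES = [
    "RSA_1024", "RSA_2048", "RSA_3072", "RSA_4096",
    "EC_prime256v1", "EC_secp384r1", "EC_secp521r1",
]

# Accept RSA-2048 as well as RSA_2048; both spellings appear in ACM docs/output.
_RSA_RE = re.compile(r"^RSA[-_](\d+)$")


def rsa_key_bits(key_algorithm: str) -> Optional[int]:
    """Return the RSA modulus size in bits, or None for non-RSA algorithms."""
    m = _RSA_RE.match(key_algorithm or "")
    return int(m.group(1)) if m else None


def evaluate(key_algorithm: str) -> Tuple[str, str]:
    """Classify one certificate the way the control does: skip / alarm / ok."""
    bits = rsa_key_bits(key_algorithm)
    if bits is None:
        return "skip", f"{key_algorithm} is not an RSA certificate."
    if bits < MIN_RSA_BITS:
        return "alarm", f"RSA key length {bits} bits is below {MIN_RSA_BITS}."
    return "ok", f"RSA key length {bits} bits."


def evaluate_certificates(summaries: Iterable[dict]) -> List[dict]:
    """Run the check over ListCertificates-style CertificateSummary dicts."""
    results = []
    for s in summaries:
        status, reason = evaluate(s.get("KeyAlgorithm", ""))
        results.append({"arn": s["CertificateArn"], "status": status, "reason": reason})
    return results


def failing_arns(summaries: Iterable[dict]) -> List[str]:
    """ARNs of certificates that must be replaced and then deleted."""
    return [r["arn"] for r in evaluate_certificates(summaries) if r["status"] == "alarm"]


def list_all_certificates(acm_client) -> List[dict]:
    """Assumed helper (not run offline): collect every summary from a boto3 ACM
    client. Passing Includes.keyTypes is what makes the inventory complete; if a
    summary lacks KeyAlgorithm, fall back to DescribeCertificate."""
    summaries = []
    paginator = acm_client.get_paginator("list_certificates")
    for page in paginator.paginate(Includes={"keyTypes": ALL_KEY_TYPES}):
        for s in page["CertificateSummaryList"]:
            if "KeyAlgorithm" not in s:
                detail = acm_client.describe_certificate(CertificateArn=s["CertificateArn"])
                s["KeyAlgorithm"] = detail["Certificate"]["KeyAlgorithm"]
            summaries.append(s)
    return summaries


# Constructed sample mimicking ListCertificates output (fake ARNs and domains).
SAMPLE_CERTS = [
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/aaaa-1",
     "DomainName": "legacy.example.com", "KeyAlgorithm": "RSA-1024"},
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/bbbb-2",
     "DomainName": "www.example.com", "KeyAlgorithm": "RSA_2048"},
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/cccc-3",
     "DomainName": "api.example.com", "KeyAlgorithm": "RSA-4096"},
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/dddd-4",
     "DomainName": "ec.example.com", "KeyAlgorithm": "EC-prime256v1"},
]

if __name__ == "__main__":
    for r in evaluate_certificates(SAMPLE_CERTS):
        print(r["status"].upper(), r["arn"], r["reason"])
```

Against the constructed sample only the 1024-bit certificate is reported as alarm; the EC certificate is skipped rather than failed, matching the control, which only judges RSA keys.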

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_acm_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_acm_2 --share

SQL

This control uses a named query:

with acm_certificates as (
  select
    certificate_arn,
    title,
    region,
    account_id,
    -- ACM key algorithm strings appear as RSA-2048 or RSA_2048; accept either
    -- separator and extract the modulus size so the comparison is numeric
    case
      when key_algorithm ~ '^RSA[-_][0-9]+$' then substring(key_algorithm from '[0-9]+')::int
    end as rsa_key_bits
  from
    aws_acm_certificate
)
select
  certificate_arn as resource,
  case
    when rsa_key_bits is null then 'skip'
    when rsa_key_bits < 2048 then 'alarm'
    else 'ok'
  end as status,
  case
    when rsa_key_bits is null then title || ' is not an RSA certificate.'
    else title || ' is using ' || rsa_key_bits || ' bits key length.'
  end as reason,
  region,
  account_id
from
  acm_certificates;

Tags