lacework-global-382
Rivest-Shamir-Adleman (RSA) certificates managed by AWS Certificate Manager (ACM) should use a key length of at least 2,048 bits (Automated)
Description
The strength of RSA encryption correlates directly with key size. Use RSA key lengths of at least 2048 bits to protect your AWS resources: as computing power becomes cheaper and servers more capable, shorter keys become practical to factor.
Remediation
Note: If creating certificates from the console, the minimum length of the key for RSA is 2048 bits, which satisfies this policy.
From the AWS Console:
- Log in to the AWS Management Console.
- Click Services.
- Select Security, Identity & Compliance > Certificate Manager.
- Click List certificates.
- Click the checkbox next to the name of each RSA certificate using a key length less than 2048 bits.
- Click Delete.
- Type delete in the pop-up window, and click Delete.
From CLI:
aws acm delete-certificate --certificate-arn <certificate_arn>
If there are any AWS services associated with the certificate, you must remove those associations using the console or CLI for the relevant services.
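The following added example (not part of the Lacework policy or AWS documentation) evaluates this check offline against certificate records shaped like the "Certificate" object returned by aws acm describe-certificate, using ACM's KeyAlgorithm values (RSA_1024, RSA_2048, EC_prime256v1, ...); the sample records are constructed. When collecting real records, note that aws acm list-certificates returns only RSA_2048 certificates by default, so pass --includes keyTypes=RSA_1024,RSA_2048,RSA_3072,RSA_4096 to see the weak ones.

```python
"""Flag ACM certificates whose RSA key is shorter than 2048 bits."""
import re

MIN_RSA_BITS = 2048
# ACM reports RSA keys as "RSA_<modulus bits>"; EC keys as "EC_<curve>".
RSA_KEY_RE = re.compile(r"^RSA_(\d+)$")


def rsa_key_bits(key_algorithm):
    """Return the RSA modulus size in bits, or None for non-RSA (EC_*) keys."""
    match = RSA_KEY_RE.match(key_algorithm or "")
    return int(match.group(1)) if match else None


def evaluate(certificate):
    """Classify one certificate record against the 2048-bit minimum."""
    bits = rsa_key_bits(certificate.get("KeyAlgorithm"))
    if bits is None:
        return "NOT_APPLICABLE"   # EC certificates are out of scope here
    return "COMPLIANT" if bits >= MIN_RSA_BITS else "NON_COMPLIANT"


def weak_rsa_certificates(certificates):
    """Return (ARN, key bits) for every certificate that violates the policy."""
    return [(c["CertificateArn"], rsa_key_bits(c["KeyAlgorithm"]))
            for c in certificates if evaluate(c) == "NON_COMPLIANT"]


def remediation_commands(certificates):
    """CLI commands from the remediation section, one per weak certificate."""
    return [f"aws acm delete-certificate --certificate-arn {arn}"
            for arn, _ in weak_rsa_certificates(certificates)]


# Constructed sample records (placeholder account ID and certificate IDs).
SAMPLE = [
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/weak-1",
     "DomainName": "old.example.com", "KeyAlgorithm": "RSA_1024"},
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/ok-1",
     "DomainName": "www.example.com", "KeyAlgorithm": "RSA_2048"},
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/ec-1",
     "DomainName": "api.example.com", "KeyAlgorithm": "EC_prime256v1"},
]

if __name__ == "__main__":
    for arn, bits in weak_rsa_certificates(SAMPLE):
        print(f"NON_COMPLIANT {arn} (RSA {bits} bits)")
    for cmd in remediation_commands(SAMPLE):
        print(cmd)
```

Before running any delete command, remove the certificate's associations with services such as load balancers or CloudFront, as the remediation text above notes.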
References
https://docs.aws.amazon.com/securityhub/latest/userguide/acm-controls.html#acm-2
https://docs.aws.amazon.com/acm/latest/userguide/gs.html
https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-prerequisites.html