lacework-global-382

Rivest-Shamir-Adleman (RSA) certificates managed by AWS Certificate Manager (ACM) should use a key length of at least 2,048 bits (Automated)

Description

The strength of encryption directly correlates with key size. You should use RSA key lengths of at least 2048 bits to protect your AWS resources, as computing power becomes less expensive and servers become more advanced.

Remediation

Note: If creating certificates from the console, the minimum length of the key for RSA is 2048 bits, which satisfies this policy.

From the AWS Console:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Security, Identity & Compliance > Certificate Manager.
  4. Click List certificates.
  5. Click the checkbox next to the name of each RSA certificate using a key length less than 2048 bits.
  6. Click Delete.
  7. Type delete in the pop up window, and click Delete.

From CLI:

aws acm delete-certificate --certificate-arn <certificate_arn>
Note: If there are any AWS services associated with the certificate, you must remove those associations using the console or CLI for the relevant services.
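The console steps above identify weak certificates by eye. The following Python script is an added example (not Lacework's or AWS's own code) that does the same check against the JSON produced by `aws acm list-certificates`: it parses the `KeyAlgorithm` field of each certificate summary (assumed to be present, as in the current ACM API; older CLI versions may require `aws acm describe-certificate` per ARN), flags RSA keys shorter than 2048 bits and prints the `delete-certificate` command from the remediation for each finding without running it. The embedded sample output, account number, ARNs and domain names are constructed for the example.

```python
import json
import re
import subprocess
import sys

# Policy threshold: RSA keys shorter than this are a finding.
MIN_RSA_BITS = 2048

# Constructed sample shaped like `aws acm list-certificates --output json`.
# Field names follow the ACM API; ARNs, domains and the account are made up.
SAMPLE_LIST_OUTPUT = json.dumps({
    "CertificateSummaryList": [
        {
            "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/aaaaaaaa-0000-0000-0000-000000000001",
            "DomainName": "legacy.example.com",
            "KeyAlgorithm": "RSA_1024",
        },
        {
            "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/aaaaaaaa-0000-0000-0000-000000000002",
            "DomainName": "www.example.com",
            "KeyAlgorithm": "RSA_2048",
        },
        {
            "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/aaaaaaaa-0000-0000-0000-000000000003",
            "DomainName": "api.example.com",
            "KeyAlgorithm": "EC_prime256v1",
        },
    ]
})

# ACM KeyAlgorithm values. Listing them explicitly avoids relying on the
# API's default key-type filter, which does not return every algorithm.
ALL_KEY_TYPES = "RSA_1024,RSA_2048,RSA_3072,RSA_4096,EC_prime256v1,EC_secp384r1,EC_secp521r1"


def rsa_key_bits(key_algorithm):
    """Return the modulus size for an ACM RSA_<bits> algorithm name, or None
    for EC or unrecognised values (EC keys are out of scope for this control)."""
    match = re.fullmatch(r"RSA_(\d+)", key_algorithm or "")
    return int(match.group(1)) if match else None


def weak_rsa_certificates(list_output_json, min_bits=MIN_RSA_BITS):
    """Parse list-certificates JSON and return (arn, bits) for every RSA
    certificate whose key is shorter than min_bits."""
    data = json.loads(list_output_json)
    findings = []
    for summary in data.get("CertificateSummaryList", []):
        bits = rsa_key_bits(summary.get("KeyAlgorithm"))
        if bits is not None and bits < min_bits:
            findings.append((summary["CertificateArn"], bits))
    return findings


def fetch_live_list_output():
    """Run the AWS CLI (credentials and region come from the environment)
    and return its JSON output as a string."""
    result = subprocess.run(
        ["aws", "acm", "list-certificates",
         "--includes", f"keyTypes={ALL_KEY_TYPES}",
         "--output", "json"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Pass --live to query the account; otherwise the constructed sample is used.
    raw = fetch_live_list_output() if "--live" in sys.argv else SAMPLE_LIST_OUTPUT
    for arn, bits in weak_rsa_certificates(raw):
        # Print the remediation command rather than running it, so any
        # service associations can be removed first (see the note above).
        print(f"{bits}-bit RSA key: {arn}")
        print(f"  aws acm delete-certificate --certificate-arn {arn}")
```

Run with no arguments to see the check applied to the sample; run with `--live` in an environment where the AWS CLI is configured to list the account's own certificates. Only `list-certificates` is executed; deletion stays a manual step.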

References

https://docs.aws.amazon.com/securityhub/latest/userguide/acm-controls.html#acm-2
https://docs.aws.amazon.com/acm/latest/userguide/gs.html
https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-prerequisites.html