Risk Level: High
Cloud Entity: AWS Certificate Manager
CloudGuard Rule ID: D9.AWS.CRY.60
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

AcmCertificate where (keyAlgorithm regexMatch /RSA/ and status like 'ISSUED' ) should have keyAlgorithm regexMatch /[1-9]\d{4}|[3-9]\d{3}|2([1-9]\d{2}|0([5-9]\d|4[89]))/

REMEDIATION

From Portal

Go to 'Certificate Manager'
Identify certificates with 'Public key info' below 'RSA-2048'
Update the relevant certificates to use at least 'RSA-2048' keys

From Command Line
To list all ACM certificates, run:

aws acm --region REGION list-certificates

To check an ACM certificate's key algorithm, run:

aws acm describe-certificate --region REGION --certificate-arn CERTIFICATE-ARN

References

AWS Certificate Manager

AWS Certificate Manager is a service that lets you easily provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates.

Compliance Frameworks

AWS CloudGuard Best Practices
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS HITRUST v11.0.0
AWS ISO27001:2022
AWS MITRE ATT&CK Framework v11.3
AWS NIST 800-53 Rev 5
AWS PCI-DSS 4.0
CloudGuard AWS All Rules Ruleset