
AWS IAM Server Certificate Size

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Very High (act immediately)
Rule ID: IAM-062

Ensure that all SSL/TLS certificates managed by AWS IAM use a strong RSA key length of 2048 or 4096 bits, in line with security best practices, so that they resist brute-force (factoring) attacks on the key. Cloud Conformity highly recommends upgrading your 1024-bit server certificates to 2048-bit or 4096-bit RSA certificates, which use far longer keys; a 2048-bit key is much harder to crack than a 1024-bit key.
You can also use the Amazon Certificate Manager (ACM) service to provision server certificates with 2048-bit RSA keys.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Given the computing power now available for breaking RSA keys, any server certificate that uses a 1024-bit key can no longer be considered secure. In addition, all major web browsers dropped support for 1024-bit RSA certificates at the end of 2013. If your AWS IAM server certificates still use 1024-bit keys, raise their key length to 2048 bits or higher to increase their security level.

Note: Server certificates cannot be managed from the AWS IAM Management Console, therefore you must upload, retrieve or delete these certificates programmatically through the AWS API. This is one of the reasons why Amazon Certificate Manager (ACM) is the best AWS tool to provision, manage and deploy your server certificates. With AWS ACM you can use an SSL/TLS certificate issued by the ACM service or one that you purchased from an external provider.


Audit

To determine whether any server certificates currently stored in AWS IAM use 1024-bit public keys, perform the following:

Note: Getting the certificates information via AWS Management Console is not currently supported. To request information about the SSL/TLS certificates managed by AWS IAM use the Command Line Interface (CLI).

Using AWS CLI

01 Run list-server-certificates command (OSX/Linux/UNIX) to list the names of all IAM-managed server certificates:

aws iam list-server-certificates \
	--query 'ServerCertificateMetadataList[*].ServerCertificateName'

02 The command output should return an array that contains the names of all the SSL/TLS certificates currently available within AWS IAM:

[
    "ELBv3SSLCertificate",
    "CloudConformityWebCert"
]

03 Run get-server-certificate command (OSX/Linux/UNIX) using the name of a certificate returned at the previous step as the identifier, together with a custom query filter, to retrieve the certificate body of the selected SSL/TLS certificate:

aws iam get-server-certificate \
	--server-certificate-name ELBv3SSLCertificate \
	--query 'ServerCertificate.CertificateBody'

04 The command output should return the certificate body (the PEM-encoded certificate that carries the public key) as a JSON string:

"-----BEGIN CERTIFICATE-----\Y37DL2lZxVD5 ... CU3Acb0MbDW9\n-----END CERTIFICATE-----"

05 Create a new file with the .pem extension, name it ssl-public-key.pem, and write the certificate body returned at the previous step (without the surrounding quotes) to it. Because the CLI prints the body as a JSON string, its line breaks appear as literal \n sequences; use printf with the %b format (or echo -e in bash) so that they are expanded into real newlines, otherwise openssl will not parse the file:

printf '%b\n' "-----BEGIN CERTIFICATE-----\Y37DL2xlZ2FxVD5 ... CU3AcAwb0MYbDW9\n-----END CERTIFICATE-----" > ssl-public-key.pem

06 Run openssl command (Linux/UNIX) using the file created at the previous step as the input file to reveal the length of the public key used by the selected SSL/TLS certificate:

openssl x509 -in ssl-public-key.pem -text -noout | grep "Public-Key"

07 The command output should return the requested key length:

Public-Key: (1024 bit)

If the Public-Key attribute value returned by the command is 1024 bit (as shown in the example above), the selected AWS IAM server certificate uses a 1024-bit public key, therefore the SSL/TLS certificate is insecure and deprecated and must be treated as at risk of being broken.

08 Repeat steps no. 3 – 7 to check the key length for other SSL/TLS certificates managed by AWS IAM within your AWS account.
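The audit above reads the key size by hand from openssl output. The following Python script, added here as an example and not part of Conformity's own tooling, performs the same check directly on the JSON string that get-server-certificate prints for CertificateBody and classifies the result against the 2048-bit threshold of this rule. It walks the certificate's DER structure with a minimal parser so it needs no third-party library; the parser, the function names and the synthetic certificates it runs on are all constructed for this example (they are certificate-shaped but unsigned and are not real certificates). The same check_certificate_body function can gate a replacement certificate before it is uploaded in the Remediation section below.

```python
import base64
import json

# Added example, not Conformity's tooling: a minimal DER walker that reports the
# RSA modulus length of a PEM certificate body, replacing the manual openssl step.
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)
EC_OID = bytes.fromhex("2a8648ce3d0201")       # 1.2.840.10045.2.1 (id-ecPublicKey)
MIN_BITS = 2048                                # threshold applied by rule IAM-062


def pem_to_der(pem: str) -> bytes:
    """Drop the BEGIN/END armour lines and base64-decode what remains."""
    lines = [l.strip() for l in pem.splitlines()]
    return base64.b64decode("".join(l for l in lines if l and not l.startswith("-----")))


def der_tlv(buf: bytes, off: int):
    """Decode the tag-length header at `off`; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length


def der_children(buf: bytes, start: int, end: int):
    """Yield (tag, value_start, value_end) for each element inside a constructed value."""
    off = start
    while off < end:
        child = der_tlv(buf, off)
        yield child
        off = child[2]


def rsa_modulus_bits(der: bytes):
    """Return the RSA modulus size in bits, or None when the key is not RSA."""
    _, cert_start, _ = der_tlv(der, 0)                     # Certificate SEQUENCE
    _, tbs_start, tbs_end = der_tlv(der, cert_start)       # tbsCertificate SEQUENCE
    fields = list(der_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                               # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, spki_start, spki_end = fields[5]
    alg, bitstr = list(der_children(der, spki_start, spki_end))
    oid = next(der_children(der, alg[1], alg[2]))
    if der[oid[1]:oid[2]] != RSA_OID:
        return None
    # BIT STRING value = one unused-bits byte, then RSAPublicKey { modulus, exponent }
    _, key_start, key_end = der_tlv(der, bitstr[1] + 1)
    modulus = next(der_children(der, key_start, key_end))
    return int.from_bytes(der[modulus[1]:modulus[2]], "big").bit_length()


def check_certificate_body(cli_json: str) -> dict:
    """Evaluate the JSON string that get-server-certificate prints for CertificateBody.

    json.loads turns the escaped \\n sequences into real newlines, which a plain
    `echo` of the quoted value would leave as literal backslash-n characters."""
    bits = rsa_modulus_bits(pem_to_der(json.loads(cli_json)))
    if bits is None:
        return {"key_type": "non-RSA", "bits": None, "status": "MANUAL-REVIEW"}
    return {"key_type": "RSA", "bits": bits, "status": "PASS" if bits >= MIN_BITS else "FAIL"}


# --- constructed test data: certificate-shaped DER, unsigned, not a real certificate ---
def _tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _int(value: int) -> bytes:
    # bit_length // 8 + 1 bytes keeps the leading 0x00 DER requires when the top bit is set
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def make_test_cert(modulus_bits: int, key_oid: bytes = RSA_OID) -> str:
    """Build a synthetic PEM certificate whose SubjectPublicKeyInfo holds a key of the given size."""
    modulus = (1 << (modulus_bits - 1)) | 1           # bit_length() is exactly modulus_bits
    pub_key = _tlv(0x30, _int(modulus) + _int(65537))
    alg_id = _tlv(0x30, _tlv(0x06, key_oid) + b"\x05\x00")
    spki = _tlv(0x30, alg_id + _tlv(0x03, b"\x00" + pub_key))
    empty = _tlv(0x30, b"")                           # placeholder signature/issuer/validity/subject
    tbs = _tlv(0x30, _tlv(0xA0, _int(2)) + _int(1) + empty * 4 + spki)
    cert = _tlv(0x30, tbs + empty + _tlv(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----"


def sample_cli_output(modulus_bits: int, key_oid: bytes = RSA_OID) -> str:
    """Mimic the CLI's JSON output for --query ServerCertificate.CertificateBody."""
    return json.dumps(make_test_cert(modulus_bits, key_oid))


if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        print(bits, check_certificate_body(sample_cli_output(bits)))
```

To use it against a real account, pipe the output of step 03 into check_certificate_body (for example, json.loads on the CLI's stdout). The script reports MANUAL-REVIEW rather than a bit count for a non-RSA key, because the "Public-Key: (256 bit)" line that openssl prints for an ECDSA certificate would otherwise be misread as a weak key by the grep in step 06.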

Remediation / Resolution

To replace any 1024-bit RSA SSL/TLS certificates currently stored in AWS IAM, perform the following (note that the larger the key, the more resistant it is to being broken):

Note: Managing SSL/TLS certificates stored within AWS IAM via AWS Management Console is not currently supported. To upload, deploy and delete server certificates, use the AWS API through the Command Line Interface (CLI).

Using AWS CLI

01 Run delete-server-certificate command (OSX/Linux/UNIX) using the name of the insecure and deprecated server certificate as the identifier (see the Audit section to identify the right certificate) to remove it from AWS IAM (the command produces no output):

aws iam delete-server-certificate \
	--server-certificate-name ELBv3SSLCertificate

02 Once your SSL provider has reissued the selected SSL/TLS certificate with a 2048-bit or 4096-bit key, run upload-server-certificate command (OSX/Linux/UNIX) to upload the new server certificate to AWS IAM. The upload consists of the certificate body, which carries the strong 2048-bit or 4096-bit public key (e.g. the SSLCertificate.pem file), the private key (e.g. SSLPrivateKey.pem), and an optional certificate chain (e.g. SSLCertificateChain.pem), all PEM-encoded. Use the same name (e.g. ELBv3SSLCertificate) for the new and upgraded server certificate so that you do not have to update references to it:

aws iam upload-server-certificate \
	--server-certificate-name ELBv3SSLCertificate \
	--certificate-body file://SSLCertificate.pem \
	--certificate-chain file://SSLCertificateChain.pem \
	--private-key file://SSLPrivateKey.pem

03 The command output should return the new AWS IAM server certificate metadata:

{
    "ServerCertificateMetadata": {
        "ServerCertificateId": "CYWD4X2W8SDR5U5MLU",
        "ServerCertificateName": "ELBv3SSLCertificate",
        "Expiration": "2018-04-21T23:59:59Z",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:server-certificate/ELBv3SSLCertificate",
        "UploadDate": "2017-04-21T08:16:38.068Z"
    }
}

Cloud Conformity also recommends the Amazon Certificate Manager (ACM) service which can be used to provision, manage and deploy your new server certificates. With AWS ACM you can request a 2048-bit RSA certificate, deploy it to your AWS resources and let Amazon handle certificate renewals for you.

04 Repeat steps no. 1 – 3 to replace other insecure/deprecated SSL/TLS certificates managed by AWS IAM within your AWS account.

Publication date Jun 12, 2017