Ensure that all SSL/TLS certificates managed by AWS IAM use a key length of 2048 or 4096 bits, in line with security best practices, so that they resist brute-force attacks against the underlying cryptographic algorithm. Cloud Conformity highly recommends upgrading your 1024-bit server certificates to 2048-bit or 4096-bit RSA certificates, which use stronger encryption. For example, a 2048-bit key is much harder to crack than a 1024-bit key.
You can also use the Amazon Certificate Manager (ACM) service to provision server certificates that use the RSA-2048 algorithm.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Because of the computing power now available for attacking SSL/TLS certificates, a server certificate that uses a 1024-bit key can no longer be considered secure. In addition, all major web browsers dropped support for 1024-bit RSA certificates at the end of 2013. If your AWS IAM server certificates still use 1024-bit keys, raise their key length to 2048 bits or higher to increase their security level.
Note: Server certificates cannot be managed from the AWS IAM Management Console, so you must upload, retrieve or delete them programmatically through the AWS API. This is one of the reasons why Amazon Certificate Manager (ACM) is the best AWS tool to provision, manage and deploy your server certificates. With ACM you can use an SSL/TLS certificate issued by the ACM service or one that you purchased from an external provider.
Audit
To determine whether any server certificates currently stored in AWS IAM use 1024-bit public keys, perform the following:
Note: Retrieving certificate information via the AWS Management Console is not currently supported. To request information about the SSL/TLS certificates managed by AWS IAM, use the Command Line Interface (CLI).
Remediation / Resolution
To replace any 1024-bit RSA SSL/TLS certificates currently stored in AWS IAM, perform the following (note that the larger the key, the more resistant it is to hacking or decryption):
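As an added example that is not part of the Conformity rule page or its tooling, the following POSIX shell script performs the audit and the replacement described above with the `aws iam` subcommands listed in the references (`list-server-certificates`, `get-server-certificate`, `upload-server-certificate`, `delete-server-certificate`) and uses `openssl` to read the RSA modulus length out of each certificate body. The function names, the `MIN_RSA_BITS` threshold and the certificate names given on the command line are assumptions for illustration; the script assumes a configured AWS CLI with the matching IAM permissions and a local `openssl` binary.

```shell
#!/bin/sh
# Added example, not the Conformity rule's own code: audit AWS IAM server
# certificates for RSA keys shorter than MIN_RSA_BITS and replace a weak one.
# Assumes the `aws` CLI is configured with iam:ListServerCertificates,
# iam:GetServerCertificate, iam:UploadServerCertificate and
# iam:DeleteServerCertificate, and that openssl is installed.

MIN_RSA_BITS=2048   # assumed threshold, matching the rule's 2048-bit minimum

# rsa_key_bits CERT_PEM -> prints the public key length in bits, or nothing if
# the file is not a parseable certificate. Matches both the OpenSSL 1.1 line
# "RSA Public-Key: (2048 bit)" and the OpenSSL 3 line "Public-Key: (2048 bit)".
rsa_key_bits() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/^.*Public-Key: (\([0-9][0-9]*\) bit).*$/\1/p' \
    | head -n 1
}

# key_is_strong CERT_PEM -> exit status 0 when the key is at least MIN_RSA_BITS
key_is_strong() {
  bits=$(rsa_key_bits "$1")
  [ -n "$bits" ] && [ "$bits" -ge "$MIN_RSA_BITS" ]
}

# audit_iam_server_certificates -> prints PASS/FAIL and key length for every
# IAM server certificate; returns 1 if any certificate is below the threshold.
audit_iam_server_certificates() {
  tmp=$(mktemp) || return 2
  status=0
  for name in $(aws iam list-server-certificates \
                  --query 'ServerCertificateMetadataList[].ServerCertificateName' \
                  --output text); do
    # Fetch only the certificate body (PEM) and write it to a temp file
    aws iam get-server-certificate --server-certificate-name "$name" \
        --query 'ServerCertificate.CertificateBody' --output text > "$tmp"
    if key_is_strong "$tmp"; then
      printf 'PASS %s %s bit\n' "$name" "$(rsa_key_bits "$tmp")"
    else
      printf 'FAIL %s %s bit\n' "$name" "$(rsa_key_bits "$tmp")"
      status=1
    fi
  done
  rm -f "$tmp"
  return "$status"
}

# upload_replacement NEW_NAME CERT_PEM KEY_PEM [CHAIN_PEM] -> uploads the
# replacement certificate under a new name after checking its key length.
upload_replacement() {
  new=$1; cert=$2; key=$3; chain=$4
  if ! key_is_strong "$cert"; then
    echo "refusing to upload $cert: key is below $MIN_RSA_BITS bits" >&2
    return 1
  fi
  if [ -n "$chain" ]; then
    aws iam upload-server-certificate --server-certificate-name "$new" \
        --certificate-body "file://$cert" --private-key "file://$key" \
        --certificate-chain "file://$chain"
  else
    aws iam upload-server-certificate --server-certificate-name "$new" \
        --certificate-body "file://$cert" --private-key "file://$key"
  fi
}

# retire_old_certificate OLD_NAME -> deletes the old certificate. Run this only
# after every load balancer or CloudFront distribution points at the new one.
retire_old_certificate() {
  aws iam delete-server-certificate --server-certificate-name "$1"
}

# Usage: sh check-iam-certs.sh audit
#        sh check-iam-certs.sh check cert.pem
#        sh check-iam-certs.sh upload NEW_NAME cert.pem key.pem [chain.pem]
#        sh check-iam-certs.sh retire OLD_NAME
case "${1:-}" in
  audit)  audit_iam_server_certificates ;;
  check)  if key_is_strong "$2"; then echo "OK $(rsa_key_bits "$2") bit"; else echo "WEAK"; fi ;;
  upload) upload_replacement "$2" "$3" "$4" "$5" ;;
  retire) retire_old_certificate "$2" ;;
esac
```

`audit` prints one PASS or FAIL line per IAM server certificate and exits non-zero when any key is too short, which makes it usable as a scheduled check. For the replacement, upload under a new name, re-point the load balancer or CloudFront distribution at it, confirm traffic is served with the new certificate, and only then run `retire` on the old name so the swap does not interrupt service.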
Note: Managing SSL/TLS certificates stored within AWS IAM via the AWS Management Console is not currently supported. To upload, deploy and delete server certificates, use the AWS API through the Command Line Interface (CLI).
References
- AWS Documentation
- AWS IAM FAQs
- Working with Server Certificates
- Working with Server Certificates
- What Is AWS Certificate Manager?
- ACM Certificate Characteristics
- AWS Command Line Interface (CLI) Documentation
- iam
- list-server-certificates
- get-server-certificate
- delete-server-certificate
- upload-server-certificate