More Info:

Ensure ACM certificate RSA length is mminimum of 2048

Risk Level

High

Address

Security

Compliance Standards

CBP

Triage and Remediation

Check Cause

Using Console

  1. Sign in to the AWS Management Console.
  2. Navigate to the API Gateway console. You can do this by typing “API Gateway” into the search bar and selecting it from the dropdown menu.
  3. Once in the API Gateway console, select the API you want to check.
  4. In the API’s settings, look for the ACM Certificate section. Here, you can see the RSA length of the certificate. If the RSA length is less than the minimum required length, then there is a misconfiguration.
  1. First, you need to list all the API Gateways in your AWS account. You can do this by using the following AWS CLI command: 
    aws apigateway get-rest-apis --region your-region
    Replace ‘your-region’ with the region you want to check. This command will return a list of all the API Gateways in the specified region.
  2. Next, for each API Gateway, you need to get the details of the associated ACM certificate. You can do this by using the following AWS CLI command: 
    aws apigateway get-domain-names --region your-region
    This command will return a list of all the domain names associated with each API Gateway. Each domain name will have an associated ACM certificate.
  3. Now, for each ACM certificate, you need to get the details of the certificate. You can do this by using the following AWS CLI command: 
    aws acm describe-certificate --certificate-arn your-certificate-arn --region your-region
    Replace ‘your-certificate-arn’ with the ARN of the certificate you want to check. This command will return the details of the specified certificate.
  4. Finally, you need to check the RSA length of the certificate. You can do this by looking at the ‘KeyAlgorithm’ field in the output of the previous command. If the ‘KeyAlgorithm’ field is ‘RSA_2048’, then the RSA length of the certificate is 2048 bits. If the ‘KeyAlgorithm’ field is ‘RSA_1024’, then the RSA length of the certificate is 1024 bits. If the RSA length is less than 2048 bits, then the certificate is misconfigured.
  1. Install the necessary Python libraries: Before you start, make sure you have the necessary Python libraries installed. You will need ‘boto3’ for AWS SDK for Python and ‘botocore’ for low-level, core functionality of AWS SDK for Python. You can install these libraries using pip: 
    pip install boto3 botocore
  2. Import the necessary libraries and initialize the AWS service: Import the necessary Python libraries and initialize the AWS service you want to use. In this case, we are using ‘boto3’ to interact with AWS API Gateway and ACM (AWS Certificate Manager). 
    import boto3

# Create a client for the AWS service.
apigateway = boto3.client('apigateway')
acm = boto3.client('acm')
  3. Get the list of API Gateways and their associated ACM Certificates: Use the ‘get_rest_apis’ function to get the list of API Gateways. Then, for each API Gateway, get the associated ACM Certificate using the ‘get_domain_name’ function. 
    # Get the list of API Gateways.
api_gateways = apigateway.get_rest_apis()['items']

for api_gateway in api_gateways:
    # Get the domain name associated with the API Gateway.
    domain_name = apigateway.get_domain_name(domainName=api_gateway['name'])
    
    # Get the ACM Certificate associated with the domain name.
    certificate_arn = domain_name['domainName']['certificateArn']
    certificate = acm.describe_certificate(CertificateArn=certificate_arn)
  4. Check the RSA length of the ACM Certificate: The RSA length of the ACM Certificate can be found in the ‘KeyAlgorithm’ field of the certificate description. If the RSA length is less than the minimum required length, print a warning message. 
    # Check the RSA length of the ACM Certificate.
if 'RSA' in certificate['Certificate']['KeyAlgorithm']:
    rsa_length = int(certificate['Certificate']['KeyAlgorithm'].split('_')[1])
    if rsa_length < 2048:
        print(f"Warning: The ACM Certificate for API Gateway {api_gateway['name']} has an RSA length of {rsa_length}, which is less than the minimum required length of 2048.")
This script will help you detect if any ACM Certificates associated with API Gateways have an RSA length less than the minimum required length.