ACM Certificates Should Have Minimum RSA Length

More Info:

Ensure ACM certificate RSA length is mminimum of 2048

Risk Level

High

Address

Security

Compliance Standards

CBP

Triage and Remediation

Check Cause

Using Console

Using CLI

First, you need to list all the API Gateways in your AWS account. You can do this by using the following AWS CLI command:
```
aws apigateway get-rest-apis --region your-region
```
Replace ‘your-region’ with the region you want to check. This command will return a list of all the API Gateways in the specified region.
Next, for each API Gateway, you need to get the details of the associated ACM certificate. You can do this by using the following AWS CLI command:
```
aws apigateway get-domain-names --region your-region
```
This command will return a list of all the domain names associated with each API Gateway. Each domain name will have an associated ACM certificate.
Now, for each ACM certificate, you need to get the details of the certificate. You can do this by using the following AWS CLI command:
```
aws acm describe-certificate --certificate-arn your-certificate-arn --region your-region
```
Replace ‘your-certificate-arn’ with the ARN of the certificate you want to check. This command will return the details of the specified certificate.
Finally, you need to check the RSA length of the certificate. You can do this by looking at the ‘KeyAlgorithm’ field in the output of the previous command. If the ‘KeyAlgorithm’ field is ‘RSA_2048’, then the RSA length of the certificate is 2048 bits. If the ‘KeyAlgorithm’ field is ‘RSA_1024’, then the RSA length of the certificate is 1024 bits. If the RSA length is less than 2048 bits, then the certificate is misconfigured.

Using Python

Install the necessary Python libraries: Before you start, make sure you have the necessary Python libraries installed. You will need ‘boto3’ for AWS SDK for Python and ‘botocore’ for low-level, core functionality of AWS SDK for Python. You can install these libraries using pip:
```
pip install boto3 botocore
```
Import the necessary libraries and initialize the AWS service: Import the necessary Python libraries and initialize the AWS service you want to use. In this case, we are using ‘boto3’ to interact with AWS API Gateway and ACM (AWS Certificate Manager).
```
import boto3

# Create a client for the AWS service.
apigateway = boto3.client('apigateway')
acm = boto3.client('acm')
```

Get the list of API Gateways and their associated ACM Certificates: Use the ‘get_rest_apis’ function to get the list of API Gateways. Then, for each API Gateway, get the associated ACM Certificate using the ‘get_domain_name’ function.

# Get the list of API Gateways.
api_gateways = apigateway.get_rest_apis()['items']

for api_gateway in api_gateways:
    # Get the domain name associated with the API Gateway.
    domain_name = apigateway.get_domain_name(domainName=api_gateway['name'])
    
    # Get the ACM Certificate associated with the domain name.
    certificate_arn = domain_name['domainName']['certificateArn']
    certificate = acm.describe_certificate(CertificateArn=certificate_arn)

Check the RSA length of the ACM Certificate: The RSA length of the ACM Certificate can be found in the ‘KeyAlgorithm’ field of the certificate description. If the RSA length is less than the minimum required length, print a warning message.

# Check the RSA length of the ACM Certificate.
if 'RSA' in certificate['Certificate']['KeyAlgorithm']:
    rsa_length = int(certificate['Certificate']['KeyAlgorithm'].split('_')[1])
    if rsa_length < 2048:
        print(f"Warning: The ACM Certificate for API Gateway {api_gateway['name']} has an RSA length of {rsa_length}, which is less than the minimum required length of 2048.")

This script will help you detect if any ACM Certificates associated with API Gateways have an RSA length less than the minimum required length.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

ACM Certificates Should Have Minimum RSA Length

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Check Cause

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Check Cause

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Check Cause