AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
ACM Certificates Should Have Minimum RSA Length
More Info:
Ensure ACM certificate RSA length is mminimum of 2048
Risk Level
High
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the ACM certificate with minimum RSA length for AWS API Gateway using the AWS console, you can follow these steps:
-
Login to AWS Console: Go to the AWS Management Console (https://aws.amazon.com/) and log in to your AWS account.
-
Navigate to ACM: In the AWS Management Console, search for “ACM” in the services search bar and click on “AWS Certificate Manager” to open the ACM dashboard.
-
Select the Certificate: In the ACM dashboard, locate and select the certificate that is associated with your API Gateway.
-
Check RSA Key Length: Check the RSA key length of the selected certificate. Ensure that the RSA key length meets the minimum requirement. The minimum RSA key length recommended is 2048 bits.
-
Update Certificate: If the RSA key length is less than 2048 bits, you will need to update the certificate with a new RSA key of at least 2048 bits.
-
Reissue Certificate: To update the RSA key length of the certificate, you will need to reissue the certificate with a new RSA key. Click on the “Actions” dropdown menu and select “Reissue certificate”.
-
Select RSA Key Length: In the reissue certificate wizard, select the RSA key length of at least 2048 bits.
-
Review and Confirm: Review the details of the reissued certificate and click on the “Reissue” button to confirm and reissue the certificate with the new RSA key length.
-
Update API Gateway: Once the certificate is reissued with the new RSA key length, you will need to update the API Gateway to use the newly reissued certificate.
-
Update API Gateway Integration: Go to the API Gateway console, select your API, and update the integration settings to use the newly reissued certificate.
By following these steps, you will be able to remediate the ACM certificate with minimum RSA length for AWS API Gateway using the AWS console.
To remediate the ACM certificate with minimum RSA length for AWS API Gateway using AWS CLI, follow these steps:
- List ACM Certificates: First, you need to list all the ACM certificates in your AWS account to identify the certificate that needs to be updated. Run the following AWS CLI command to list all ACM certificates:
aws acm list-certificates
-
Get Certificate ARN: Identify the ARN of the ACM certificate that is associated with your API Gateway. Note down the ARN as you will need it for the next steps.
-
Update Certificate: Run the following AWS CLI command to update the ACM certificate with the desired RSA key length (e.g., 2048 bits):
aws acm update-certificate --certificate-arn <CERTIFICATE_ARN> --key-spec RSA_2048
Replace <CERTIFICATE_ARN> with the ARN of the ACM certificate that you identified in step 2.
- Verify Update: To verify that the certificate has been updated successfully, you can describe the certificate using the following AWS CLI command:
aws acm describe-certificate --certificate-arn <CERTIFICATE_ARN>
Ensure that the KeyAlgorithm is now set to RSA_2048.
By following these steps, you can remediate the ACM certificate with the minimum RSA key length for AWS API Gateway using AWS CLI.
To remediate the misconfiguration of ACM Certificates not having the minimum RSA length in AWS API Gateway using Python, follow these steps:
-
Get a list of ACM certificates in use:
- Use the AWS SDK for Python (Boto3) to list all the ACM certificates in use in your AWS account.
- You can use the
list_certificates()method from theacmclient.
-
Check the RSA key length of each certificate:
- For each certificate, use the
describe_certificate()method to get detailed information about the certificate. - Check the RSA key length of the certificate. Ensure that it meets the minimum required length (e.g., 2048 bits).
- For each certificate, use the
-
Update certificates with insufficient RSA key length:
- For certificates that do not meet the minimum RSA key length requirement, you will need to request a new certificate with a sufficient key length.
- Use the
request_certificate()method to request a new certificate with the required RSA key length. - Make sure to update the API Gateway to use the new certificate once it is issued.
-
Update API Gateway to use the new certificate:
- Update the API Gateway configuration to use the newly issued certificate.
- You can use the
update_domain_name()method from theapigatewayclient to update the certificate for the custom domain name associated with your API Gateway.
-
Automate the remediation process:
- To ensure that all ACM certificates used by API Gateway meet the minimum RSA key length requirement, consider automating the above steps using Python scripts and AWS Lambda functions.
- You can schedule this automation to run periodically to check and update any newly issued certificates as well.
By following these steps and automating the process using Python scripts and AWS SDK, you can remediate the misconfiguration of ACM Certificates not having the minimum RSA length in AWS API Gateway.