Profile Applicability:
Level 1
Description:
AWS Certificate Manager (ACM) is a service that helps you provision, manage, and deploy SSL/TLS certificates for use with AWS services and your internal resources. SSL/TLS certificates are essential for securing communications between clients and servers, ensuring data confidentiality and integrity. A secure key algorithm ensures that the certificate uses encryption that is strong enough to protect sensitive information.
The key algorithm used by the certificate determines the strength of the encryption and its resistance to attacks. As cryptographic attacks evolve, it is crucial to ensure that certificates use modern, secure key algorithms like RSA 2048 bits or higher, or Elliptic Curve (ECDSA), instead of outdated algorithms such as RSA 1024 bits.
This SOP ensures that ACM certificates are configured with secure key algorithms to maintain the security of data in transit and protect against potential vulnerabilities.
Rationale:
Ensuring that ACM certificates use secure key algorithms is critical for:
Data Protection: Ensures that data transmitted over the network is encrypted with strong cryptographic methods.
Compliance: Meets industry standards and regulatory requirements for encryption strength (e.g., PCI-DSS, SOC 2, ISO 27001).
Security: Prevents attackers from exploiting weak encryption methods to intercept or tamper with sensitive data.
Future-Proofing: Ensures the certificates are resistant to advances in cryptographic attacks as computing power increases.
Impact:
Pros:
Improved Security: Using modern, secure key algorithms ensures that communications are encrypted at a high level, protecting sensitive data.
Compliance: Helps meet security requirements and standards set by regulatory bodies.
Resilience: Protects your infrastructure from potential vulnerabilities associated with outdated algorithms.
Cons:
Compatibility Issues: Some older clients or systems may not support newer, stronger key algorithms.
Initial Configuration Effort: Ensuring that all certificates are updated to use secure key algorithms may require time and testing.
Default Value:
By default, ACM certificates use RSA 2048-bit keys, which are considered secure. However, older or misconfigured certificates might use insecure key algorithms such as RSA 1024-bit or other outdated key sizes.
Pre-requisite:
AWS IAM Permissions:
acm:ListCertificates
acm:DescribeCertificate
acm:UpdateCertificateOptions
AWS CLI installed and configured.
Basic knowledge of SSL/TLS certificates and key algorithms.
Familiarity with ACM and its usage in your environment.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to AWS Certificate Manager under Services.
In the ACM Dashboard, go to Certificates.
Select each certificate you wish to inspect.
Review the certificate details to confirm the key algorithm:
Ensure that the key algorithm is either RSA 2048-bit or higher or Elliptic Curve (ECDSA).
Check for any certificates that use RSA 1024-bit or other weak algorithms and plan for renewal with stronger algorithms.
Using AWS CLI:
To list all certificates and their key algorithms, run the following. Note that by default list-certificates returns only RSA_2048 certificates, so the --includes filter is required to see RSA_1024 and other key types:
aws acm list-certificates --includes keyTypes=RSA_1024,RSA_2048,RSA_3072,RSA_4096,EC_prime256v1,EC_secp384r1,EC_secp521r1 --query 'CertificateSummaryList[*].{CertificateArn:CertificateArn, KeyAlgorithm:KeyAlgorithm}'
To check the key algorithm of a specific certificate, run:
aws acm describe-certificate --certificate-arn <certificate-arn>
In the output, check the KeyAlgorithm field (reported as values such as RSA-2048, RSA-3072, RSA-4096, EC-prime256v1, EC-secp384r1 or EC-secp521r1) to confirm that it is RSA 2048-bit or higher or Elliptic Curve (ECDSA); a value of RSA-1024 fails this check.
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to ACM.
In the ACM Dashboard, go to Certificates.
Review the key algorithms of each certificate listed:
RSA 2048-bit or higher or Elliptic Curve (ECDSA) are secure.
If any certificates use RSA 1024-bit or other insecure algorithms, request certificate renewal or reissue with a stronger key algorithm (e.g., RSA 2048-bit or Elliptic Curve (ECDSA)).
Using AWS CLI:
To check the key algorithm of a certificate, run:
aws acm describe-certificate --certificate-arn <certificate-arn>
If the certificate uses a weak algorithm such as RSA 1024-bit, request a new certificate with a stronger key algorithm (the --key-algorithm option also accepts, for example, RSA_3072, RSA_4096 and EC_prime256v1):
aws acm request-certificate --domain-name <domain-name> --key-algorithm RSA_2048
After renewing, associate the new certificate with the relevant resources (e.g., Elastic Load Balancer, CloudFront).
Backout Plan:
If switching to a certificate with a stronger key algorithm causes issues (e.g., compatibility problems with older clients):
Identify the affected certificate and resources.
If needed, revert to the previous certificate with the original key algorithm by binding the old certificate to the resource again. ACM itself has no associate command; the binding is changed on the consuming service. For an Application or Network Load Balancer listener, for example:
aws elbv2 modify-listener --listener-arn <listener-arn> --certificates CertificateArn=<old-certificate-arn>
For CloudFront, update the distribution's viewer certificate setting to the old certificate ARN.
Verify that the systems using the new certificate support the updated key algorithm (e.g., RSA 2048-bit or ECDSA).
Note:
Compatibility Check: Before renewing certificates with RSA 2048-bit or ECDSA, ensure that the systems and clients accessing your services support these algorithms. Older browsers or operating systems may not support Elliptic Curve (ECDSA).
Automated Monitoring: Set up CloudWatch or other monitoring tools to alert you if any certificates with weak key algorithms are detected in your environment.
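As an added example (not part of this SOP or of the AWS tooling), the following Python script applies the key algorithm check from the Test Plan to the output of aws acm list-certificates --includes keyTypes=RSA_1024,RSA_2048,RSA_3072,RSA_4096,EC_prime256v1,EC_secp384r1,EC_secp521r1 piped into it, and exits non-zero when a weak or unrecognised key algorithm is found, so it can double as the scheduled check mentioned under Automated Monitoring. The script name acm_key_check.py, the sample certificates and their ARNs are constructed placeholders.

```python
import json
import re
import sys

MIN_RSA_BITS = 2048                                              # policy: RSA 2048 or higher
ACCEPTED_EC = {"EC-prime256v1", "EC-secp384r1", "EC-secp521r1"}  # curves ACM can issue


def classify(key_algorithm: str) -> str:
    """Return 'ok', 'weak' or 'review' for an ACM KeyAlgorithm value.

    describe/list output spells it 'RSA-2048'; the API enum spells it 'RSA_2048'.
    Both are accepted. Anything unrecognised is 'review', never silently 'ok'.
    """
    alg = key_algorithm.replace("_", "-")
    m = re.fullmatch(r"RSA-(\d+)", alg)
    if m:
        return "ok" if int(m.group(1)) >= MIN_RSA_BITS else "weak"
    return "ok" if alg in ACCEPTED_EC else "review"


def find_noncompliant(summaries):
    """Return (arn, domain, algorithm, verdict) for every certificate that is not 'ok'."""
    findings = []
    for cert in summaries:
        alg = cert.get("KeyAlgorithm", "")
        verdict = classify(alg)
        if verdict != "ok":
            findings.append((cert["CertificateArn"], cert.get("DomainName", ""), alg, verdict))
    return findings


# Constructed sample shaped like list-certificates output; the ARNs are placeholders.
SAMPLE = {"CertificateSummaryList": [
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-1",
     "DomainName": "api.example.com", "KeyAlgorithm": "RSA-2048"},
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-2",
     "DomainName": "legacy.example.com", "KeyAlgorithm": "RSA-1024"},
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-3",
     "DomainName": "edge.example.com", "KeyAlgorithm": "EC-prime256v1"},
]}

if __name__ == "__main__":
    # Pipe real list-certificates JSON in; with no pipe, the constructed sample is checked.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    findings = find_noncompliant(data["CertificateSummaryList"])
    for arn, domain, alg, verdict in findings:
        print(f"{verdict.upper():6} {alg:14} {domain:24} {arn}")
    sys.exit(1 if findings else 0)  # non-zero exit suits a scheduled/monitoring job
```

Run as aws acm list-certificates --includes keyTypes=... | python3 acm_key_check.py; the exit status can be wired into whatever scheduler or alerting you already use.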