ACM certificates are evaluated for the public key algorithm and size, identifying those that use weak parameters such as RSA-1024 or ECDSA P-192. Certificates using RSA-2048+ or ECDSA P-256+ meet the secure baseline.
Risk
Weak certificate keys reduce TLS confidentiality and authenticity.
Where factoring or discrete-log attacks against the key are feasible, an attacker can recover the private key, enabling man-in-the-middle, session decryption, and certificate spoofing, leading to data exposure and tampering.
prowler aws --checks acm_certificates_with_secure_key_algorithms
Recommendation
Use strong algorithms: RSA-2048+ or ECDSA P-256/P-384. Replace weak or legacy certificates and prevent their use via policy.
Prefer ECDSA where compatible, apply least privilege to private keys, enforce modern TLS policies, and automate renewal to maintain cryptographic strength.
Remediation
- In the AWS Console, go to Certificate Manager (ACM)
- Click Request a certificate and enter <example_domain>
- Under Key algorithm, select ECDSA P-256 (or RSA 2048)
- Complete validation (DNS is recommended)
- In the service using the certificate (e.g., ALB/CloudFront/API Gateway), replace the old certificate with the new one
- Delete the insecure certificate (e.g., RSA-1024 or P-192) once no longer in use.
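The evaluation described at the top of this page, together with the in-use state that the last remediation step depends on, can be sketched as follows. This is an added example, not Prowler's own code: the function names, the `REVIEW` status and the sample records are assumptions, and `scan` expects a boto3 ACM client to be passed in.

```python
import re

# Key types accepted by the ListCertificates Includes.keyTypes filter. They are
# passed explicitly because the API does not return every key type by default.
ALL_KEY_TYPES = ["RSA_1024", "RSA_2048", "RSA_3072", "RSA_4096",
                 "EC_prime256v1", "EC_secp384r1", "EC_secp521r1"]
MIN_BITS = {"RSA": 2048, "EC": 256}  # secure baseline stated on this page

def parse_key_algorithm(value):
    """Map 'RSA_2048', 'RSA-1024', 'EC_prime256v1', 'P-192' to (family, bits)."""
    v = re.sub(r"[\s-]+", "_", value.strip().upper())
    m = re.fullmatch(r"RSA_(\d+)", v)
    if m:
        return "RSA", int(m.group(1))
    m = re.fullmatch(r"(?:EC_|ECDSA_)?(?:P_|PRIME|SECP)(\d+)(?:[RVK]\d+)?", v)
    if m:
        return "EC", int(m.group(1))
    return None, None  # unrecognised string: do not guess a strength

def evaluate(summary):
    """Classify one CertificateSummary-shaped dict as PASS, FAIL or REVIEW."""
    family, bits = parse_key_algorithm(summary.get("KeyAlgorithm", ""))
    if family is None:
        status = "REVIEW"  # hypothetical status for values this sketch cannot parse
    elif bits >= MIN_BITS[family]:
        status = "PASS"
    else:
        status = "FAIL"
    return {"arn": summary["CertificateArn"], "status": status,
            "in_use": summary.get("InUse", False)}

def scan(acm_client):
    """Evaluate every certificate in the client's region (needs acm:ListCertificates)."""
    pages = acm_client.get_paginator("list_certificates").paginate(
        Includes={"keyTypes": ALL_KEY_TYPES})
    return [evaluate(s) for page in pages for s in page["CertificateSummaryList"]]

# Constructed sample records (placeholder account id and certificate ids).
_ARN = "arn:aws:acm:us-east-1:111122223333:certificate/"
SAMPLE = [
    {"CertificateArn": _ARN + "example-1", "KeyAlgorithm": "RSA_1024", "InUse": True},
    {"CertificateArn": _ARN + "example-2", "KeyAlgorithm": "EC_prime256v1", "InUse": True},
    {"CertificateArn": _ARN + "example-3", "KeyAlgorithm": "P-192", "InUse": False},
    {"CertificateArn": _ARN + "example-4", "KeyAlgorithm": "RSA-2048", "InUse": False},
]

if __name__ == "__main__":
    for result in map(evaluate, SAMPLE):
        print(result["status"], "in_use=%s" % result["in_use"], result["arn"])
```

A `FAIL` result with `in_use` set to true needs its certificate replaced in the consuming service before the old one can be deleted.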
Resource Type
AwsCertificateManagerCertificate