ACM Certificate Uses a Secure Key Algorithm
Overview
This check ensures that your AWS Certificate Manager (ACM) certificates use strong cryptographic key algorithms. Certificates using weak algorithms like RSA-1024 or ECDSA P-192 are flagged as insecure. Certificates must use RSA-2048 or stronger, or ECDSA P-256 or stronger to pass this check.
Risk
Weak certificate keys make your TLS connections vulnerable to attack. If an attacker can break the encryption:
- They can intercept and read encrypted traffic (man-in-the-middle attacks)
- They can decrypt recorded sessions
- They can impersonate your website or service (certificate spoofing)
This puts sensitive data at risk and undermines trust in your applications.
Remediation Steps
Prerequisites
- AWS Console access with permissions to manage ACM certificates
- Access to your domain's DNS records (for validation)
Required IAM permissions
You need the following permissions:
acm:RequestCertificateacm:DescribeCertificateacm:ListCertificatesacm:DeleteCertificate
If using DNS validation, you also need access to modify DNS records for your domain.
AWS Console Method
-
Open the AWS Certificate Manager console
-
Click Request a certificate
-
Select Request a public certificate and click Next
-
Enter your domain name (e.g.,
example.comor*.example.comfor wildcard) -
Under Key algorithm, select one of these secure options:
- ECDSA P 256 (recommended for modern compatibility)
- ECDSA P 384 (stronger, slightly less compatible)
- RSA 2048 (widely compatible)
-
For Validation method, select DNS validation (recommended)
-
Click Request
-
Complete DNS validation by adding the CNAME record shown to your domain's DNS
-
Once validated, update your services (ALB, CloudFront, API Gateway, etc.) to use the new certificate
-
After confirming the new certificate works, delete the old insecure certificate
AWS CLI
List existing certificates to identify weak ones:
aws acm list-certificates \
--region us-east-1 \
--query 'CertificateSummaryList[*].[CertificateArn,DomainName,KeyAlgorithm]' \
--output table
Request a new certificate with ECDSA P-256:
aws acm request-certificate \
--domain-name example.com \
--validation-method DNS \
--key-algorithm EC_prime256v1 \
--region us-east-1
Request a new certificate with RSA-2048:
aws acm request-certificate \
--domain-name example.com \
--validation-method DNS \
--key-algorithm RSA_2048 \
--region us-east-1
Get certificate details (including key algorithm):
aws acm describe-certificate \
--certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012 \
--region us-east-1 \
--query 'Certificate.[DomainName,KeyAlgorithm,Status]'
Delete the old insecure certificate (after replacing it):
aws acm delete-certificate \
--certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012 \
--region us-east-1
Valid key algorithm values for ACM:
RSA_2048(default)EC_prime256v1(ECDSA P-256)EC_secp384r1(ECDSA P-384)
Note: RSA-3072, RSA-4096, and EC_secp521r1 are only available for imported certificates, not certificates requested through ACM.
CloudFormation
AWSTemplateFormatVersion: '2010-09-09'
Description: ACM Certificate with secure key algorithm
Parameters:
DomainName:
Type: String
Description: The domain name for the certificate
Default: example.com
Resources:
SecureCertificate:
Type: AWS::CertificateManager::Certificate
Properties:
DomainName: !Ref DomainName
KeyAlgorithm: EC_prime256v1
ValidationMethod: DNS
Tags:
- Key: Name
Value: !Sub "${DomainName}-certificate"
Outputs:
CertificateArn:
Description: ARN of the issued certificate
Value: !Ref SecureCertificate
Export:
Name: !Sub "${AWS::StackName}-CertificateArn"
Deploy the stack:
aws cloudformation create-stack \
--stack-name secure-acm-certificate \
--template-body file://template.yaml \
--parameters ParameterKey=DomainName,ParameterValue=example.com \
--region us-east-1
Terraform
variable "domain_name" {
description = "The domain name for the certificate"
type = string
default = "example.com"
}
resource "aws_acm_certificate" "secure" {
domain_name = var.domain_name
validation_method = "DNS"
key_algorithm = "EC_prime256v1"
tags = {
Name = "${var.domain_name}-certificate"
}
lifecycle {
create_before_destroy = true
}
}
output "certificate_arn" {
description = "ARN of the issued certificate"
value = aws_acm_certificate.secure.arn
}
Apply the configuration:
terraform init
terraform plan
terraform apply
Verification
After requesting a new certificate:
- Return to the ACM console
- Click on your certificate
- Verify the Key algorithm shows RSA-2048, ECDSA P-256, or ECDSA P-384
CLI verification
aws acm describe-certificate \
--certificate-arn <your-certificate-arn> \
--region us-east-1 \
--query 'Certificate.KeyAlgorithm'
Expected output for a secure certificate:
RSA_2048EC_prime256v1EC_secp384r1
Run Prowler to confirm the fix:
prowler aws --checks acm_certificates_with_secure_key_algorithms
Additional Resources
- AWS ACM User Guide - Key Algorithms
- AWS ACM Best Practices
- NIST Guidelines on Cryptographic Key Lengths
Notes
-
ECDSA vs RSA: ECDSA P-256 provides equivalent security to RSA-3072 but with smaller key sizes, resulting in faster TLS handshakes. Prefer ECDSA unless you need compatibility with older systems.
-
Certificate replacement: You cannot change the key algorithm of an existing certificate. You must request a new certificate with the desired algorithm, update your services to use it, then delete the old one.
-
Service interruption: Plan certificate replacements during maintenance windows. Update all services using the certificate before deleting the old one.
-
Imported certificates: If you import certificates (rather than requesting them through ACM), you can use stronger algorithms like RSA-4096 or ECDSA P-521.
-
Compliance frameworks: This check maps to AWS Foundational Security Best Practices, C5, CCC, KISA-ISMS-P, NIS2, and PCI requirements.