Metadata

Id: d5ec2080-340a-4259-b885-f833c4ea6a31

Cloud Provider: AWS

Platform: Ansible

Severity: Medium

Category: Insecure Configurations

Description

Certificates must use sufficiently strong RSA keys to prevent cryptographic compromise. RSA keys smaller than 2048 bits can be factored with modern compute, enabling certificate impersonation and decryption of TLS traffic.

For Ansible tasks that use the community.aws.acm_certificate module, ensure the certificate.rsa_key_bytes property is defined and set to at least 256 (bytes), which corresponds to a 2048-bit key (256 * 8). Tasks that omit this property, or that set rsa_key_bytes to a value below 256, are flagged as insecure. Larger values (for example, rsa_key_bytes: 512 for a 4096-bit key) are acceptable.

Secure example:

- name: Request ACM certificate with 2048-bit RSA key
  community.aws.acm_certificate:
    name: example-cert
    certificate:
      rsa_key_bytes: 256   # 256 bytes * 8 = 2048 bits, the minimum this rule accepts
    state: present
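The following is an added example that re-implements the check described above in plain Python; it is not Datadog's rule engine or the Ansible module's code. Task dictionaries are constructed inline (as if already loaded from a playbook), the threshold of 256 bytes is taken from the rule, and a certificate supplied as a PEM string or lookup() expression is reported as "unknown" because its key size cannot be read from the task alone.

```python
"""Evaluate Ansible tasks against the rsa_key_bytes >= 256 rule (added example)."""

MIN_RSA_KEY_BYTES = 256                      # 256 bytes * 8 = 2048 bits
MODULE = "community.aws.acm_certificate"     # module this rule applies to


def rsa_bytes_to_bits(key_bytes):
    """Convert the byte length of an RSA modulus to its bit length."""
    return int(key_bytes) * 8


def evaluate_task(task):
    """Return (status, detail) for one task dict.

    status is 'pass', 'fail', 'unknown' (key material not inspectable
    from the task) or 'n/a' (task does not use the ACM module)."""
    params = task.get(MODULE)
    if params is None:
        return ("n/a", "task does not use " + MODULE)
    cert = params.get("certificate")
    if isinstance(cert, str):
        # PEM text or a "{{ lookup('file', ...) }}" expression: the key size
        # lives in the key material, not in the task, so it cannot be judged here.
        return ("unknown", "certificate given as PEM/lookup; inspect the key itself")
    if not isinstance(cert, dict) or "rsa_key_bytes" not in cert:
        return ("fail", "certificate.rsa_key_bytes is not defined")
    try:
        key_bytes = int(cert["rsa_key_bytes"])      # YAML may yield "256" as a string
    except (TypeError, ValueError):
        return ("fail", "certificate.rsa_key_bytes is not an integer")
    bits = rsa_bytes_to_bits(key_bytes)
    if key_bytes < MIN_RSA_KEY_BYTES:
        return ("fail", f"{key_bytes} bytes = {bits}-bit RSA key, below 2048 bits")
    return ("pass", f"{key_bytes} bytes = {bits}-bit RSA key")


def failing_tasks(tasks):
    """Names of the tasks the rule would flag as insecure."""
    return [t.get("name", "<unnamed>") for t in tasks if evaluate_task(t)[0] == "fail"]


# Constructed sample tasks (assumption: playbook already parsed into dicts).
SAMPLE_TASKS = [
    {"name": "2048-bit key", MODULE: {"name": "cert-a", "certificate": {"rsa_key_bytes": 256}}},
    {"name": "4096-bit key", MODULE: {"name": "cert-b", "certificate": {"rsa_key_bytes": 512}}},
    {"name": "1024-bit key", MODULE: {"name": "cert-c", "certificate": {"rsa_key_bytes": 128}}},
    {"name": "property missing", MODULE: {"name": "cert-d", "state": "present"}},
    {"name": "pem from file", MODULE: {"certificate": "{{ lookup('file', 'rsa1024.pem') }}"}},
    {"name": "other module", "ansible.builtin.debug": {"msg": "not a certificate task"}},
]

if __name__ == "__main__":
    for task in SAMPLE_TASKS:
        print(task["name"], *evaluate_task(task))
```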

Compliant Code Examples

- name: upload a self-signed certificate with a 4096-bit RSA key
  community.aws.acm_certificate:
    certificate: "{{ lookup('file', 'rsa4096.pem') }}"   # 4096-bit key, above the 2048-bit minimum
    private_key: "{{ lookup('file', 'key.pem') }}"
    name_tag: my_cert
    region: ap-southeast-2

Non-Compliant Code Examples

- name: upload a self-signed certificate with a 1024-bit RSA key
  community.aws.acm_certificate:
    certificate: "{{ lookup('file', 'rsa1024.pem') }}"   # 1024-bit key, below the 2048-bit minimum: flagged
    private_key: "{{ lookup('file', 'key.pem') }}"
    name_tag: my_cert
    region: ap-southeast-2