---
title: Certificate RSA key bytes lower than 256
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > Certificate RSA key bytes lower than 256
---

# Certificate RSA key bytes lower than 256

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `terraform-aws-certificate-rsa-key-bytes-lower-than-256` 

**Provider:** AWS

**Platform:** Terraform

**Severity:** Medium

**Category:** Insecure Configurations

#### Learn More{% #learn-more %}

- [Provider Reference: aws_api_gateway_domain_name](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_domain_name)
- [Provider Reference: aws_iam_server_certificate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_server_certificate)

### Description{% #description %}

This check validates that the SSL/TLS certificate referenced by a resource's `certificate_body` (for example on an `aws_api_gateway_domain_name` or an `aws_iam_server_certificate`) carries an RSA public key of at least 2048 bits (256 bytes). The key size is a property of the certificate file, not of the Terraform argument: `certificate_body = file("./rsa1024.pem")` fails because the PEM it points to contains a 1024-bit modulus, and `certificate_body = file("./rsa4096.pem")` passes because its modulus is 4096 bits. RSA keys are not broken by brute force over the key space but by factoring the modulus, and the cost of factoring drops steeply as the modulus shrinks: 1024-bit RSA is generally considered feasible for a well-resourced attacker, has been disallowed by NIST for new signatures since 2013, and is no longer issued by public CAs. An attacker who recovers the private key can impersonate the endpoint and, for TLS sessions that used RSA key exchange rather than an ephemeral Diffie-Hellman exchange, passively decrypt captured traffic, exposing sensitive data and the credentials used to reach protected APIs. Generate certificates with a 2048-bit RSA key at minimum (3072 or 4096 bits where extra margin is wanted), and treat a finding as a request to reissue the certificate rather than to edit the Terraform. The rule measures RSA keys only; an ECDSA certificate (for example on P-256) has a much shorter key that is not weak and is not what this check evaluates.
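To make the check concrete, here is an added example (not Datadog's scanner and not code from this page) that extracts the RSA modulus size from a PEM certificate with a minimal DER walker and applies the 2048-bit threshold to every `certificate_body = file("...")` reference in a Terraform snippet. It uses only the Python standard library. The two certificates it tests against are constructed inline as unsigned X.509 shells, so the file names `./rsa1024.pem` and `./rsa4096.pem`, the `files` dict that stands in for the filesystem, and all function names are assumptions made for this example.

```python
"""Added example: measure the RSA modulus in a PEM certificate and apply the
2048-bit rule to certificate_body = file("...") references in Terraform.
Standard library only; the test certificates are constructed inline (unsigned)."""
import base64
import re
import secrets

MINIMUM_RSA_BITS = 2048                                        # 256 bytes, the rule's threshold
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1
SHA256_WITH_RSA_OID = bytes.fromhex("06092a864886f70d01010b")  # 1.2.840.113549.1.1.11
DER_NULL = b"\x05\x00"


# --- minimal DER encode/decode (encoding is only used to build the test certs) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def _der_int(value):
    # One extra bit of headroom keeps the two's-complement encoding positive.
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long form: low bits give the byte count
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        out.append((tag, value))
    return out


# --- the check itself ---
def pem_to_der(pem_text):
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not match:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(match.group(1).split()))

def rsa_key_bits(pem_text):
    """Bit length of the certificate's RSA modulus, or None if the key is not RSA."""
    _, certificate, _ = _read_tlv(pem_to_der(pem_text), 0)
    tbs = _children(_children(certificate)[0][1])            # tbsCertificate fields, in order
    spki_index = 6 if tbs[0][0] == 0xA0 else 5               # v3 certs start with explicit [0] version
    (_, algorithm), (_, bit_string) = _children(tbs[spki_index][1])
    if not algorithm.startswith(RSA_ENCRYPTION_OID):         # ECDSA/EdDSA certs are out of scope
        return None
    _, rsa_public_key, _ = _read_tlv(bit_string, 1)          # skip the unused-bits byte
    (_, modulus), (_, _exponent) = _children(rsa_public_key)
    return int.from_bytes(modulus, "big").bit_length()

def is_compliant(pem_text, minimum_bits=MINIMUM_RSA_BITS):
    bits = rsa_key_bits(pem_text)
    return bits is None or bits >= minimum_bits

CERT_BODY_RE = re.compile(r'certificate_body\s*=\s*file\("([^"]+)"\)')

def scan_terraform(hcl_text, files, minimum_bits=MINIMUM_RSA_BITS):
    """Map each certificate_body file reference to (rsa_bits, compliant).
    `files` is a dict path -> PEM text standing in for the filesystem (assumption)."""
    return {path: (rsa_key_bits(files[path]), is_compliant(files[path], minimum_bits))
            for path in CERT_BODY_RE.findall(hcl_text)}


# --- constructed test data: an unsigned X.509 shell around a fresh RSA modulus ---
def build_test_certificate(modulus_bits):
    modulus = secrets.randbits(modulus_bits) | (1 << (modulus_bits - 1)) | 1
    rsa_public_key = _der(0x30, _der_int(modulus) + _der_int(65537))
    spki = _der(0x30, _der(0x30, RSA_ENCRYPTION_OID + DER_NULL) + _der(0x03, b"\x00" + rsa_public_key))
    empty_name = _der(0x30, b"")
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    signature_algorithm = _der(0x30, SHA256_WITH_RSA_OID + DER_NULL)
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(1) + signature_algorithm
               + empty_name + validity + empty_name + spki)
    cert = _der(0x30, tbs + signature_algorithm + _der(0x03, b"\x00" * 17))   # placeholder signature
    body = base64.b64encode(cert).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    files = {"./rsa1024.pem": build_test_certificate(1024), "./rsa4096.pem": build_test_certificate(4096)}
    hcl = 'certificate_body = file("./rsa1024.pem")\ncertificate_body = file("./rsa4096.pem")\n'
    for path, (bits, ok) in scan_terraform(hcl, files).items():
        print(f"{path}: RSA {bits}-bit -> {'compliant' if ok else 'NON-COMPLIANT'}")
```

Against a real certificate on disk the same measurement is `openssl x509 -in cert.pem -noout -text | grep Public-Key`, which reports the modulus size as `Public-Key: (2048 bit)`; the Python above is the same walk done by hand, and it returns `None` rather than a failure for non-RSA keys because this rule does not apply to them.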

## Compliant Code Examples{% #compliant-code-examples %}

```terraform
resource "aws_api_gateway_domain_name" "example3" {
  certificate_body = file("./rsa4096.pem") # PEM whose RSA modulus is 4096 bits
  domain_name      = "api.example.com"
}
```

```terraform
resource "aws_iam_server_certificate" "test_cert22" {
  name             = "some_test_cert"
  certificate_body = file("./rsa4096.pem") # PEM whose RSA modulus is 4096 bits
  private_key      = <<EOF
-----BEGIN RSA PRIVATE KEY-----
[......] # private key contents
-----END RSA PRIVATE KEY-----
EOF
}
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```terraform
resource "aws_api_gateway_domain_name" "example" {
  certificate_body = file("./rsa1024.pem") # PEM whose RSA modulus is only 1024 bits
  domain_name      = "api.example.com"
}
```

```terraform
resource "aws_iam_server_certificate" "test_cert2" {
  name             = "some_test_cert"
  certificate_body = file("./rsa1024.pem") # PEM whose RSA modulus is only 1024 bits
  private_key      = <<EOF
-----BEGIN RSA PRIVATE KEY-----
[......] # private key contents
-----END RSA PRIVATE KEY-----
EOF
}
```
