ACM RSA certificates should use a key length of at least 2,048 bits
RSA keys shorter than 2,048 bits are cryptographically weak and can be factored with modern hardware in a practical timeframe. NIST deprecated 1,024-bit RSA in 2013, and compliance frameworks across financial services, healthcare, and government now treat 2,048 bits as the floor. Certificates with undersized keys expose TLS connections to downgrade and man-in-the-middle attacks.
Imported certificates are the primary risk vector. ACM-issued certificates default to 2,048-bit RSA, but aws_acm_certificate resources that import externally generated certificates inherit whatever key size the PEM material contains. A single weak certificate attached to an ALB or CloudFront distribution can undermine the encryption posture of your entire edge.
Retrofit consideration
Imported certificates with sub-2048-bit keys require regenerating the private key and re-issuing the certificate from the external CA before re-importing.
Implementation
Choose the approach that matches how you manage Terraform.
Use the compliance.tf module to enforce this control by default. See get started with compliance.tf.
module "acm" {
  source  = "nistcsf.compliance.tf/terraform-aws-modules/acm/aws"
  version = ">=6.0.0,<7.0.0"

  create_route53_records    = false
  domain_name               = "abc123.pofix.click"
  subject_alternative_names = []
  validate_certificate      = false
  validation_method         = "DNS"
  wait_for_validation       = false
  zone_id                   = "Z1234567890ABC"
  key_algorithm             = "RSA_2048"
}
module "acm" {
  source  = "acscism2023.compliance.tf/terraform-aws-modules/acm/aws"
  version = ">=6.0.0,<7.0.0"

  create_route53_records    = false
  domain_name               = "abc123.pofix.click"
  subject_alternative_names = []
  validate_certificate      = false
  validation_method         = "DNS"
  wait_for_validation       = false
  zone_id                   = "Z1234567890ABC"
  key_algorithm             = "RSA_2048"
}
If you use terraform-aws-modules/acm/aws, set the right module inputs for this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.
module "acm" {
  source  = "terraform-aws-modules/acm/aws"
  version = ">=6.0.0,<7.0.0"

  create_route53_records    = false
  domain_name               = "abc123.pofix.click"
  subject_alternative_names = []
  validate_certificate      = false
  validation_method         = "DNS"
  wait_for_validation       = false
  zone_id                   = "Z1234567890ABC"
  key_algorithm             = "RSA_2048"
}
Use AWS provider resources directly. See docs for the resources involved: aws_acm_certificate.
resource "aws_acm_certificate" "this" {
  domain_name       = "abc123.pofix.click"
  validation_method = "DNS"
  key_algorithm     = "RSA_2048"
}
What this control checks
For ACM-issued certificates using aws_acm_certificate, set key_algorithm to RSA_2048, RSA_3072, or RSA_4096. Omitting key_algorithm defaults to RSA_2048, which passes. Values like EC_prime256v1, EC_secp384r1, or EC_secp521r1 use elliptic curve keys and are not evaluated by this RSA-specific control.
For imported certificates, certificate_body, private_key, and optionally certificate_chain are provided instead of key_algorithm. The key_algorithm argument is not used during import; the control inspects the certificate's public key metadata in ACM after import. Any imported RSA certificate with a key shorter than 2,048 bits will fail. No Terraform argument can override this; the source key material itself must be 2,048 bits or larger.
Common pitfalls
Imported certificates bypass Terraform argument checks
Terraform won't validate RSA key length at plan time for imported certificates. When certificate_body and private_key are provided, a 1,024-bit key is accepted without error and only flagged by the compliance check after deployment. Validate key length before import: openssl rsa -in key.pem -text -noout | grep 'Private-Key'.
Default key_algorithm already passes but may not be explicit
Explicitly set key_algorithm = "RSA_2048" (or higher) even though the default already passes. Leaving it implicit means a future provider change or module override could alter behavior silently, and the omission is harder to catch in code review.
Renewed certificates inherit the original key algorithm
ACM-issued certificates that auto-renew keep the same key algorithm. If an old certificate was provisioned with a weak key before guardrails were in place, renewal won't upgrade the key size. Request a new certificate with the correct key_algorithm and update any resource references.
Elliptic curve certificates are out of scope
This control only evaluates RSA certificates. Setting key_algorithm to EC_prime256v1 or another EC variant puts the certificate outside scope, so it won't appear non-compliant here. If you use ECDSA certificates, a separate control covering EC key strength is needed.
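The decision logic from "What this control checks" and the pre-import key-length check from the pitfalls above, as an added example that is not part of this page or of compliance.tf. It uses only the Python standard library: rsa_modulus_bits reads the RSA modulus out of a PEM X.509 certificate or PKCS#1 private key (the same number openssl prints as "Private-Key: (N bit)"), and evaluate applies the control's rules to an aws_acm_certificate argument map, so an imported certificate is judged on its key material even if key_algorithm is also set. The function names and the "NOT_APPLICABLE" label are this example's own; the sample_* fixtures are constructed, unsigned shells with a fake modulus of the requested length, not real keys.

```python
import base64
import re

COMPLIANT_RSA = {"RSA_2048", "RSA_3072", "RSA_4096"}  # RSA_1024 is a valid ACM value but fails
MIN_RSA_BITS = 2048
RSA_OID = bytes.fromhex("06092a864886f70d010101")     # DER of OID 1.2.840.113549.1.1.1 (rsaEncryption)

def _tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq_value):
    """Split a SEQUENCE/SET value into its (tag, value) elements."""
    pos, out = 0, []
    while pos < len(seq_value):
        tag, val, pos = _tlv(seq_value, pos)
        out.append((tag, val))
    return out

def _modulus_bits(rsa_key_der, public):
    """RSAPublicKey is SEQ{n, e}; RSAPrivateKey (PKCS#1) is SEQ{version, n, e, d, ...}."""
    tag, n_bytes = _children(_tlv(rsa_key_der)[1])[0 if public else 1]
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(n_bytes, "big").bit_length()

def _find_rsa_spki(seq_value):
    """Depth-first search for SubjectPublicKeyInfo = SEQ{SEQ{rsaEncryption, NULL}, BIT STRING};
    returns the RSAPublicKey DER inside the BIT STRING, or None when the key is not RSA."""
    elems = _children(seq_value)
    if (len(elems) == 2 and elems[0][0] == 0x30 and elems[0][1].startswith(RSA_OID)
            and elems[1][0] == 0x03):
        return elems[1][1][1:]                         # skip the unused-bits octet
    for tag, val in elems:
        if tag & 0x20:                                 # constructed type: recurse into it
            found = _find_rsa_spki(val)
            if found is not None:
                return found
    return None

def rsa_modulus_bits(pem):
    """Modulus length in bits of a PEM X.509 certificate or PKCS#1 RSA private key; None if the
    certificate key is not RSA. This is the number openssl reports as 'Private-Key: (N bit)'."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, der = m.group(1), base64.b64decode("".join(m.group(2).split()))
    if label == "RSA PRIVATE KEY":
        return _modulus_bits(der, public=False)
    if label == "CERTIFICATE":
        spki = _find_rsa_spki(_tlv(der)[1])
        return None if spki is None else _modulus_bits(spki, public=True)
    raise ValueError(f"unsupported PEM label: {label}")

def evaluate(resource):
    """Classify one aws_acm_certificate argument map the way the control does."""
    if "certificate_body" in resource:                 # import: key_algorithm is ignored,
        bits = rsa_modulus_bits(resource["certificate_body"])  # the key material decides
        if bits is None:
            return "NOT_APPLICABLE"
        return "COMPLIANT" if bits >= MIN_RSA_BITS else "NON_COMPLIANT"
    algo = resource.get("key_algorithm", "RSA_2048")   # omitted argument defaults to RSA_2048
    if algo.startswith("EC_"):                         # elliptic curve keys are out of scope
        return "NOT_APPLICABLE"
    return "COMPLIANT" if algo in COMPLIANT_RSA else "NON_COMPLIANT"

# --- constructed fixtures: not real keys, the modulus is just an odd number of the right length ---
def _der(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _der_int(i):
    return _der(0x02, i.to_bytes(i.bit_length() // 8 + 1, "big"))

def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def sample_private_key_pem(bits):
    """PKCS#1 RSAPrivateKey shell: version, n, e, then placeholder d, p, q, dp, dq, qinv."""
    fields = [0, (1 << (bits - 1)) | 1, 65537] + [1] * 6
    return _pem("RSA PRIVATE KEY", _der(0x30, b"".join(_der_int(f) for f in fields)))

def sample_certificate_pem(bits):
    """Unsigned X.509 v3 shell whose SubjectPublicKeyInfo carries a `bits`-bit fake modulus."""
    rsa_pub = _der(0x30, _der_int((1 << (bits - 1)) | 1) + _der_int(65537))
    alg_id = _der(0x30, RSA_OID + b"\x05\x00")         # rsaEncryption with NULL parameters
    spki = _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_pub))
    empty_name, utc = _der(0x30, b""), _der(0x17, b"250101000000Z")
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(1) + alg_id + empty_name
               + _der(0x30, utc + utc) + empty_name + spki)
    return _pem("CERTIFICATE", _der(0x30, tbs + alg_id + _der(0x03, b"\x00")))
```

Run rsa_modulus_bits over the real certificate_body and private_key files in a pre-apply step and refuse to import anything under MIN_RSA_BITS; evaluate({"certificate_body": ..., "key_algorithm": "RSA_4096"}) on a 1,024-bit certificate still returns NON_COMPLIANT, which is exactly why the key_algorithm argument cannot rescue an import.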
Audit evidence
AWS Config rule evaluation results for acm-certificate-rsa-2048 should show all ACM certificates compliant. Supporting evidence includes the output of aws acm describe-certificate --certificate-arn <arn> showing KeyAlgorithm as RSA_2048 or higher for every RSA certificate. A console screenshot of the ACM certificate list filtered to show key type and length provides quick visual confirmation.
For continuous assurance, a Security Hub findings export filtered to this control and showing zero active failures serves as periodic proof. If imported certificates exist, auditors may also request the certificate generation procedure or CA issuance policy confirming a minimum 2,048-bit RSA requirement.
Framework-specific interpretation
NIST Cybersecurity Framework v2.0: PR.DS covers cryptographic protection of data in transit, and NIST SP 800-57 Part 1 sets 2,048-bit RSA as the minimum for security through 2030 and beyond. This control validates that TLS certificate key material meets that threshold.
Related controls
Tool mappings
Use these identifiers to cross-reference this control across tools, reports, and evidence.
Compliance.tf Control: acm_certificate_rsa_key_length_2048_bits_or_greater
AWS Config Managed Rule: ACM_CERTIFICATE_RSA_CHECK
Powerpipe Control: aws_compliance.control.acm_certificate_rsa_key_length_2048_bits_or_greater
Prowler Check: acm_certificates_with_secure_key_algorithms
AWS Security Hub Control: ACM.2
Last reviewed: 2026-03-09