Certificate RSA Key Bytes Lower Than 256

  • Query id: 874d68a3-bfbe-4a4b-aaa0-9e74d7da634b
  • Query name: Certificate RSA Key Bytes Lower Than 256
  • Platform: Terraform
  • Severity: Medium
  • Category: Insecure Configurations
  • URL: Github

Description

The certificate should use a RSA key with a length equal to or higher than 256 bytes
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "aws_api_gateway_domain_name" "example" {
  certificate_body = file("./rsa1024.pem")
  domain_name     = "api.example.com"
}
Positive test num. 2 - tf file
resource "aws_iam_server_certificate" "test_cert2" {
  name             = "some_test_cert"
  certificate_body = file("./rsa1024.pem")
  private_key      = <<EOF
-----BEGIN RSA PRIVATE KEY-----
[......] # cert contents
-----END RSA PRIVATE KEY-----
EOF
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "aws_api_gateway_domain_name" "example3" {
  certificate_body = file("./rsa4096.pem")
  domain_name     = "api.example.com"
}
Negative test num. 2 - tf file
resource "aws_iam_server_certificate" "test_cert22" {
  name             = "some_test_cert"
  certificate_body = file("./rsa4096.pem")
  private_key      = <<EOF
-----BEGIN RSA PRIVATE KEY-----
[......] # cert contents
-----END RSA PRIVATE KEY-----
EOF
}