- Ensure that all the SSL/TLS certificates stored within AWS IAM are not using the MD5/SHA-1 signature algorithm in order to adhere to AWS security best practices and protect from Collision attacks (i.e. cryptographic hash collisions). Cloud Conformity strongly recommends to upgrade your insecure server certificates to use signature algorithms with hash functions that are stronger than SHA-1/MD5, such as SHA-256, SHA-384 or SHA-512. For example, with the Amazon Certificate Manager (ACM) service you can provision server certificates using SHA-256 hashing algorithms.
Using server certificates (SSL/TLS certificates) with insecure and deprecated cryptographic hash functions such as MD5 or SHA-1, could make the connection between the client and the AWS resource that implements the certificates vulnerable to Collision attacks. A Collision attack utilizes the methodology that the hash generated by MD5 and SHA-1 functions is not unique and the same hash value can be generated for different contents of the certificate, therefore the encryption is not efficient. Note: The SSL/TLS certificates cannot be managed from the AWS IAM Management Console, therefore you must upload, retrieve, manage or delete these certificates programmatically using the AWS API. Because of this, Amazon Certificate Manager (ACM) represents the best AWS tool to provision, manage and deploy your server certificates. With AWS ACM You can use a SSL/TLS certificate provided by the ACM service or one that you purchased from an external provider.
To determine if there are any server certificates that are using MD5/SHA-1 signature algorithm, currently available within AWS IAM, perform the following:Note: Getting the certificates signature algorithm information via AWS Management Console is not currently supported. To request information about the SSL/TLS certificates managed by AWS IAM, use the Command Line Interface (CLI).
To replace any insecure/deprecated SSL/TLS certificates managed by AWS IAM service, perform the following:Note: Managing SSL/TLS certificates stored within AWS IAM via AWS Management Console is not currently supported. To upload, deploy and delete server certificates, use the AWS API through the Command Line Interface (CLI).