Compliance High severity

AWS Security Hub · ACM

ACM.2: An ACM RSA certificate uses a key shorter than 2048 bits

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub ACM.2 check?

ACM.2 fails any RSA certificate managed by ACM whose key is shorter than 2,048 bits — typically a legacy 1,024-bit key imported years ago. ACM-issued certs are minimum RSA-2048 by construction, so essentially every failure is an IMPORTED certificate.

Why does ACM.2 matter?

1,024-bit RSA is no longer safe — NIST deprecated it for new use after 2013, and the cost of factoring keys that size keeps falling. A certificate is supposed to be the thing browsers and customers trust; a weak key quietly undermines that trust on every connection it terminates. Unlike most findings, you cannot remediate it in place — the key length is bound into the signed certificate body.

How do I fix ACM.2?

  1. Run acm list-certificates across regions and capture KeyAlgorithm and Type; anything below RSA-2048 is in scope.
  2. Issue or import a strong replacement — request-certificate --key-algorithm RSA_2048 (or stronger) for DNS-validatable domains, or generate a new key pair and re-import.
  3. Read InUseBy from describe-certificate to enumerate every dependent ALB/NLB listener, CloudFront distribution, and API Gateway domain, and cut each over to the new ARN.
  4. Delete the old certificate only after consumers move, and keep the AWS Config rule acm-certificate-rsa-check enabled to catch a future weak import.
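A small triage helper for steps 1, 3 and 4, added here as an example and not code from this page or from Emnode. It consumes the CertificateSummaryList that aws acm list-certificates returns and assumes the listing was run with --includes keyTypes=RSA_1024,RSA_2048,RSA_3072,RSA_4096, because the default listing returns only RSA_2048 certificates and so never shows the RSA_1024 imports this control is about; the sample summaries and the listener and distribution ARNs are constructed.

```python
"""ACM.2 triage: scope the RSA<2048 certificates and group what still depends on each."""
import re
from collections import defaultdict

MIN_RSA_BITS = 2048
# Input: CertificateSummaryList from a widened listing, e.g.
#   aws acm list-certificates --includes keyTypes=RSA_1024,RSA_2048,RSA_3072,RSA_4096

def rsa_bits(key_algorithm):
    """Modulus size for an RSA KeyAlgorithm such as 'RSA_1024'; None for EC keys."""
    m = re.fullmatch(r"RSA[_-](\d+)", key_algorithm or "")
    return int(m.group(1)) if m else None

def triage(summaries):
    """Map each in-scope certificate ARN to its key size, Type and InUseBy consumers by service."""
    report = {}
    for s in summaries:
        bits = rsa_bits(s.get("KeyAlgorithm"))
        if bits is None or bits >= MIN_RSA_BITS:
            continue  # EC keys and RSA >= 2048 are not ACM.2 findings
        consumers = defaultdict(list)
        for arn in s.get("InUseBy", []):
            consumers[arn.split(":")[2]].append(arn)  # service name is the third ARN field
        report[s["CertificateArn"]] = {"domain": s.get("DomainName"), "bits": bits,
                                       "type": s.get("Type"), "consumers": dict(consumers)}
    return report

def ready_to_delete(report):
    """ARNs from triage() with no remaining consumers: safe to delete (step 4)."""
    return [arn for arn, info in report.items() if not info["consumers"]]

# Constructed sample (the 9f3a2b14 ARN is the one this page uses; consumer ARNs are made up).
SAMPLE = [
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/9f3a2b14",
     "DomainName": "api.example.com", "KeyAlgorithm": "RSA_1024", "Type": "IMPORTED",
     "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/web/1a2b/3c4d",
                 "arn:aws:cloudfront::123456789012:distribution/EXAMPLE123"]},
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/ok2048",
     "DomainName": "www.example.com", "KeyAlgorithm": "RSA_2048", "Type": "AMAZON_ISSUED"},
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/ec1",
     "DomainName": "edge.example.com", "KeyAlgorithm": "EC_prime256v1", "Type": "IMPORTED"},
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/old1024",
     "DomainName": "legacy.example.com", "KeyAlgorithm": "RSA_1024", "Type": "IMPORTED"},
]

if __name__ == "__main__":
    findings = triage(SAMPLE)
    for arn, info in findings.items():
        print(arn, info)
    print("ready to delete:", ready_to_delete(findings))
```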

Remediation script · bash

# Alarm on DaysToExpiry per certificate so a stalled renewal pages someone, not the root inbox.
aws cloudwatch put-metric-alarm \
  --alarm-name acm-imported-api-example-com-expiry \
  --namespace AWS/CertificateManager \
  --metric-name DaysToExpiry \
  --dimensions Name=CertificateArn,Value=arn:aws:acm:us-east-1:123456789012:certificate/9f3a2b14 \
  --statistic Minimum --period 86400 --evaluation-periods 1 \
  --threshold 45 --comparison-operator LessThanOrEqualToThreshold \
  --alarm-actions arn:aws:sns:us-east-1:123456789012:pagerduty-platform

# Clear expired leftovers from the IAM store after confirming nothing references them.
# Compare the dates in the shell: JMESPath ordering operators only apply to numbers, so a
# --query filter such as [?Expiration<'...'] on the ISO-8601 string silently matches nothing.
NOW=$(date -u +%Y-%m-%dT%H:%M:%SZ)
aws iam list-server-certificates \
  --query "ServerCertificateMetadataList[].[ServerCertificateName,Expiration]" \
  --output text | while read -r name expiration; do
  [[ "$expiration" < "$NOW" ]] || continue   # UTC ISO-8601 timestamps order lexically
  # confirm not referenced by any ELB listener or CloudFront distribution first
  aws iam delete-server-certificate --server-certificate-name "$name"
  echo "deleted expired IAM certificate: $name"
done

Full walkthrough (console steps, edge cases and verification) in the lesson Manage and renew TLS certificates.

Is ACM.2 a false positive?

ACM refuses to delete a certificate still associated with a resource (ResourceInUseException) — that is a safety interlock, not an error. It guarantees you cannot break TLS by deleting the old cert before traffic has moved to the new one.

Part of the learning path Encrypt everything
  • ACM.1 Certificates are close to expiry