turbot/net_insights

Control: Avoid implementing too much security for certificates

Description

Using RSA keys stronger than 2048 bits or ECDSA keys stronger than 256 bits is a waste of CPU power and might impair user experience.

Usage

Run the control in your terminal:

powerpipe control run net_insights.control.ssl_certificate_avoid_too_much_security

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run net_insights.control.ssl_certificate_avoid_too_much_security --share

Steampipe Tables

Params

| Args | Name | Default | Description | Variable |
| --- | --- | --- | --- | --- |
| $1 | domain_names | ["github.com","microsoft.com"] | DNS domain names. | |

SQL

select
  common_name as resource,
  case
    when (
      public_key_algorithm = 'RSA'
      and public_key_length > 2048
    ) then 'alarm'
    when (
      public_key_algorithm = 'ECDSA'
      and public_key_length > 256
    ) then 'alarm'
    else 'ok'
  end as status,
  case
    when (
      (
        public_key_algorithm = 'RSA'
        and public_key_length > 2048
      )
      or (
        public_key_algorithm = 'ECDSA'
        and public_key_length > 256
      )
    ) then common_name || ' is using larger keys.'
    else common_name || ' is not using larger keys.'
  end as reason
from
  net_certificate
where
  domain in (
    select
      jsonb_array_elements_text(to_jsonb($1::text[]))
  )
order by
  common_name;
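
To see where the control's thresholds fall, the query below runs the same status logic over constructed rows instead of live certificates. It is an added example, not part of the net_insights mod; the `sample_certificate` name, the host names and the key values are assumptions made up for illustration.

```sql
-- Constructed rows standing in for net_certificate (hypothetical hosts and values).
with sample_certificate (common_name, public_key_algorithm, public_key_length) as (
  values
    ('rsa-1024.example.test',  'RSA',     1024),
    ('rsa-2048.example.test',  'RSA',     2048),
    ('rsa-3072.example.test',  'RSA',     3072),
    ('rsa-4096.example.test',  'RSA',     4096),
    ('ecdsa-256.example.test', 'ECDSA',   256),
    ('ecdsa-384.example.test', 'ECDSA',   384),
    ('ed25519.example.test',   'Ed25519', 256)
)
select
  common_name as resource,
  public_key_algorithm,
  public_key_length,
  -- Same comparisons as the control: strictly greater than 2048 (RSA) or 256 (ECDSA).
  case
    when public_key_algorithm = 'RSA' and public_key_length > 2048 then 'alarm'
    when public_key_algorithm = 'ECDSA' and public_key_length > 256 then 'alarm'
    else 'ok'
  end as status
from
  sample_certificate
order by
  common_name;
```

Because the comparisons are strict and match only `RSA` and `ECDSA`, the 1024-bit RSA row and the Ed25519 row both return `ok`. An `ok` from this control therefore means only that the key is not oversized, not that it is strong enough.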