diff --git a/aws-encryption-sdk-net/Source/Extern/RSAEncryption.cs b/aws-encryption-sdk-net/Source/Extern/RSAEncryption.cs
index 3e34367f1..8f0c6d5aa 100644
--- a/aws-encryption-sdk-net/Source/Extern/RSAEncryption.cs
+++ b/aws-encryption-sdk-net/Source/Extern/RSAEncryption.cs
@@ -121,6 +121,10 @@ public static byte[] GetPublicKeyFromPrivateKeyPemString(string pem)
 }
 public static void GenerateKeyPairBytes(int strength, out byte[] publicKeyBytes, out byte[] privateKeyBytes)
 {
+ if (strength > 4096)
+ {
+ throw new ArgumentException("AWS Crypto will not generate an RSA Key greater than 4096.");
+ }
 RsaKeyPairGenerator keygen = new RsaKeyPairGenerator();
 SecureRandom secureRandom = new SecureRandom();
 keygen.Init(new RsaKeyGenerationParameters(
diff --git a/src/Crypto/RSAEncryption.dfy b/src/Crypto/RSAEncryption.dfy
index 909c33364..3d613193f 100644
--- a/src/Crypto/RSAEncryption.dfy
+++ b/src/Crypto/RSAEncryption.dfy
@@ -64,7 +64,8 @@ module {:extern "RSAEncryption"} RSAEncryption {
 }
 method GenerateKeyPair(strength: StrengthBits)
- returns (publicKey: PublicKey, privateKey: PrivateKey)
+ returns (publicKey: PublicKey, privateKey: PrivateKey)
+ requires strength <= 4096
 ensures privateKey.Valid()
 ensures publicKey.Valid()
 {
diff --git a/test/AwsCryptographicMaterialProviders/Keyrings/TestRawRSAKeyring.dfy b/test/AwsCryptographicMaterialProviders/Keyrings/TestRawRSAKeyring.dfy
index d51288866..f3ea5ebf8 100644
--- a/test/AwsCryptographicMaterialProviders/Keyrings/TestRawRSAKeyring.dfy
+++ b/test/AwsCryptographicMaterialProviders/Keyrings/TestRawRSAKeyring.dfy
@@ -258,6 +258,7 @@ module TestRawRSAKeying {
 )
 requires |namespace| < UINT16_LIMIT
 requires |name| < UINT16_LIMIT
+ requires keyStrength <= 4096
 {
 publicKey, privateKey := RSAEncryption.GenerateKeyPair(
 keyStrength
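Review bot: The new guard in `GenerateKeyPairBytes` bounds `strength` only from above, so a zero, negative or very small value still reaches `keygen.Init(...)`. The Dafny `StrengthBits` type may already exclude those values, but this extern is `public static` and can be called without going through the verified layer. Consider checking both ends and using the range-specific exception, e.g. `if (strength < MinStrengthBits || strength > 4096) throw new ArgumentOutOfRangeException(nameof(strength), strength, "RSA key size is out of the supported range.");`, where `MinStrengthBits` is a placeholder for whatever floor the project accepts. `ArgumentOutOfRangeException` derives from `ArgumentException`, so callers that catch the current type keep working. The method body continues past the end of the hunk.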
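Review bot: `requires strength <= 4096` on `GenerateKeyPair` hard-codes the same literal as the C# guard in `RSAEncryption.cs` and the `requires keyStrength <= 4096` added in `TestRawRSAKeyring.dfy`, so the three limits can drift apart on the next change. A named constant in the module, for example `const MAX_STRENGTH_BITS := 4096` (suggested name), referenced from both `requires` clauses, would keep the Dafny side in one place. A comment next to it such as `// Must match the runtime check in the RSAEncryption extern.` would also help, since the precondition binds only verified Dafny callers while the extern check is what holds at runtime. The method body lies outside the hunk.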