API Gateway classic custom domains should use secure TLS protocol versions (1.2 and above)
Description
The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS where possible. Versions prior to TLS 1.2 are deprecated, and their use may pose security risks.
Console Remediation Steps
1. Navigate to API Gateway.
2. In the left navigation, select Custom Domain Names.
3. Select the domain name to update.
4. In Domain details, select Edit.
5. In Minimum TLS version, select TLS 1.2 (recommended).
6. Select Save.
CLI Remediation Steps
To update the API Gateway classic custom domains to use secure TLS protocol versions (1.2 and above):
aws apigateway update-domain-name \
    --domain-name <value> \
    --patch-operations op='replace',path='/securityPolicy',value='TLS_1_2'
CloudFormation
JSON
Ensure that AWS::ApiGateway::DomainName uses secure TLS protocol versions (1.2 and above):
{
  "Properties" : {
    "SecurityPolicy" : "TLS_1_2"
  }
}
JSON Example Configuration
{
  "Type" : "AWS::ApiGateway::DomainName",
  "Properties" : {
    "SecurityPolicy" : "TLS_1_2"
  }
}
Other required fields are omitted from this example.
YAML
Ensure that AWS::ApiGateway::DomainName uses secure TLS protocol versions (1.2 and above):
Properties:
  SecurityPolicy: TLS_1_2
YAML Example Configuration
Type: AWS::ApiGateway::DomainName
Properties:
  SecurityPolicy: TLS_1_2
  # other required fields
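The CloudFormation check above can be run against a template before deployment. The following Python sketch is an added example, not part of the original page or of any AWS tooling: the function name, the sample template and the choice to report an unset or non-literal SecurityPolicy as a finding are assumptions of this example.

```python
import json

# Value this page recommends; extend the set if your policy allows others.
SECURE_POLICIES = {"TLS_1_2"}


def find_weak_domain_names(template_text):
    """Return (logical_id, reason) for each AWS::ApiGateway::DomainName
    resource whose SecurityPolicy is not an approved literal value."""
    template = json.loads(template_text)
    findings = []
    for logical_id, resource in sorted(template.get("Resources", {}).items()):
        if resource.get("Type") != "AWS::ApiGateway::DomainName":
            continue
        policy = (resource.get("Properties") or {}).get("SecurityPolicy")
        if policy is None:
            # Assumption: require the policy to be stated explicitly.
            findings.append((logical_id, "SecurityPolicy not set"))
        elif not isinstance(policy, str):
            # Ref / Fn::If and similar cannot be resolved statically.
            findings.append((logical_id, "SecurityPolicy is not a literal"))
        elif policy not in SECURE_POLICIES:
            findings.append((logical_id, "SecurityPolicy is " + policy))
    return findings


# Constructed sample template for illustration only.
SAMPLE_TEMPLATE = """
{
  "Resources": {
    "GoodDomain":   {"Type": "AWS::ApiGateway::DomainName",
                     "Properties": {"SecurityPolicy": "TLS_1_2"}},
    "LegacyDomain": {"Type": "AWS::ApiGateway::DomainName",
                     "Properties": {"SecurityPolicy": "TLS_1_0"}},
    "UnsetDomain":  {"Type": "AWS::ApiGateway::DomainName",
                     "Properties": {"DomainName": "api.example.com"}},
    "ParamDomain":  {"Type": "AWS::ApiGateway::DomainName",
                     "Properties": {"SecurityPolicy": {"Ref": "TlsPolicy"}}},
    "Bucket":       {"Type": "AWS::S3::Bucket"}
  }
}
"""

if __name__ == "__main__":
    for logical_id, reason in find_weak_domain_names(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {reason}")
```

Resources that set SecurityPolicy through an intrinsic function are reported for manual review, because the value is only known at deploy time.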