API Gateway classic custom domains should use secure TLS protocol versions (1.2 and above)

Description

The TLS (Transport Layer Security) protocol secures data in transit over the internet using standard encryption technology. Custom domains should require the latest TLS version available. Versions prior to TLS 1.2 are deprecated, and continuing to accept them may pose security risks.

Console Remediation Steps

  • Navigate to API Gateway.

  • In the left navigation, select Custom Domain Names.

  • Select the domain name to update.

  • In Domain details, select Edit.

  • In Minimum TLS version, select TLS 1.2 (recommended).

  • Select Save.

CLI Remediation Steps

To update the API Gateway classic custom domains to use secure TLS protocol versions (1.2 and above):

aws apigateway update-domain-name \
  --domain-name <value> \
  --patch-operations op='replace',path='/securityPolicy',value='TLS_1_2'
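The following audit script is an added example and is not part of the original page or of any AWS tooling. It operates on the same item shape that `aws apigateway get-domain-names` (or boto3's `get_domain_names()`) returns, flags every classic custom domain whose `securityPolicy` is anything other than `TLS_1_2` (treating a missing field as a finding, so the check fails closed), and builds the same `patchOperations` payload the CLI command above uses. The domain items are constructed sample data; the live boto3 calls are commented out so the script runs offline.

```python
"""Audit API Gateway classic custom domains for weak TLS security policies.

Added example (not from the original page). Works on the item shape returned
by `get-domain-names` and builds the patch operation used by the page's CLI
remediation. SAMPLE_DOMAINS is constructed data.
"""
from __future__ import annotations

COMPLIANT_POLICY = "TLS_1_2"  # API Gateway's "TLS 1.2 and above" policy

# Constructed sample shaped like the `items` list of get-domain-names.
SAMPLE_DOMAINS = [
    {"domainName": "api.example.com", "securityPolicy": "TLS_1_2"},
    {"domainName": "legacy.example.com", "securityPolicy": "TLS_1_0"},
    {"domainName": "unset.example.com"},  # field absent: still a finding
]


def is_compliant(domain: dict) -> bool:
    """True only when the domain explicitly requires TLS 1.2 or above."""
    return domain.get("securityPolicy") == COMPLIANT_POLICY


def find_noncompliant(domains: list[dict]) -> list[str]:
    """Names of domains that still accept TLS 1.0/1.1 (missing field counts)."""
    return [d["domainName"] for d in domains if not is_compliant(d)]


def tls12_patch_operations() -> list[dict]:
    """patchOperations equivalent to the CLI remediation on this page."""
    return [{"op": "replace", "path": "/securityPolicy", "value": COMPLIANT_POLICY}]


def remediate(client, domain_name: str, dry_run: bool = True) -> dict:
    """Apply the TLS 1.2 policy with a boto3 apigateway client.

    Dry-run by default: returns the planned change without calling AWS.
    """
    ops = tls12_patch_operations()
    if dry_run:
        return {"domainName": domain_name, "patchOperations": ops, "applied": False}
    resp = client.update_domain_name(domainName=domain_name, patchOperations=ops)
    return {
        "domainName": domain_name,
        "patchOperations": ops,
        "applied": True,
        "securityPolicy": resp.get("securityPolicy"),
    }


def main() -> None:
    # Offline demonstration over the constructed sample.
    print("non-compliant domains:", find_noncompliant(SAMPLE_DOMAINS))
    for name in find_noncompliant(SAMPLE_DOMAINS):
        print(remediate(None, name, dry_run=True))
    # Live audit (needs boto3 and AWS credentials); uncomment to use:
    # import boto3
    # client = boto3.client("apigateway")
    # pages = client.get_paginator("get_domain_names").paginate()
    # items = [d for page in pages for d in page["items"]]
    # for name in find_noncompliant(items):
    #     print(remediate(client, name, dry_run=True))


if __name__ == "__main__":
    main()
```

Run it as-is to see the findings on the sample data; switch `dry_run=False` only after reviewing the planned patch operations, since the update applies immediately to the live endpoint.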

CloudFormation

JSON

Ensure that AWS::ApiGateway::DomainName uses secure TLS protocol versions (1.2 and above):

{
  "Properties" : {
    "SecurityPolicy" : "TLS_1_2"
  }
}

JSON Example Configuration (other required fields omitted):

{
  "Type" : "AWS::ApiGateway::DomainName",
  "Properties" : {
    "SecurityPolicy" : "TLS_1_2"
  }
}

YAML

Ensure that AWS::ApiGateway::DomainName uses secure TLS protocol versions (1.2 and above):

Properties:
  SecurityPolicy: TLS_1_2

YAML Example Configuration
Type: AWS::ApiGateway::DomainName
Properties:
  SecurityPolicy: TLS_1_2
  # other required fields
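As an added example that is not part of the original page, the following linter checks a parsed CloudFormation template for `AWS::ApiGateway::DomainName` resources that either omit `SecurityPolicy` or set it to something other than `TLS_1_2`, and can emit a corrected copy of the template. The embedded template is constructed sample data with placeholder domain names. It reads JSON with the standard library; a YAML template loaded with PyYAML's `safe_load` gives the same dictionary shape (short-form intrinsics such as `!Ref` would need a custom loader, which this example does not cover).

```python
"""Lint CloudFormation templates for API Gateway custom domains below TLS 1.2.

Added example (not from the original page). SAMPLE_TEMPLATE_JSON is
constructed; domain names are placeholders.
"""
import copy
import json

RESOURCE_TYPE = "AWS::ApiGateway::DomainName"
REQUIRED_POLICY = "TLS_1_2"

# Constructed sample template: one compliant, one weak, one unset resource,
# plus an unrelated resource type that the check must ignore.
SAMPLE_TEMPLATE_JSON = """
{
  "Resources": {
    "GoodDomain": {
      "Type": "AWS::ApiGateway::DomainName",
      "Properties": {"DomainName": "api.example.com", "SecurityPolicy": "TLS_1_2"}
    },
    "WeakDomain": {
      "Type": "AWS::ApiGateway::DomainName",
      "Properties": {"DomainName": "legacy.example.com", "SecurityPolicy": "TLS_1_0"}
    },
    "DefaultDomain": {
      "Type": "AWS::ApiGateway::DomainName",
      "Properties": {"DomainName": "unset.example.com"}
    },
    "Unrelated": {
      "Type": "AWS::ApiGateway::RestApi",
      "Properties": {"Name": "demo"}
    }
  }
}
"""


def check_template(template: dict) -> list:
    """Return one finding per DomainName resource not pinned to TLS_1_2."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != RESOURCE_TYPE:
            continue
        policy = resource.get("Properties", {}).get("SecurityPolicy")
        if policy == REQUIRED_POLICY:
            continue
        reason = (
            "SecurityPolicy not set explicitly"
            if policy is None
            else f"SecurityPolicy is {policy}"
        )
        findings.append({"logical_id": logical_id, "security_policy": policy, "reason": reason})
    return findings


def fix_template(template: dict) -> dict:
    """Return a deep copy with SecurityPolicy set to TLS_1_2 on every finding."""
    fixed = copy.deepcopy(template)
    for finding in check_template(fixed):
        resource = fixed["Resources"][finding["logical_id"]]
        resource.setdefault("Properties", {})["SecurityPolicy"] = REQUIRED_POLICY
    return fixed


def lint_json_text(text: str) -> list:
    """Convenience wrapper: parse a JSON template string and check it."""
    return check_template(json.loads(text))


if __name__ == "__main__":
    template = json.loads(SAMPLE_TEMPLATE_JSON)
    for f in check_template(template):
        print(f"{f['logical_id']}: {f['reason']}")
    print("after fix:", check_template(fix_template(template)))
```

Wire `lint_json_text` into a pre-deploy step (for example a CI job that fails on any finding) so a template that drops the `SecurityPolicy` property is caught before `aws cloudformation deploy` creates a domain that accepts TLS 1.0.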