API Gateway v2 custom domains should use secure TLS protocol versions (1.2 and above)¶
Description¶
The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS where possible. Versions prior to TLS 1.2 are deprecated and usage may pose security risks.
Remediation Steps¶
AWS Console¶
Navigate to API Gateway.
In the left navigation, select Custom Domain Names.
Select the domain name to update.
In Domain details, select Edit.
In Minimum TLS version, select TLS 1.2 (recommended).
Select Save.
AWS CLI¶
To update the API Gateway v2 custom domains to use secure TLS protocol versions (1.2 and above):
aws apigatewayv2 update-domain-name \
--domain-name <value> \
--domain-name-configurations SecurityPolicy=TLS_1_2
CloudFormation¶
JSON¶
Ensure that AWS::ApiGatewayV2::Api contains the following:
{
"Properties" : {
"Name" : "Example-api-v2",
"ProtocolType" : "HTTP",
"Version" : "1.2"
}
}
JSON Example Configuration¶
{
"Type" : "AWS::ApiGatewayV2::Api",
"Properties" : {
"Name" : "Example-api-v2",
"ProtocolType" : "HTTP",
"Version" : "1.2"
}
# other required fields here
}
YAML¶
Ensure that AWS::ApiGatewayV2::Api contains the following:
Properties:
Name: Example-api-v2
ProtocolType: HTTP
Version: '1.2'
YAML Example Configuration¶
Type: AWS::ApiGatewayV2::Api
Properties:
Name: Example-api-v2
ProtocolType: HTTP
Version: '1.2'
# other required fields here
Terraform¶
Ensure that the API Gateway V2
versionfield is set to 1.2 and above.version = "1.2"
Example¶
resource "aws_apigatewayv2_api" "example" {
name = "example-http-api"
protocol_type = "HTTP"
version = "1.2"
}