Ensure that the latest version of the Transport Layer Security (TLS) protocol is enforced for your Amazon API Gateway domains in order to follow security best practices and protect your APIs from exploits that target flaws in older TLS versions. The TLS protocol can be raised to the latest supported version through the security policy associated with each API Gateway domain. An API Gateway domain security policy is a predefined combination of two settings: the minimum TLS version that the API Gateway service accepts when communicating with API clients, and the cipher suite that API Gateway uses to encrypt the content it returns to API clients.
This rule can help you work with the AWS Well-Architected Framework.
The Transport Layer Security (TLS) protocol addresses network security problems such as tampering and eavesdropping between a client and a server. Using old, deprecated TLS protocol versions increases the opportunity for malicious activity such as Man-in-the-Middle (MITM) and protocol downgrade attacks. By updating the security policy associated with your Amazon API Gateway custom domains, you can disable older versions of the TLS protocol.
Audit
To determine the minimum TLS version configured for your Amazon API Gateway domains, perform the following actions:
Remediation / Resolution
To update the minimum Transport Layer Security (TLS) protocol version for your Amazon API Gateway custom domain names, perform the following actions:
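The following Python script is an added example covering both the Audit and the Remediation / Resolution steps above; it is not part of this rule page and not AWS or Trend Micro code. It works offline on a constructed sample shaped like the JSON returned by `aws apigateway get-domain-names` (an `items` list whose entries carry `domainName` and `securityPolicy`), flags every custom domain whose security policy is not `TLS_1_2`, and renders the `aws apigateway update-domain-name --patch-operations` command that raises the minimum TLS version. The domain names in the sample are constructed, and treating a domain with no `securityPolicy` field as a finding that needs review is a choice of this example, not documented API Gateway behaviour.

```python
"""Audit and remediate the minimum TLS version (security policy) of
Amazon API Gateway custom domains.

Added example, not AWS or Trend Micro code. It operates on the JSON shape
returned by `aws apigateway get-domain-names` and builds the
`--patch-operations` argument expected by `aws apigateway update-domain-name`.
"""
import json
from typing import Dict, List, Optional

# Security policy values accepted by API Gateway custom domains.
COMPLIANT_POLICY = "TLS_1_2"
DEPRECATED_POLICY = "TLS_1_0"

# Constructed sample mimicking `aws apigateway get-domain-names` output.
# Domain names are made up; this is not data from a real account.
SAMPLE_GET_DOMAIN_NAMES = {
    "items": [
        {"domainName": "api.example.com", "securityPolicy": "TLS_1_2",
         "endpointConfiguration": {"types": ["REGIONAL"]}},
        {"domainName": "legacy-api.example.com", "securityPolicy": "TLS_1_0",
         "endpointConfiguration": {"types": ["EDGE"]}},
        # No securityPolicy field at all: reported so that it gets reviewed
        # (an assumption of this example, not documented AWS behaviour).
        {"domainName": "old-edge.example.com",
         "endpointConfiguration": {"types": ["EDGE"]}},
    ]
}


def audit_domains(response: Dict) -> List[Dict[str, Optional[str]]]:
    """Return one finding per domain whose minimum TLS version is not TLS 1.2.

    `response` is the parsed output of `aws apigateway get-domain-names`
    (or boto3 `get_domain_names()`). A missing `securityPolicy` is reported
    with value None rather than silently treated as compliant.
    """
    findings = []
    for item in response.get("items", []):
        policy = item.get("securityPolicy")
        if policy != COMPLIANT_POLICY:
            findings.append({"domainName": item["domainName"],
                             "securityPolicy": policy})
    return findings


def build_patch_operations(target_policy: str = COMPLIANT_POLICY) -> List[Dict[str, str]]:
    """JSON patch document for `update-domain-name --patch-operations`."""
    return [{"op": "replace", "path": "/securityPolicy", "value": target_policy}]


def remediation_commands(findings: List[Dict[str, Optional[str]]]) -> List[str]:
    """Render the CLI command that raises each flagged domain to TLS 1.2.

    Uses the AWS CLI shorthand form of the patch operation, e.g.
    op=replace,path=/securityPolicy,value=TLS_1_2
    """
    op = build_patch_operations()[0]
    cli_op = ",".join(f"{k}={v}" for k, v in op.items())
    return [
        f"aws apigateway update-domain-name --domain-name {f['domainName']} "
        f"--patch-operations {cli_op}"
        for f in findings
    ]


if __name__ == "__main__":
    # In a real audit, replace SAMPLE_GET_DOMAIN_NAMES with:
    #   json.loads(subprocess.check_output(["aws", "apigateway", "get-domain-names"]))
    weak = audit_domains(SAMPLE_GET_DOMAIN_NAMES)
    print("Non-compliant domains:")
    print(json.dumps(weak, indent=2))
    print("Remediation commands:")
    for cmd in remediation_commands(weak):
        print(cmd)
```

Run the script as-is to see the two findings and their remediation commands; to audit a live account, feed it the real `get-domain-names` output and review each rendered `update-domain-name` command before executing it, since raising the policy rejects clients that can only negotiate TLS 1.0 or 1.1.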
References
- AWS Documentation
- Amazon API Gateway FAQs
- Choosing a minimum TLS version for a custom domain in API Gateway
- AWS Command Line Interface (CLI) Documentation
- apigateway
- get-domain-names
- get-domain-name
- update-domain-name