AWS Security ChangesHomeSearch

AWS serverless-application-model documentation change

Service: serverless-application-model · 2025-04-11 · Documentation medium

File: serverless-application-model/latest/developerguide/sam-property-api-domainconfiguration.md

Summary

Added support for PRIVATE endpoint configuration with DomainNameV2 resource, introduced Policy property for IAM policies on private endpoints, and clarified TLS 1.2 requirement for private endpoints

Security assessment

The changes document security-related configurations (IAM policies and TLS 1.2 enforcement) for private API Gateway endpoints, but there's no evidence of addressing a specific security vulnerability

Diff

diff --git a/serverless-application-model/latest/developerguide/sam-property-api-domainconfiguration.md b/serverless-application-model/latest/developerguide/sam-property-api-domainconfiguration.md
index 4921cc3a1..a79286725 100644
--- a//serverless-application-model/latest/developerguide/sam-property-api-domainconfiguration.md
+++ b//serverless-application-model/latest/developerguide/sam-property-api-domainconfiguration.md
@@ -24,0 +25 @@ To declare this entity in your AWS Serverless Application Model (AWS SAM) templa
+      Policy: Json
@@ -68 +69 @@ _Required_ : Yes
-_AWS CloudFormation compatibility_ : This property is similar to the `[CertificateArn](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html#cfn-apigateway-domainname-certificatearn)` property of an `AWS::ApiGateway::DomainName` resource. If `EndpointConfiguration` is set to `REGIONAL` (the default value), `CertificateArn` maps to [RegionalCertificateArn](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html#cfn-apigateway-domainname-regionalcertificatearn) in `AWS::ApiGateway::DomainName`. If the `EndpointConfiguration` is set to `EDGE`, `CertificateArn` maps to [CertificateArn](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html#cfn-apigateway-domainname-certificatearn) in `AWS::ApiGateway::DomainName`.
+_AWS CloudFormation compatibility_ : This property is similar to the `[CertificateArn](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html#cfn-apigateway-domainname-certificatearn)` property of an `AWS::ApiGateway::DomainName` resource. If `EndpointConfiguration` is set to `REGIONAL` (the default value), `CertificateArn` maps to [RegionalCertificateArn](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html#cfn-apigateway-domainname-regionalcertificatearn) in `AWS::ApiGateway::DomainName`. If the `EndpointConfiguration` is set to `EDGE`, `CertificateArn` maps to [CertificateArn](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html#cfn-apigateway-domainname-certificatearn) in `AWS::ApiGateway::DomainName`. If `EndpointConfiguration` is set to `PRIVATE`, this property is passed to the [AWS::ApiGateway::DomainNameV2](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainnamev2) resource.
@@ -83 +84 @@ _Required_ : Yes
-_AWS CloudFormation compatibility_ : This property is passed directly to the `[DomainName](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html#cfn-apigateway-domainname-domainname)` property of an `AWS::ApiGateway::DomainName` resource.
+_AWS CloudFormation compatibility_ : This property is passed directly to the `[DomainName](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html#cfn-apigateway-domainname-domainname)` property of an `AWS::ApiGateway::DomainName` resource, or to [`AWS::ApiGateway::DomainNameV2`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainnamev2) when EndpointConfiguration is set to `PRIVATE`.
@@ -121,0 +123,11 @@ _AWS CloudFormation compatibility_ : This property is passed directly to the `[O
+`Policy`
+    
+
+The IAM policy to attach to the API Gateway domain name. Only applicable when `EndpointConfiguration` is set to `PRIVATE`.
+
+_Type_ : Json
+
+_Required_ : No
+
+_AWS CloudFormation compatibility_ : This property is passed directly to the `Policy` property of an `AWS::ApiGateway::DomainNameV2` resource when `EndpointConfiguration` is set to `PRIVATE`. For examples of valid policy documents, see [AWS::ApiGateway::DomainNameV2](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainnamev2).
+
@@ -142 +154 @@ _Required_ : No
-_AWS CloudFormation compatibility_ : This property is passed directly to the `[SecurityPolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html#cfn-apigateway-domainname-securitypolicy)` property of an `AWS::ApiGateway::DomainName` resource.
+_AWS CloudFormation compatibility_ : This property is passed directly to the `[SecurityPolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html#cfn-apigateway-domainname-securitypolicy)` property of an `AWS::ApiGateway::DomainName` resource, or to [`AWS::ApiGateway::DomainNameV2`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainnamev2) when `EndpointConfiguration` is set to `PRIVATE`. For `PRIVATE` endpoints, only TLS_1_2 is supported.