AWS Security ChangesHomeSearch

AWS serverless-application-model medium security documentation change

Service: serverless-application-model · 2025-05-10 · Security-related medium

File: serverless-application-model/latest/developerguide/sam-resource-api.md

Summary

Removed 'Policy' property documentation and a detailed example of private API configuration with VPC endpoint security policies

Security assessment

Removal of security policy documentation and example configuration that enforced VPC endpoint restrictions. This could lead to insecure API configurations if users lose guidance on implementing proper access controls. The deleted example contained explicit security policies with Deny conditions based on VPC endpoints.

Diff

diff --git a/serverless-application-model/latest/developerguide/sam-resource-api.md b/serverless-application-model/latest/developerguide/sam-resource-api.md
index 8281a7dec..cf742cb54 100644
--- a//serverless-application-model/latest/developerguide/sam-resource-api.md
+++ b//serverless-application-model/latest/developerguide/sam-resource-api.md
@@ -59 +58,0 @@ To declare this entity in your AWS Serverless Application Model (AWS SAM) templa
-      Policy: JSON
@@ -369,11 +367,0 @@ _AWS CloudFormation compatibility_ : This property is unique to AWS SAM and does
-`Policy`
-    
-
-A policy document that contains the permissions for the API. To set the ARN for the policy, use the `!Join` intrinsic function with `""` as delimiter and values of `"execute-api:/"` and `"*"`.
-
-_Type_ : JSON
-
-_Required_ : No
-
-_AWS CloudFormation compatibility_ : This property is passed directly to the [ Policy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-restapi.html#cfn-apigateway-restapi-policy) property of an `AWS::ApiGateway::RestApi` resource.
-
@@ -605,93 +592,0 @@ A Hello World AWS SAM template file that contains a Lambda Function with an API
-### Custom domain with a private API example
-
-A Hello World AWS SAM template file that contains a Lambda function with an API endpoint mapped to a private domain. The template creates a domain access association between a VPC endpoint and the private domain. For more information, see [Custom domain names for private APIs in API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-custom-domains.html).
-
-#### YAML
-    
-    
-    AWSTemplateFormatVersion: '2010-09-09'
-    Transform: AWS::Serverless-2016-10-31
-    Description: AWS SAM template configured with a custom domain using a private API
-    
-    Parameters:
-        DomainName:
-          Type: String
-          Default: mydomain.example.com
-        CertificateArn:
-          Type: String
-        HostedZoneId:
-          Type: String
-        VpcEndpointId:
-          Type: String
-        VpcEndpointDomainName:
-          Type: String
-        VpcEndpointHostedZoneId:
-          Type: String
-    
-    Resources:
-      MyFunction:
-        Type: AWS::Serverless::Function
-        Properties:
-          InlineCode: |
-            def handler(event, context):
-                return {'body': 'Hello World!', 'statusCode': 200}
-          Handler: index.handler
-          Runtime: python3.13
-          Events:
-            Fetch:
-              Type: Api
-              Properties:
-                RestApiId:
-                  Ref: MyApi
-                Method: Get
-                Path: /get
-      MyApi:
-        Type: AWS::Serverless::Api
-        Properties:
-          StageName: Prod
-          EndpointConfiguration:
-            Type: PRIVATE
-            VPCEndpointIds:
-            - !Ref VpcEndpointId
-          Policy:
-            Version: '2012-10-17'
-            Statement:
-            - Effect: Allow
-              Principal: '*'
-              Action: execute-api:Invoke
-              Resource: execute-api:/*
-            - Effect: Deny
-              Principal: '*'
-              Action: execute-api:Invoke
-              Resource: execute-api:/*
-              Condition:
-                StringNotEquals:
-                  aws:SourceVpce: !Ref VpcEndpointId
-          Domain:
-            DomainName: !Ref DomainName
-            CertificateArn: !Ref CertificateArn
-            EndpointConfiguration: PRIVATE
-            BasePath:
-            - /
-            Route53:
-              HostedZoneId: !Ref HostedZoneId
-              VpcEndpointDomainName: !Ref VpcEndpointDomainName
-              VpcEndpointHostedZoneId: !Ref VpcEndpointHostedZoneId
-            AccessAssociation:
-              VpcEndpointId: !Ref VpcEndpointId
-            Policy:
-              Version: '2012-10-17'
-              Statement:
-              - Effect: Allow
-                Principal: '*'
-                Action: execute-api:Invoke
-                Resource: execute-api:/*
-              - Effect: Deny
-                Principal: '*'
-                Action: execute-api:Invoke
-                Resource: execute-api:/*
-                Condition:
-                  StringNotEquals:
-                    aws:SourceVpce: !Ref VpcEndpointId
-    
-