AWS Security ChangesHomeSearch

AWS appsync medium security documentation change

Service: appsync · 2025-05-25 · Security-related medium

File: appsync/latest/devguide/custom-domain-name.md

Summary

Clarified certificate requirements for custom domain names to explicitly require public/imported ACM certificates in us-east-1

Security assessment

Explicitly requiring public/imported ACM certificates prevents potential misconfigurations where private/invalid certificates might be used, which could lead to TLS validation failures or man-in-the-middle attacks. This addresses a security best practice for certificate management.

Diff

diff --git a/appsync/latest/devguide/custom-domain-name.md b/appsync/latest/devguide/custom-domain-name.md
index df343905a..3a2439ebb 100644
--- a//appsync/latest/devguide/custom-domain-name.md
+++ b//appsync/latest/devguide/custom-domain-name.md
@@ -76,6 +76 @@ AWS AppSync supports custom domain names by leveraging Server Name Indication (S
-To set up a custom domain name as the API's hostname, the API owner must provide an SSL/TLS certificate for the custom domain name. To provide a certificate, do one of the following:
-
-  * Request a new certificate in ACM, or import a certificate issued by a third-party certificate authority into ACM in the `us-east-1` AWS Region (US East (N. Virginia)). For more information about ACM, see [What is AWS Certificate Manager?](https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html) in the _AWS Certificate Manager User Guide_.
-
-
-
+To set up a custom domain name as the API's hostname, the API owner must provide a public or imported ACM certificate in the `us-east-1` _AWS Region (US East (N. Virginia))_ that covers the custom domain name. For more information about ACM, see [What is AWS Certificate Manager?](https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html) in the _AWS Certificate Manager User Guide_.