AWS Security ChangesHomeSearch

AWS AWSCloudFormation documentation change

Service: AWSCloudFormation · 2025-06-07 · Documentation medium

File: AWSCloudFormation/latest/TemplateReference/aws-resource-apigateway-domainnamev2.md

Summary

Added private domain example with ROUTING_RULE_ONLY mode and VPC endpoint access control policy

Security assessment

The example includes a resource policy with explicit VPC endpoint restrictions (aws:SourceVpce condition) and TLS 1.2, demonstrating security controls. However, this appears to be standard feature documentation rather than addressing a specific security issue.

Diff

diff --git a/AWSCloudFormation/latest/TemplateReference/aws-resource-apigateway-domainnamev2.md b/AWSCloudFormation/latest/TemplateReference/aws-resource-apigateway-domainnamev2.md
index ca6c0e526..52990a8d1 100644
--- a//AWSCloudFormation/latest/TemplateReference/aws-resource-apigateway-domainnamev2.md
+++ b//AWSCloudFormation/latest/TemplateReference/aws-resource-apigateway-domainnamev2.md
@@ -154,0 +155,9 @@ The domain name ID.
+###### 
+
+  * Private custom domain name example
+
+  * Private custom domain name example with routing mode
+
+
+
+
@@ -205,0 +215,53 @@ The following example creates a `DomainNameV2` resource named `MyDomainName`.
+### Private custom domain name example with routing mode
+
+The following example creates a `DomainNameV2` resource named `MyDomainName` with a RoutingMode of `ROUTING_RULE_ONLY`.
+
+#### JSON
+    
+    
+    {
+      "MyDomainName": {
+        "Type": "AWS::ApiGateway::DomainNameV2",
+        "Properties": {
+          "DomainName": "private.example.com",
+          "CertificateArn": "arn:aws:acm:us-west-2:123456789:certificate/abcd-000-1234-0000-000000abcd",
+          "EndpointConfiguration": {
+            "Types": [
+              "PRIVATE"
+            ]
+          },
+          "SecurityPolicy": "TLS_1_2",
+          "Policy": "{\n\"Version\": \"2012-10-17\",\n\"Statement\": [\n{\n\"Effect\": \"Allow\",\n\"Principal\": \"*\",\n\"Action\": \"execute-api:Invoke\",\n\"Resource\": [\n\"execute-api:/*\"\n]\n},\n {\n\"Effect\": \"Deny\",\n\"Principal\": \"*\",\n\"Action\": \"execute-api:Invoke\",\n\"Resource\": [\n\"execute-api:/*\"\n],\n\"Condition\" : {\n\"StringNotEquals\": {\n\"aws:SourceVpce\": \"vpce-abcd1234efg\"\n}\n}\n}\n]\n}",
+          "RoutingMode": "ROUTING_RULE_ONLY"
+        }
+      }
+    }
+
+#### YAML
+    
+    
+    MyDomainName:
+        Type: AWS::ApiGateway::DomainNameV2
+        Properties:
+          DomainName: private.example.com
+          CertificateArn: arn:aws:acm:us-west-2:123456789:certificate/abcd-000-1234-0000-000000abcd
+          EndpointConfiguration:
+            Types:
+              - PRIVATE
+          SecurityPolicy: "TLS_1_2"
+          Policy:
+            Statement:
+                - Action: 'execute-api:Invoke'
+                  Effect: Allow
+                  Principal: '*'
+                  Resource: 'execute-api:/*'
+                - Action: 'execute-api:Invoke'
+                  Condition:
+                    StringNotEquals:
+                      'aws:SourceVpce': !Ref EndpointID
+                  Effect: Deny
+                  Principal: '*'
+                  Resource: 'execute-api:/*'
+            Version: 2012-10-17
+          RoutingMode: ROUTING_RULE_ONLY
+