AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2026-02-25 · Documentation medium

File: securityhub/latest/userguide/apigateway-controls.md

Summary

Removed control APIGateway.10 which required API Gateway V2 integrations to use HTTPS for private connections

Security assessment

The removal of a security control documentation doesn't indicate a specific security vulnerability. While the control enforced HTTPS for private connections, its removal appears to be a documentation update rather than addressing an incident. No evidence of a security issue is provided in the diff.

Diff

diff --git a/securityhub/latest/userguide/apigateway-controls.md b/securityhub/latest/userguide/apigateway-controls.md
index a92a13ba2..a0e4e4247 100644
--- a//securityhub/latest/userguide/apigateway-controls.md
+++ b//securityhub/latest/userguide/apigateway-controls.md
@@ -5 +5 @@
-[APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication[APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled[APIGateway.4] API Gateway should be associated with a WAF Web ACL[APIGateway.5] API Gateway REST API cache data should be encrypted at rest[APIGateway.8] API Gateway routes should specify an authorization type[APIGateway.9] Access logging should be configured for API Gateway V2 Stages[APIGateway.10] API Gateway V2 integrations should use HTTPS for private connections 
+[APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication[APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled[APIGateway.4] API Gateway should be associated with a WAF Web ACL[APIGateway.5] API Gateway REST API cache data should be encrypted at rest[APIGateway.8] API Gateway routes should specify an authorization type[APIGateway.9] Access logging should be configured for API Gateway V2 Stages
@@ -191,22 +190,0 @@ To set up access logging, see [Set up CloudWatch API logging using the API Gatew
-## [APIGateway.10] API Gateway V2 integrations should use HTTPS for private connections 
-
-**Category:** Protect > Data Protection > Encryption of data-in-transit
-
-**Severity:** Medium
-
-**Resource type:** `AWS::ApiGatewayV2::Integration`
-
-**AWS Config rule:** [apigatewayv2-integration-private-https-enabled](https://docs.aws.amazon.com/config/latest/developerguide/apigatewayv2-integration-private-https-enabled.html)
-
-**Schedule type:** Change triggered
-
-**Parameters:** None
-
-This control checks whether an API Gateway V2 integration has HTTPS enabled for private connections. The control fails if a private connection doesn't have TLS configured.
-
-VPC Links connect API Gateway to private resources. While VPC Links create private connectivity, they don't inherently encrypt data. Configuring TLS ensures use of HTTPS for end-to-end encryption from client through API Gateway to backend. Without TLS, sensitive API traffic flows unencrypted across private connections. HTTPS encryption protects the traffic through private connections from data interception, man-in-the-middle attacks and credential exposure. 
-
-### Remediation
-
-To enable encryption in transit for private connections in an API Gateway v2 Integration, see [Update a private integration](https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-private-integration.html#set-up-private-integration-update) in the _Amazon API Gateway Developer Guide_. Configure [TLS configuration](https://docs.aws.amazon.com/apigatewayv2/latest/api-reference/apis-apiid-integrations-integrationid.html#apis-apiid-integrations-integrationid-model-tlsconfig) so that the private integration uses HTTPS protocol.
-