AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2026-04-10 · Documentation medium

File: securityhub/latest/userguide/apigateway-controls.md

Summary

Added new security control [APIGateway.11] requiring API Gateway domain names to use recommended TLS security policies

Security assessment

Adds a new security control that enforces modern TLS configurations for API Gateway domain names to protect against tampering and eavesdropping. This is a proactive security measure documenting a new compliance control, not addressing a specific reported vulnerability.

Diff

diff --git a/securityhub/latest/userguide/apigateway-controls.md b/securityhub/latest/userguide/apigateway-controls.md
index cd39d259c..22fac3056 100644
--- a//securityhub/latest/userguide/apigateway-controls.md
+++ b//securityhub/latest/userguide/apigateway-controls.md
@@ -5 +5 @@
-[APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication[APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled[APIGateway.4] API Gateway should be associated with a WAF Web ACL[APIGateway.5] API Gateway REST API cache data should be encrypted at rest[APIGateway.8] API Gateway routes should specify an authorization type[APIGateway.9] Access logging should be configured for API Gateway V2 Stages[APIGateway.10] API Gateway V2 integrations should use HTTPS for private connections
+[APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication[APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled[APIGateway.4] API Gateway should be associated with a WAF Web ACL[APIGateway.5] API Gateway REST API cache data should be encrypted at rest[APIGateway.8] API Gateway routes should specify an authorization type[APIGateway.9] Access logging should be configured for API Gateway V2 Stages[APIGateway.10] API Gateway V2 integrations should use HTTPS for private connections[APIGateway.11] API Gateway domain names should use recommended security policies
@@ -212,0 +213,27 @@ To enable encryption in transit for private connections in an API Gateway v2 Int
+## [APIGateway.11] API Gateway domain names should use recommended security policies
+
+**Category:** Protect > Encryption of data-in-transit
+
+**Severity:** Medium
+
+**Resource type:** `AWS::ApiGateway::DomainName`
+
+**AWS Config rule:** [apigateway-domain-name-tls-check](https://docs.aws.amazon.com/config/latest/developerguide/apigateway-domain-name-tls-check.html)
+
+**Schedule type:** Change triggered
+
+**Parameters:**
+
+  * `allowedSecurityPolicies`: `SecurityPolicy_TLS13_1_3_2025_09, SecurityPolicy_TLS13_1_3_FIPS_2025_09, SecurityPolicy_TLS13_1_2_PFS_PQ_2025_09, SecurityPolicy_TLS13_2025_EDGE, SecurityPolicy_TLS12_PFS_2025_EDGE` (not customizable)
+
+
+
+
+This control checks whether an API Gateway domain name is configured to encrypt data in transit by using a recommended security policy. The control fails if the API Gateway domain name isn't configured to use a recommended security policy.
+
+A security policy is a predefined combination of minimum TLS version and cipher suites offered by API Gateway. When your clients establish a TLS handshake to your API or custom domain name, the security policy enforces the TLS version and cipher suite accepted by API Gateway. Security policies protect your APIs and custom domain names from network security problems such as tampering and eavesdropping between a client and server. Using a recommended security policy helps ensure that API Gateway domain names use modern, secure TLS configurations that protect data in transit between clients and your API.
+
+### Remediation
+
+To update the TLS security policy for an API Gateway domain name, see [How to change a security policy](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-security-policies-update.html) in the _Amazon API Gateway Developer Guide_.
+