AWS Security ChangesHomeSearch

AWS serverless-application-model documentation change

Service: serverless-application-model · 2026-04-22 · Documentation medium

File: serverless-application-model/latest/developerguide/sam-resource-api.md

Summary

Added EndpointAccessMode and SecurityPolicy properties for REST API configuration, with SecurityPolicy specifying TLS version plus cipher suite

Security assessment

This change adds documentation for two new security-related properties: SecurityPolicy (for TLS/cipher suite configuration) and EndpointAccessMode (required for enhanced security policies). This enhances security documentation but doesn't indicate remediation of a specific security issue.

Diff

diff --git a/serverless-application-model/latest/developerguide/sam-resource-api.md b/serverless-application-model/latest/developerguide/sam-resource-api.md
index 01cf80ba0..b1a64c315 100644
--- a//serverless-application-model/latest/developerguide/sam-resource-api.md
+++ b//serverless-application-model/latest/developerguide/sam-resource-api.md
@@ -49,0 +50 @@ To declare this entity in your AWS Serverless Application Model (AWS SAM) templa
+      EndpointAccessMode: String
@@ -61,0 +63 @@ To declare this entity in your AWS Serverless Application Model (AWS SAM) templa
+      SecurityPolicy: String
@@ -248,0 +251,13 @@ _CloudFormation compatibility_ : This property is similar to the `[EndpointConfi
+`EndpointAccessMode`
+    
+
+The access mode for the REST API endpoint. Required when using enhanced security policies (those prefixed with `SecurityPolicy_`).
+
+_Valid values_ : `STRICT` or `BASIC`
+
+_Type_ : String
+
+_Required_ : No
+
+_CloudFormation compatibility_ : This property is passed directly to the `[EndpointAccessMode](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-restapi.html#cfn-apigateway-restapi-endpointaccessmode)` property of an `AWS::ApiGateway::RestApi` resource.
+
@@ -381,0 +397,11 @@ _CloudFormation compatibility_ : This property is passed directly to the [ Polic
+`SecurityPolicy`
+    
+
+The TLS version plus cipher suite for the REST API. When using enhanced security policies (those prefixed with `SecurityPolicy>`), you must also set the`EndpointAccessMode`.
+
+_Type_ : String
+
+_Required_ : No
+
+_CloudFormation compatibility_ : This property is passed directly to the `[SecurityPolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-restapi.html#cfn-apigateway-restapi-securitypolicy)` property of an `AWS::ApiGateway::RestApi` resource.
+