AWS Security ChangesHomeSearch

AWS apigateway high security documentation change

Service: apigateway · 2026-06-16 · Security-related high

File: apigateway/latest/developerguide/apigateway-security-policies-update.md

Summary

Corrected documentation about TLS policy precedence for custom domains

Security assessment

Fixed critical documentation error that incorrectly stated API security policies override custom domain TLS settings. Prevents potential misconfiguration where strong custom domain TLS policies could be unintentionally overridden.

Diff

diff --git a/apigateway/latest/developerguide/apigateway-security-policies-update.md b/apigateway/latest/developerguide/apigateway-security-policies-update.md
index 3f7b3a46d..828e42dcd 100644
--- a//apigateway/latest/developerguide/apigateway-security-policies-update.md
+++ b//apigateway/latest/developerguide/apigateway-security-policies-update.md
@@ -9 +9 @@
-You can change the security policy for your API. If you are sending traffic to your APIs through your custom domain name, the API and the custom domain name don't need to have the same security policy. When you invoke that custom domain name, API Gateway uses the security policy of the API to negotiate the TLS handshake. However, for consistency, we recommend that you use the same security policy for your custom domain name and API.
+You can change the security policy for your API. If you are sending traffic to your APIs through your custom domain name, the API and the custom domain name don't need to have the same security policy. When you invoke that custom domain name, API Gateway uses the security policy of the custom domain to negotiate the TLS handshake. However, for consistency, we recommend that you use the same security policy for your custom domain name and API.