AWS Security ChangesHomeSearch

AWS apigateway medium security documentation change

Service: apigateway · 2026-06-16 · Security-related medium

File: apigateway/latest/developerguide/apigateway-security-policies.md

Summary

Corrected documentation about TLS handshake behavior when using custom domain names

Security assessment

Clarifies that custom domain security policies control TLS handshakes instead of API policies. This prevents misconfiguration risks where customers might incorrectly assume API policies govern TLS, potentially leading to weaker-than-intended TLS configurations.

Diff

diff --git a/apigateway/latest/developerguide/apigateway-security-policies.md b/apigateway/latest/developerguide/apigateway-security-policies.md
index 8b1c374c5..dd5c609a9 100644
--- a//apigateway/latest/developerguide/apigateway-security-policies.md
+++ b//apigateway/latest/developerguide/apigateway-security-policies.md
@@ -76 +76 @@ The following are considerations for security policies for REST APIs in API Gate
-  * Your API can be mapped to a custom domain name with a different security policy than your API. When you invoke that custom domain name, API Gateway uses the security policy of the API to negotiate the TLS handshake. If you disable your default API endpoint, this might affect how callers can invoke your API.
+  * Your API can be mapped to a custom domain name with a different security policy than your API. When you invoke that custom domain name, API Gateway uses the security policy of the custom domain to negotiate the TLS handshake. If you disable your default API endpoint, this might affect how callers can invoke your API.