API Gateway domain name uses outdated SSL/TLS protocols.
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Impact
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Use the most modern TLS/SSL policies available
resource "aws_api_gateway_domain_name" "good_example" {
  security_policy      = "SecurityPolicy_TLS13_1_2_PFS_PQ_2025_09"
  endpoint_access_mode = "STRICT"
  endpoint_configuration {
    types = ["REGIONAL"]
  }
}
resource "aws_api_gateway_domain_name" "good_example" {
  security_policy      = "SecurityPolicy_TLS12_PFS_2025_EDGE"
  endpoint_access_mode = "STRICT"
  endpoint_configuration {
    types = ["EDGE"]
  }
}
Links