
How do I use a CloudFront cipher security policy to secure my API Gateway alternate domain name?


I want to use a cipher security policy to provide additional security for my Amazon API Gateway alternate domain name with an Amazon CloudFront distribution.

Short description

CloudFront supports security protocols and ciphers to make sure that there's secure communication between your viewers or clients and the CloudFront edge locations. CloudFront uses protocols and ciphers based on the security policy that you select for your CloudFront distribution. The security policies in CloudFront are predefined, and you can't add or remove individual ciphers from these policies.

Note: It's a best practice to use the most secure security policy available such as TLSv1.2_2021. CloudFront uses the s2n-tls implementation for TLS. CloudFront supports TLS versions 1.0, 1.1, 1.2, and 1.3. For more information, see What security protocols and ciphers does CloudFront support?

Resolution

To create a CloudFront distribution and add your alternate (custom) domain name, take the following actions. This configuration ensures that all API requests to your alternate domain name route through a CloudFront distribution with a cipher suite policy.

Request or import an ACM certificate

Use the AWS Certificate Manager (ACM) console to request a public certificate, or import an existing certificate, for your alternate domain name.

Create a CloudFront distribution

Complete the following steps:

  1. Open the CloudFront console.
  2. In the navigation pane, choose Distributions, and then choose Create distribution.
  3. For Choose a plan, select a plan for your distribution, and then choose Next.
  4. For Distribution name, enter a name for your distribution.
  5. For Distribution type, choose Single website or app, and then choose Next.
  6. For Origin type, choose API Gateway.
  7. For API Gateway origin, choose Browse APIs, and then select your API Gateway invoke URL. For example, api-id.execute-api.region.amazonaws.com.
  8. Choose the APIGATEWAY Version dropdown list, and choose REST API.
  9. For API name, select your API name, and then choose Choose.
  10. Choose Next.
  11. For Web Application Firewall (WAF), choose Do not enable security protections, and then choose Next.
  12. Choose Create distribution.

Add an alternate domain name

Complete the following steps:

  1. Open the CloudFront console.
  2. In the navigation pane, choose Distributions.
  3. Select your distribution that you created in the previous step.
  4. Choose the General tab, and then for Alternate domain names, choose Add domain.
  5. For Domains, enter the domain name served by your distribution, and then choose Next.
  6. For TLS certificate, select your ACM certificate that you created in the previous step, and then choose Next.
  7. On the Review changes page, choose Add domains.

Create a Route 53 alias record

Complete the following steps:

  1. Open the Route 53 console.
  2. In the navigation pane, choose Hosted zones.
  3. For Hosted zone names, select the hosted zone name of your distribution.
  4. For Records, choose Create record.
  5. For Record name, enter the record name of your distribution.
  6. For Alias, turn on the toggle.
  7. For Route traffic to, choose Alias to CloudFront distribution.
  8. In the Choose distribution search bar, enter your distribution name.
  9. For Routing policy, choose Simple routing.
  10. Choose Create records. The Status changes from PENDING to INSYNC.

(Optional) Update the CloudFront distribution cipher security policy

Complete the following steps:

  1. Open the CloudFront console.
  2. In the navigation pane, choose Distributions.
  3. Select your distribution that you created in the Create a CloudFront distribution section.
  4. Choose the General tab, and then choose Edit.
  5. For Security policy, select your preferred SSL/TLS protocol and ciphers.
    Note: By default, TLS version 1.3 is enabled on all CloudFront distributions.
  6. Choose Save changes.

Note: You can also use the API Gateway console to change your custom domain name's security policy.
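To confirm the result outside the console, the following added example (not part of the original article) audits the ViewerCertificate and Aliases fields of a distribution config, as returned by `aws cloudfront get-distribution-config`, against a required security policy, and probes the alternate domain with a client pinned to one TLS version. The sample config, domain name and certificate ARN are constructed placeholders.

```python
"""Audit a CloudFront distribution's viewer TLS settings and probe the alternate domain."""
import json
import socket
import ssl

# CloudFront predefined security policies, weakest to strongest, using the
# MinimumProtocolVersion names from DistributionConfig.
POLICY_ORDER = ["SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016",
                "TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021"]

# Constructed sample shaped like the relevant fields of a distribution config;
# the domain and ARN are placeholders, not a real distribution.
SAMPLE_CONFIG = json.loads("""{
  "Aliases": {"Quantity": 1, "Items": ["api.example.com"]},
  "ViewerCertificate": {
    "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER",
    "SSLSupportMethod": "sni-only",
    "MinimumProtocolVersion": "TLSv1_2016",
    "CloudFrontDefaultCertificate": false
  }
}""")


def audit_viewer_tls(config, required="TLSv1.2_2021"):
    """Return a list of findings; an empty list means the config meets the policy."""
    findings = []
    aliases = config.get("Aliases", {}).get("Items", [])
    cert = config.get("ViewerCertificate", {})
    if aliases and cert.get("CloudFrontDefaultCertificate"):
        findings.append("alternate domain served with the default *.cloudfront.net certificate")
    if aliases and not cert.get("ACMCertificateArn"):
        findings.append("no ACM certificate attached for the alternate domain names")
    current = cert.get("MinimumProtocolVersion", "TLSv1")  # TLSv1 is the default-cert policy
    if POLICY_ORDER.index(current) < POLICY_ORDER.index(required):
        findings.append(f"security policy {current} is weaker than {required}")
    return findings


def probe_tls_version(host, version, port=443, timeout=5):
    """True if the edge completes a handshake with the client pinned to one TLS version.
    Caveat: a modern OpenSSL may itself refuse TLS 1.0/1.1, so False for those
    versions is not on its own proof that the distribution rejects them."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    print(audit_viewer_tls(SAMPLE_CONFIG))
    # Against a live TLSv1.2_2021 distribution, expect False for TLSv1/TLSv1_1 and True for TLSv1_2/TLSv1_3:
    # for v in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3): print(v.name, probe_tls_version("api.example.com", v))
```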

Troubleshoot issues

If you receive DNS resolution or SSL certificate mismatch errors, then check your configuration requirements. For more information, see How do I resolve DNS resolution or SSL certificate mismatch errors for my Amazon API Gateway custom domain name?

If you receive certificate expired or "invalid certificate" errors, then check your ACM configuration. For more information, see How can I resolve certificate expired or "invalid certificate" errors when invoking an API Gateway API using a custom domain name?

If the wrong certificate was returned, then see Why was the wrong certificate returned when invoking my API Gateway custom domain name?

To troubleshoot certificate errors with backend integration, see How do I troubleshoot API Gateway SSL certificate errors with backend integration?

Related information

Securing Amazon API Gateway with secure ciphers using Amazon CloudFront