AWS API endpoint still supports TLS 1.0 & 1.1?

1

Using API Gateway, I have an API endpoint which is used in our application for various purposes. We are not using a custom domain name for this API and use POST and OPTIONS requests to trigger a Lambda function that returns the response sent back to the user through the API. The API endpoint is regional. My company's cybersecurity team found that this endpoint allowed TLS 1.0 and 1.1 and mandated that we update the API to raise the minimum support to TLS 1.2. Running nmap and sslscan can be used to verify that this is indeed true: sslscan results for the API endpoint.

https://aws.amazon.com/blogs/security/tls-1-2-required-for-aws-endpoints/ shows that the 1.0 and 1.1 protocols should have been deprecated after 06/28/2023, yet they are still showing up from our scans. Has AWS extended the deadline to deprecate these? What changes can I make to ensure that the API endpoint only allows TLS 1.2 and above? I have browsed through all the API settings but I can't seem to find anything to control this. Most of the related material I could find online was for custom domain name APIs, which we do not intend to use, and the customer solution is deployed and running and changes cannot be made. At the bare minimum, I want to make sure that my team is complying with cybersecurity's mandate of only supporting TLS 1.2 or above protocols ASAP.

2 Answers
0

Hi, I would say it depends. Not all the AWS endpoints were not affected by https://docs.aws.amazon.com/cognito/latest/developerguide/infrastructure-security.html, https://aws.amazon.com/jp/blogs/security/tls-1-2-required-for-aws-endpoints/ since July 2023. For example Cognito: E-x: Cognito

But it worked for AWS Secrets Manager; it was updated and uses 1.2 and 1.3 only. example

FIPS endpoints can be used to be sure that TLS 1.2 is in use: example

At any rate, it can be worked around with CloudFront (https://aws.amazon.com/blogs/security/protect-public-clients-for-amazon-cognito-by-using-an-amazon-cloudfront-proxy/), as CloudFront has an option to enforce security https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html and uses TLS v1.2.

answered 3 months ago
-1

Have a look at this answer (the one highlighted in blue, with upvotes) https://repost.aws/questions/QUyfwlTpWySFKSl3HDZMc4Fg/end-of-support-of-tls1-0-1-1-for-api-gateway-endpoints-with-aws-domains#ANDJ43fZ59Sim--kj6LMiLAA

The deprecation of TLS 1.0 and 1.1 is only for AWS endpoints .... AWS is not deprecating the use of TLS 1.0 and 1.1 on customer-created endpoints - that is: your endpoints that you have created in API Gateway .... in this case your API endpoints in API Gateway will continue to operate past June 2023.

I agree that the blog post that you linked to is very easy to misunderstand on this point.

EXPERT
Steve_M
answered 5 months ago
EXPERT
reviewed 5 months ago
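
The scan check the question describes can be scripted so that a TLS 1.0/1.1 finding fails an audit or pipeline job. This is an added example, not code from the thread or from AWS; it assumes the protocol table layout printed by sslscan 2.x, and the sample output and host name are constructed.

```python
import re

# Protocol names as sslscan 2.x prints them, ordered weakest to strongest.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

ANSI_ESCAPE = re.compile(r"\x1b\[[0-9;]*m")  # sslscan colours its output
PROTOCOL_LINE = re.compile(r"^\s*(SSLv[23]|TLSv1\.[0-3])\s+(enabled|disabled)\s*$")


def parse_protocols(scan_text):
    """Return {protocol: enabled?} from the 'SSL/TLS Protocols' section."""
    states = {}
    for raw in scan_text.splitlines():
        match = PROTOCOL_LINE.match(ANSI_ESCAPE.sub("", raw))
        if match:
            states[match.group(1)] = match.group(2) == "enabled"
    return states


def weak_protocols(scan_text, minimum="TLSv1.2"):
    """List enabled protocols older than `minimum`, weakest first."""
    states = parse_protocols(scan_text)
    if not states:
        # An empty parse must not be mistaken for a clean result.
        raise ValueError("no protocol lines found in scan output")
    floor = PROTOCOL_ORDER.index(minimum)
    return [p for p in PROTOCOL_ORDER[:floor] if states.get(p, False)]


# Constructed sample output (not a real scan); the host name is a placeholder.
SAMPLE_SCAN = """\
Testing SSL server api.example.invalid on port 443 using SNI name api.example.invalid

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
\x1b[33mTLSv1.0   enabled\x1b[0m
\x1b[33mTLSv1.1   enabled\x1b[0m
TLSv1.2   enabled
TLSv1.3   disabled
"""

if __name__ == "__main__":
    found = weak_protocols(SAMPLE_SCAN)
    print("below TLS 1.2:", ", ".join(found) if found else "none")
```

Re-running the same check after any change (for example, scanning a CloudFront distribution placed in front of the API) shows whether the older protocols are still negotiable at the address clients actually use.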
