AWS API endpoint still supports TLS 1.0 & 1.1?

0

Using API Gateway, I have an API endpoint which is used in our application for various purposes. We are not using a custom domain name for this API and use POST and OPTIONS request to trigger a Lambda function that returns the response sent back to the user through the API. The API endpoint is regional. My company's cybersecurity team found that this endpoint allowed TLS 1.0 and 1.1 and mandated that we updated the API to raise the minimum support to TLS 1.2. Running nmap and sslscan can be used to verify that this is indeed true: sslscan results for the API endpoint.

https://aws.amazon.com/blogs/security/tls-1-2-required-for-aws-endpoints/ shows that the 1.0 and 1.1 protocols should have been deprecated after 06/28/2023, yet they are still showing up from our scans. Has AWS extended the deadline to deprecate these? What changes can I make to ensure that the API endpoint only allows TLS 1.2 and above? I have browsed through all the API settings but I can't seem to find anything to control this. Most of the related material I could find online was for custom domain name APIs, which we do not intend to use and the customer solution is deployed and running and changes can not be made. At the bare minimum, I want to make sure that my team is complying with cybersecurity's mandate of only supporting TLS 1.2 or above protocols asap.

2 Answers
0

Have a look at this answer (the one highlighted in blue, with upvotes) https://repost.aws/questions/QUyfwlTpWySFKSl3HDZMc4Fg/end-of-support-of-tls1-0-1-1-for-api-gateway-endpoints-with-aws-domains#ANDJ43fZ59Sim--kj6LMiLAA

The deprecation of TLS 1.0 and 1.1 is only for AWS endpoints .... AWS in not deprecating the use of TLS 1.0 and 1.1 on customer-created endpoints - that is: your endpoints that you have created in API Gateway .... in this case your API endpoints in API Gateway will continue to operate past June 2023.

I agree that the blog post that you linked to is very easy to misunderstand on this point.

profile picture
EXPERT
Steve_M
answered 3 months ago
profile picture
EXPERT
reviewed 3 months ago
0

Hi, I would say it depends. Not all the AWS endpoints were not affected by https://docs.aws.amazon.com/cognito/latest/developerguide/infrastructure-security.html, https://aws.amazon.com/jp/blogs/security/tls-1-2-required-for-aws-endpoints/ since july 2023. For example Cognito: E-x: Cognito

But worked for AWS Secrets Manager, it was updated and uses 1.2 and 1.3 only. example

FISP endpoints can be used, to be sure that TLS 1.2 is in use: example

At any rate it can be work around by CloudFront (https://aws.amazon.com/blogs/security/protect-public-clients-for-amazon-cognito-by-using-an-amazon-cloudfront-proxy/) as CloudFront has an option to enforce security https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html and uses TLS v1.2.

answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions