Hi, I would say it depends. Not all AWS endpoints were affected by https://docs.aws.amazon.com/cognito/latest/developerguide/infrastructure-security.html, https://aws.amazon.com/jp/blogs/security/tls-1-2-required-for-aws-endpoints/ since July 2023. For example Cognito:
But it worked for AWS Secrets Manager: it was updated and uses 1.2 and 1.3 only.
FIPS endpoints can be used to be sure that TLS 1.2 is in use:
At any rate it can be worked around with CloudFront (https://aws.amazon.com/blogs/security/protect-public-clients-for-amazon-cognito-by-using-an-amazon-cloudfront-proxy/), as CloudFront has an option to enforce security https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html and uses TLS v1.2.
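One way to check for yourself which protocol versions an endpoint still negotiates, as an added example that is not code from this thread or from AWS (the execute-api hostname in it is a placeholder):

```python
import socket
import ssl

# Each version is pinned as both minimum and maximum, so the handshake can only
# succeed with exactly that version.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = ("TLS 1.0", "TLS 1.1")

def probe_version(host, version, port=443, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # hostname and chain checks stay on
    ctx.load_default_certs()
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # OpenSSL 3 will not even offer TLS 1.0/1.1 at its default security level;
        # lower it for this probe so a failure really comes from the server.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # LibreSSL builds do not know @SECLEVEL; probe with their defaults
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False  # version rejected, certificate failure, or host unreachable

def probe_all(host, port=443):
    """Map each protocol name to whether `host` accepted it."""
    return {name: probe_version(host, ver, port) for name, ver in VERSIONS.items()}

def classify(results):
    """'hardened' = TLS 1.2+ only, 'legacy' = still accepts 1.0/1.1, else 'unreachable'."""
    if not any(results.values()):
        return "unreachable"
    if any(results.get(name) for name in LEGACY):
        return "legacy"
    return "hardened"

if __name__ == "__main__":
    # Placeholder hostname: replace with your own execute-api or CloudFront host.
    results = probe_all("EXAMPLE-API-ID.execute-api.us-east-1.amazonaws.com")
    for name, accepted in results.items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
    print("verdict:", classify(results))
```

Run it against the custom-domain or CloudFront hostname after changing the security policy; note that a CloudFront distribution using the default *.cloudfront.net certificate is fixed at the TLSv1 security policy, so the minimum version can only be raised once the distribution has its own certificate.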
Have a look at this answer (the one highlighted in blue, with upvotes) https://repost.aws/questions/QUyfwlTpWySFKSl3HDZMc4Fg/end-of-support-of-tls1-0-1-1-for-api-gateway-endpoints-with-aws-domains#ANDJ43fZ59Sim--kj6LMiLAA
The deprecation of TLS 1.0 and 1.1 is only for AWS endpoints .... AWS is not deprecating the use of TLS 1.0 and 1.1 on customer-created endpoints - that is: your endpoints that you have created in API Gateway .... in this case your API endpoints in API Gateway will continue to operate past June 2023.
I agree that the blog post that you linked to is very easy to misunderstand on this point.
Is there any way that I could configure the API endpoint to support only TLS 1.2 or above? I do not see any setting that would let me make the desired changes. In fact, I created a new test API and found no configuration setting regarding this while creating that either.
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html#apigateway-custom-domain-tls-version-how-to
You can do this in some cases: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html
Also related: https://repost.aws/articles/ARrEAtmC2qRjOpuPIccOscyQ/why-doesn-t-s3-respect-the-tls-settings-in-my-iam-policy
@Steve_M @Brettski-AWS I appreciate your responses; however, these do not apply to my case, as they use custom domain names which, as I have already mentioned in the original post, cannot be used by me.
Can anyone tell me if this API Gateway rule works for Public URLs generated in Lambda?