This article explains how to secure Amazon API Gateway with specific TLS protocols and cipher suites using Amazon CloudFront to meet organizational compliance requirements.

• Cipher suites combine cryptographic algorithms to secure network connections during TLS/SSL handshakes
• TLS 1.3 is more secure than TLS 1.2, using fewer ciphers and requiring only one round-trip handshake
• API Gateway regional endpoints support only TLS 1.2 and include weak cipher suites
• Edge-optimized API Gateway endpoints support TLS 1.3 but still include weaker cipher suites
• Fronting regional API Gateway with custom CloudFront distribution enables fine-grained TLS cipher control
• CloudFront security policy TLSv1.2_2021 supports only strong cipher suites for both TLS 1.3 and 1.2
• Custom CloudFront distribution provides additional benefits: caching, CORS policies, and global edge network

Organizations requiring strict cipher suite compliance should use a regional API Gateway fronted by a custom CloudFront distribution with appropriate security policies.