
Enhancing API security with Amazon API Gateway TLS security policies

Compute Blog



This article introduces enhanced TLS security policies for Amazon API Gateway, enabling granular control over TLS configuration to meet compliance standards like PCI DSS, FIPS, and Open Banking.

  • Configure TLS behavior on all REST API endpoint types: Regional, edge-optimized, and private
  • Choose from predefined enhanced security policies enforcing minimum TLS versions and cipher suites
  • Support for TLS 1.3-only policies, hardened TLS 1.2 without CBC ciphers, and post-quantum cryptography
  • Two endpoint access modes: BASIC (standard behavior) and STRICT (additional validation checks)
  • Apply security policies when creating an API, or update existing APIs, with a BASIC-to-STRICT migration path
  • Monitor TLS usage via the access log variables $context.tlsVersion and $context.cipherSuite
  • Policy updates take up to 15 minutes to propagate; API remains available during changes

Enhanced TLS security policies provide direct control over secure client connections without operational complexity, helping APIs align with evolving security and compliance requirements.
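The access log variables listed above are what you would use to check, before tightening a policy, which clients would be cut off by a TLS 1.2 minimum or a no-CBC rule. The script below is an added example, not code from AWS or the article; it assumes the stage's access-log format was configured as JSON with $context.tlsVersion and $context.cipherSuite mapped to fields named "tlsVersion" and "cipherSuite" (field names are this example's choice), and the sample lines and cipher-name style are constructed.

```python
"""Triage API Gateway access logs for connections a stricter TLS policy would break.

Assumption: the stage's access-log format is JSON and maps $context.tlsVersion and
$context.cipherSuite to the fields "tlsVersion" and "cipherSuite" (names chosen here).
"""
import json
from collections import Counter

# Constructed sample lines. Cipher names follow OpenSSL's naming style, which is an
# assumption about how $context.cipherSuite is rendered; IANA names are handled too.
SAMPLE_LOG = """\
{"requestId":"r1","tlsVersion":"TLSv1.3","cipherSuite":"TLS_AES_256_GCM_SHA384","status":200}
{"requestId":"r2","tlsVersion":"TLSv1.2","cipherSuite":"ECDHE-RSA-AES128-GCM-SHA256","status":200}
{"requestId":"r3","tlsVersion":"TLSv1.2","cipherSuite":"ECDHE-RSA-AES256-SHA384","status":200}
{"requestId":"r4","tlsVersion":"TLSv1.1","cipherSuite":"AES128-SHA","status":403}
"""

MIN_VERSION = "TLSv1.2"
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")

def version_tuple(v):
    """'TLSv1.2' -> (1, 2) so versions compare numerically rather than as strings."""
    return tuple(int(x) for x in v.removeprefix("TLSv").split("."))

def is_cbc(cipher):
    """True for CBC-mode suites: IANA names contain 'CBC'; OpenSSL names for CBC
    suites are the ones without any AEAD marker (GCM, CHACHA20, CCM)."""
    c = cipher.upper()
    return "CBC" in c or not any(m in c for m in AEAD_MARKERS)

def triage(log_text):
    """Return per-version counts plus the request IDs that would be rejected by a
    TLS 1.2-minimum policy ("below_min") or by a no-CBC policy ("cbc")."""
    versions = Counter()
    below_min, cbc = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        versions[rec["tlsVersion"]] += 1
        if version_tuple(rec["tlsVersion"]) < version_tuple(MIN_VERSION):
            below_min.append(rec["requestId"])
        if is_cbc(rec["cipherSuite"]):
            cbc.append(rec["requestId"])
    return {"versions": dict(versions), "below_min": below_min, "cbc": cbc}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it against a CloudWatch Logs export of the stage's access logs to see which callers need to be upgraded before moving the policy, since the 15-minute propagation window gives no warning to clients that stop negotiating.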


