API Gateway without security policy

Este producto no es compatible con el sitio Datadog seleccionado. ().
Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Metadata

Id: 4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b

Cloud Provider: AWS

Platform: Terraform

Severity: Medium

Category: Insecure Configurations

Learn More

Description

The AWS API Gateway custom domain resource should have a security policy explicitly defined to enforce the use of strong encryption protocols. By omitting the security_policy attribute or leaving it unset, as shown below, the domain name may default to an older, less secure version of TLS, making the API vulnerable to downgrade attacks and exposure of sensitive data.

resource "aws_api_gateway_domain_name" "example" {
  domain_name = "api.example.com"
}

Setting security_policy = "TLS_1_2" ensures that only connections using TLS 1.2 are allowed, significantly increasing the security posture of the API endpoint:

resource "aws_api_gateway_domain_name" "example" {
  domain_name     = "api.example.com"
  security_policy = "TLS_1_2"
}

Compliant Code Examples

resource "aws_api_gateway_domain_name" "example4" {
  domain_name              = "api.example.com"
  security_policy = "TLS_1_2"
}

Non-Compliant Code Examples

resource "aws_api_gateway_domain_name" "example2" {
  domain_name              = "api.example.com"
  security_policy = "TLS_1_0"
}

resource "aws_api_gateway_domain_name" "example" {
  domain_name              = "api.example.com"
}