API Gateway without security policy

Docs > Plateforme de sécurité Datadog > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > API Gateway without security policy

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

Id: 4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b

Cloud Provider: AWS

Platform: Terraform

Severity: Medium

Category: Insecure Configurations

Learn More

Provider Reference

Description

The AWS API Gateway custom domain resource should have a security policy explicitly defined to enforce the use of strong encryption protocols. By omitting the security_policy attribute or leaving it unset, as shown below, the domain name may default to an older, less secure version of TLS, making the API vulnerable to downgrade attacks and exposure of sensitive data.

resource "aws_api_gateway_domain_name" "example" {
  domain_name = "api.example.com"
}

Setting security_policy = "TLS_1_2" ensures that only connections using TLS 1.2 are allowed, significantly increasing the security posture of the API endpoint:

resource "aws_api_gateway_domain_name" "example" {
  domain_name     = "api.example.com"
  security_policy = "TLS_1_2"
}

Compliant Code Examples

resource "aws_api_gateway_domain_name" "example4" {
  domain_name              = "api.example.com"
  security_policy = "TLS_1_2"
}

Non-Compliant Code Examples

resource "aws_api_gateway_domain_name" "example2" {
  domain_name              = "api.example.com"
  security_policy = "TLS_1_0"
}

resource "aws_api_gateway_domain_name" "example" {
  domain_name              = "api.example.com"
}