API Gateway without security policy
Id: 4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b
Cloud Provider: AWS
Platform: Terraform
Severity: Medium
Category: Insecure Configurations
Description
The AWS API Gateway custom domain resource should have a security policy explicitly defined to enforce the use of strong encryption protocols. By omitting the security_policy attribute or leaving it unset, as shown below, the domain name may default to an older, less secure version of TLS, making the API vulnerable to downgrade attacks and exposure of sensitive data.
resource "aws_api_gateway_domain_name" "example" {
  domain_name = "api.example.com"
}
Setting security_policy = "TLS_1_2" ensures that only connections using TLS 1.2 are allowed, significantly increasing the security posture of the API endpoint:
resource "aws_api_gateway_domain_name" "example" {
  domain_name     = "api.example.com"
  security_policy = "TLS_1_2"
}
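The check described above, as an added example that is not part of the KICS query itself: a small Python scanner that walks a Terraform file, finds every aws_api_gateway_domain_name resource and reports those with no security_policy or with a value other than TLS_1_2. The sample Terraform is constructed from the snippets on this page; the scanner assumes flat resource bodies (no nested blocks inside the resource).

```python
import re

# Constructed sample Terraform, modelled on this page's compliant and non-compliant snippets.
SAMPLE_TF = """
resource "aws_api_gateway_domain_name" "example4" {
  domain_name     = "api.example.com"
  security_policy = "TLS_1_2"
}

resource "aws_api_gateway_domain_name" "example2" {
  domain_name     = "api.example.com"
  security_policy = "TLS_1_0"
}

resource "aws_api_gateway_domain_name" "example" {
  domain_name = "api.example.com"
}
"""

# Matches one resource block; the non-greedy body stops at the first "}",
# which is why this assumes no nested blocks inside the resource.
RESOURCE_RE = re.compile(
    r'resource\s+"aws_api_gateway_domain_name"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\}',
    re.DOTALL,
)
# Matches a security_policy = "..." line anywhere in the body.
ATTR_RE = re.compile(r'^\s*security_policy\s*=\s*"(?P<value>[^"]*)"', re.MULTILINE)

# Only TLS_1_2 is accepted, matching the policy the query enforces.
ACCEPTED_POLICIES = {"TLS_1_2"}


def find_weak_domain_names(tf_source):
    """Return (resource_name, finding) for each aws_api_gateway_domain_name
    resource that omits security_policy or sets it to a non-accepted value."""
    findings = []
    for m in RESOURCE_RE.finditer(tf_source):
        attr = ATTR_RE.search(m.group("body"))
        if attr is None:
            findings.append((m.group("name"), "security_policy not set"))
        elif attr.group("value") not in ACCEPTED_POLICIES:
            findings.append((m.group("name"), f"security_policy is {attr.group('value')}"))
    return findings


if __name__ == "__main__":
    for name, finding in find_weak_domain_names(SAMPLE_TF):
        print(f'aws_api_gateway_domain_name "{name}": {finding}')
```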
Compliant Code Examples
resource "aws_api_gateway_domain_name" "example4" {
  domain_name     = "api.example.com"
  security_policy = "TLS_1_2"
}
Non-Compliant Code Examples
resource "aws_api_gateway_domain_name" "example2" {
  domain_name     = "api.example.com"
  security_policy = "TLS_1_0"
}

resource "aws_api_gateway_domain_name" "example" {
  domain_name = "api.example.com"
}