Minimum TLS version for API Gateway

The APIs created with Amazon API Gateway expose HTTPS endpoints only. API Gateway doesn’t support unencrypted (HTTP) endpoints.

TLS has multiple versions, and the newer versions of the protocol are recommended because they offer stronger security features. It is therefore a common requirement to enforce a minimum TLS version on API Gateway.

In this article we will look at the TLS versions supported by API Gateway endpoints and how to enforce a minimum TLS version for API Gateway.

What is TLS?

Transport Layer Security (TLS) is a cryptographic protocol designed to provide secure communication between web browsers and servers. TLS is the successor of the Secure Sockets Layer (SSL) protocol, and it is sometimes still referred to as SSL.

Read more here – https://cloudnamaste.com/understanding-tls-protocol

How is the TLS version determined?

The client sends a ClientHello message to the server, which contains the maximum TLS version it supports as well as a list of the cipher suites it supports, in order of preference. The server then decides which TLS version and cipher suite it wants to use for the TLS connection and informs the client by replying with a ServerHello.

Ideally the highest TLS version and the strongest cipher suite would be selected, but the TLS specification does not guarantee this: the server is free to use whatever it wants out of the list provided by the client.

Enforcing a TLS version for API Gateway

For greater security, API Gateway lets you choose a minimum Transport Layer Security (TLS) protocol version, which is enforced through an API Gateway custom domain. The lowest minimum TLS version that API Gateway supports is TLS 1.0.

Private REST APIs, WebSocket APIs and HTTP APIs support only TLS 1.2.

API Gateway allows you to provide a security policy when creating custom domain names. When your clients establish a TLS handshake to your API through the custom domain, the security policy enforces the TLS version and cipher suite options your clients can choose to use.

In custom domain settings, a security policy determines two settings:

  • The minimum TLS version that API Gateway uses to communicate with API clients
  • The cipher that API Gateway uses to encrypt the content that it returns to API clients

Option to select Minimum TLS version in Custom Domain Name settings
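As an added example (not code from the original article or from AWS), the negotiation described above and the floor a custom-domain security policy imposes on it, modelled in Python: a parser for the ClientHello a client sends, and a server-side selection that applies a TLS_1_0 or TLS_1_2 floor. The floor values and the constructed ClientHello inputs are assumptions of this model, not API Gateway's implementation.

```python
import struct

TLS_VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
POLICY_FLOOR = {"TLS_1_0": 0x0301, "TLS_1_2": 0x0303}  # API Gateway policy names; floor values are this model's assumption
SUPPORTED_VERSIONS_EXT = 0x002B  # RFC 8446 extension listing the exact versions a TLS 1.3 client offers

def parse_client_hello(record: bytes) -> dict:
    """Extract legacy_version, cipher suites and offered TLS versions from a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:  # handshake record whose message type is client_hello
        raise ValueError("not a ClientHello handshake record")
    body, pos = record[5:], 4                    # skip handshake type + 3-byte length
    legacy_version = struct.unpack_from("!H", body, pos)[0]
    pos += 2 + 32                                # legacy_version + 32-byte random
    pos += 1 + body[pos]                         # length-prefixed session_id
    n = struct.unpack_from("!H", body, pos)[0]
    ciphers = [struct.unpack_from("!H", body, pos + 2 + i)[0] for i in range(0, n, 2)]
    pos += 2 + n
    pos += 1 + body[pos]                         # compression_methods
    # Pre-1.3 clients implicitly offer everything up to legacy_version; TLS 1.3 clients list exact versions.
    offered = {v for v in TLS_VERSIONS if v <= legacy_version}
    pos, ext_end = pos + 2, pos + 2 + struct.unpack_from("!H", body, pos)[0]
    while pos < ext_end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        pos += 4
        if etype == SUPPORTED_VERSIONS_EXT:      # 1-byte list length, then 2-byte version codes
            lst = body[pos + 1 : pos + 1 + body[pos]]
            offered = {struct.unpack_from("!H", lst, i)[0] for i in range(0, len(lst), 2)}
        pos += elen
    return {"legacy_version": legacy_version, "ciphers": ciphers, "offered": offered}

def select_version(record: bytes, policy: str):
    """Server side: highest offered version at or above the policy floor, or None when the handshake is refused."""
    acceptable = [v for v in parse_client_hello(record)["offered"] if v >= POLICY_FLOOR[policy] and v in TLS_VERSIONS]
    return TLS_VERSIONS[max(acceptable)] if acceptable else None

def build_client_hello(legacy_version: int, ciphers, supported_versions=None) -> bytes:
    """Build a minimal ClientHello record as constructed test input (not a captured handshake)."""
    body = struct.pack("!H", legacy_version) + bytes(32) + b"\x00"   # version, zero random, empty session_id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                               # one compression method: null
    exts = b""
    if supported_versions:
        lst = b"".join(struct.pack("!H", v) for v in supported_versions)
        exts = struct.pack("!HHB", SUPPORTED_VERSIONS_EXT, len(lst) + 1, len(lst)) + lst
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

LEGACY_CLIENT = build_client_hello(0x0301, [0x002F])                     # constructed: TLS 1.0-only client
TLS12_CLIENT = build_client_hello(0x0303, [0xC02F])                      # constructed: TLS 1.2 client
TLS13_CLIENT = build_client_hello(0x0303, [0x1301, 0xC02F], [0x0304, 0x0303])  # constructed: TLS 1.3 client, 1.2 fallback
```

With the TLS_1_2 policy the legacy client gets no acceptable version and the handshake is refused, while the TLS 1.3 client still negotiates TLSv1.3 because the floor is a minimum, not an exact version.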

Enforcing minimum TLS version 1.3 on API Gateway

A minimum TLS version of 1.3 is only possible through CloudFront. You can choose one of the setups below as per your use case:

  1. Use an Edge-optimized API endpoint: Edge-optimized API endpoints are backed by a default CloudFront distribution that AWS manages.
  2. Use a Regional API with an Edge-Optimized custom domain name and the TLS 1.2 security policy. An Edge-Optimized custom domain name creates an AWS-managed CloudFront distribution in front of the API, and the security policy is set on CloudFront.
  3. If you need more control over the CloudFront distribution, create a CloudFront distribution in your account and use the Regional API Gateway endpoint as its origin. See: set up API Gateway with my own CloudFront distribution

Note: With the default CloudFront distribution created by API Gateway it is not possible to disable TLSv1.3. If you want more control over the minimum TLS version used by CloudFront, use a custom CloudFront distribution as suggested in point 3, where you can specify the security policy based on your security and compliance requirements.

Supported security policies, TLS protocol versions, and ciphers for edge-optimized API endpoints in API Gateway

Supported SSL/TLS protocols and ciphers for regional, private, and WebSocket API endpoints in API Gateway

References

Data encryption in Amazon API Gateway

Choosing a minimum TLS version for a custom domain in API Gateway