Question

Refering to AWS Cloudfront Documentation, AWS API Gateway supports TLS v1.0, v1.1, v1.2.

But I want to limit the encryption protocols to TLS v1.1 and v1.2 for my Gateway API. Where do I configure this? I do not see any cloudfront distribution for my API. Gateway resource page does not have an option to specify the security protocol.

My API is running in production for last 2 years using a custom domain. Any idea how do I limit my API to TLS V1.1 and V1.2 protocols only in API Gateway?

Answer 1

• API ( application programming interface )- It is a key to get permission to access the code written by other person.
• TLS(Transport layer Security)- is a protocol that provides privacy and data integrity between two communicating applications.

• In case to make API to work with additional Cloud Front distribution, we need to follow these

1. Go to AWS Console, under API Gateway click on  Custom Domain Name and delete the mapped entry
2. Create a new cloudfront distribution with following settings-

Cloudfront settings

1. Provide origin domain name as your Gate API endpoint https://abcdfefg.execute-api.us-east-1.amazonaws.com( provide your endpoint according to your account)
2. Set viewer protocol policy to  HTTPS Only
3. provide origin SSL protocols as TLSv1.2, TLSv1.1 (Uncheck TLSv1)
4. then add a Alternate Domain Name(cName's) to refer to custom domain name
5. and few other defaults after the above changes are completed, accessing the custom domain name on https will enforce the TLS security settings as defined in Cloud Front distribution