Compliance · Medium severity

AWS Security Hub · APIGateway

APIGateway.10: V2 integrations should use HTTPS for private connections

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub APIGateway.10 check?

APIGateway.10 fails when an API Gateway V2 private integration over a VPC Link has no TlsConfig — meaning the backend hop isn't encrypted. The control inspects the integration's TLS configuration, not the public-facing route protocol.

Why does APIGateway.10 matter?

A VPC Link keeps a backend off the public internet, which many teams mistake for "secure", so they never enable TLS on the integration hop. Traffic between the gateway and the private backend then crosses the VPC unencrypted. Setting TlsConfig closes that gap and protects the data on the internal segment as well.

How do I fix APIGateway.10?

  1. Find private integrations whose TlsConfig is unset.
  2. Add a TlsConfig (with serverNameToVerify where the backend presents a real certificate) via update-integration.
  3. For self-signed backend certs, configure verification appropriately and confirm the handshake succeeds.
  4. Default TLS on integrations in your IaC so new ones land compliant.

Remediation script · bash

# Step 1: list private (VPC Link) integrations on the HTTP API that have no TlsConfig.
aws apigatewayv2 get-integrations --api-id abc123 \
  --query 'Items[?ConnectionType==`VPC_LINK` && TlsConfig==null].[IntegrationId,IntegrationUri]' \
  --output table

# Step 2: set TlsConfig on each one. ServerNameToVerify must match the hostname on the
# backend's certificate; it is also sent as SNI during the handshake.
aws apigatewayv2 update-integration \
  --api-id abc123 \
  --integration-id def456 \
  --tls-config ServerNameToVerify=orders.internal.example.com

# Confirm the integration now carries a TlsConfig.
aws apigatewayv2 get-integration --api-id abc123 --integration-id def456 \
  --query 'TlsConfig.ServerNameToVerify' \
  --output text

Full walkthrough (console steps, edge cases and verification) in the lesson Enforce TLS on APIs and search domains.

Is APIGateway.10 a false positive?

The control is about the backend integration protocol, not the route — a route served over HTTPS to clients can still fail if the private hop to the backend has no TLS.
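The control's scope and the fix steps above, as an added example (not Emnode's code): it evaluates a constructed get-integrations response the way the control does, counting only private VPC Link integrations, and plans the update-integration call for each failure. All IDs, ARNs and hostnames below are constructed.

```python
import shlex

# Constructed sample in the shape of `aws apigatewayv2 get-integrations` output (not real account data).
SAMPLE_GET_INTEGRATIONS = {
    "Items": [
        {"IntegrationId": "a1b2c3", "IntegrationType": "HTTP_PROXY", "ConnectionType": "VPC_LINK",
         "ConnectionId": "vpcl-0a1b2c",
         "IntegrationUri": "arn:aws:elasticloadbalancing:eu-west-1:111122223333:listener/app/orders/abc/def",
         "TlsConfig": {"ServerNameToVerify": "orders.internal.example.com"}},  # private, TLS set -> PASSED
        {"IntegrationId": "d4e5f6", "IntegrationType": "HTTP_PROXY", "ConnectionType": "VPC_LINK",
         "ConnectionId": "vpcl-0a1b2c",
         "IntegrationUri": "arn:aws:elasticloadbalancing:eu-west-1:111122223333:listener/app/billing/ghi/jkl"},
        # ^ private, no TlsConfig -> FAILED
        {"IntegrationId": "g7h8i9", "IntegrationType": "HTTP_PROXY", "ConnectionType": "INTERNET",
         "IntegrationUri": "https://partner.example.com/v1"},  # public hop -> not in scope
        {"IntegrationId": "j0k1l2", "IntegrationType": "AWS_PROXY",
         "IntegrationUri": "arn:aws:lambda:eu-west-1:111122223333:function:orders"},  # Lambda -> not in scope
    ]
}

def status(integ: dict) -> str:
    """Mirror the control's scope: only VPC Link (private) integrations are assessed.
    An absent or empty TlsConfig is treated as unset (assumption)."""
    if integ.get("ConnectionType") != "VPC_LINK":
        return "NOT_APPLICABLE"
    return "PASSED" if integ.get("TlsConfig") else "FAILED"

def evaluate(api_id: str, response: dict) -> list:
    """One finding per private integration with no TlsConfig; route protocol is ignored on purpose."""
    return [{"ApiId": api_id, "IntegrationId": i["IntegrationId"], "IntegrationUri": i.get("IntegrationUri", "")}
            for i in response.get("Items", []) if status(i) == "FAILED"]

def plan_remediation(findings: list, server_names: dict) -> tuple:
    """Build the `aws apigatewayv2 update-integration` argv for each finding.
    server_names maps IntegrationId -> hostname on the backend certificate; a private
    integration's URI is a listener/service ARN, so the name cannot be derived from it.
    Findings with no known name are returned separately for the operator to fill in."""
    commands, needs_name = [], []
    for f in findings:
        name = server_names.get(f["IntegrationId"])
        if not name:
            needs_name.append(f["IntegrationId"])
            continue
        commands.append(["aws", "apigatewayv2", "update-integration",
                         "--api-id", f["ApiId"], "--integration-id", f["IntegrationId"],
                         "--tls-config", f"ServerNameToVerify={name}"])
    return commands, needs_name

if __name__ == "__main__":
    found = evaluate("abc123", SAMPLE_GET_INTEGRATIONS)
    cmds, todo = plan_remediation(found, {"d4e5f6": "billing.internal.example.com"})
    for c in cmds:
        print(shlex.join(c))
    for i in todo:
        print(f"# {i}: supply the backend certificate hostname before updating")
```

The same evaluate/plan split works over the real `get-integrations` JSON for every API returned by `aws apigatewayv2 get-apis`.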

Part of the learning path Encrypt everything