Compliance Medium severity

AWS Security Hub · APIGateway

APIGateway.11: Domain names should use recommended security policies

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub APIGateway.11 check?

APIGateway.11 fails when a custom domain name uses a legacy TLS security policy (such as TLS_1_0) instead of a recommended modern one. The policy sets the floor for what the TLS handshake will accept.

Why does APIGateway.11 matter?

Because TLS negotiates the strongest protocol both sides support, a domain on a legacy policy still speaks TLS 1.2 to a modern browser and looks fine — but it will also accept TLS 1.0 from any client that asks, including an attacker forcing a downgrade. POODLE and BEAST worked exactly this way. Raising the floor removes the weak protocols entirely.

How do I fix APIGateway.11?

  1. Audit each custom domain's current securityPolicy.
  2. Update legacy domains to a recommended policy (TLS 1.2 or later) via update-domain-name.
  3. Allow for the propagation window and confirm the ACM certificate is compatible.
  4. Set the modern policy as the default in IaC and add a Config rule to catch drift.
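An added example, not the page's or Emnode's own code, that automates step 1 and prepares step 2: it classifies a constructed `aws apigateway get-domain-names` response for APIGateway.11 and emits the same patch operation the remediation script uses. The domain names are placeholders, and treating a domain whose domainNameStatus is UPDATING or PENDING as "propagating" rather than failing is an assumption drawn from the fifteen-minute window described below.

```python
import json

RECOMMENDED_POLICY = "TLS_1_2"   # the only policy APIGateway.11 accepts as modern
PROPAGATING_STATES = {"UPDATING", "PENDING"}   # change still rolling out

# Constructed sample in the shape of `aws apigateway get-domain-names` output (placeholder names).
SAMPLE_RESPONSE = json.dumps({
    "items": [
        {"domainName": "api.example.com", "securityPolicy": "TLS_1_0",
         "endpointConfiguration": {"types": ["EDGE"]}, "domainNameStatus": "AVAILABLE"},
        {"domainName": "internal.example.com", "securityPolicy": "TLS_1_2",
         "endpointConfiguration": {"types": ["REGIONAL"]}, "domainNameStatus": "AVAILABLE"},
        {"domainName": "legacy.example.com", "securityPolicy": "TLS_1_0",
         "endpointConfiguration": {"types": ["REGIONAL"]}, "domainNameStatus": "UPDATING"},
        {"domainName": "old.example.com",
         "endpointConfiguration": {"types": ["EDGE"]}, "domainNameStatus": "AVAILABLE"},
    ]
})

def evaluate_domains(response_json):
    """Classify each custom domain as PASS, FAIL or PROPAGATING for APIGateway.11."""
    findings = []
    for item in json.loads(response_json).get("items", []):
        policy = item.get("securityPolicy")   # may be absent; treat as legacy until verified
        status = item.get("domainNameStatus", "AVAILABLE")
        if policy == RECOMMENDED_POLICY:
            verdict = "PASS"
        elif status in PROPAGATING_STATES:
            verdict = "PROPAGATING"   # update in flight: re-check after the ~15 min window
        else:
            verdict = "FAIL"
        findings.append({
            "domainName": item["domainName"],
            "endpointType": item.get("endpointConfiguration", {}).get("types", ["?"])[0],
            "securityPolicy": policy or "unset",
            "verdict": verdict,
        })
    return findings

def patch_operations(findings):
    """Build the update-domain-name patch for every FAIL (same op as the remediation script)."""
    return {f["domainName"]: [{"op": "replace", "path": "/securityPolicy", "value": RECOMMENDED_POLICY}]
            for f in findings if f["verdict"] == "FAIL"}

if __name__ == "__main__":
    results = evaluate_domains(SAMPLE_RESPONSE)
    for f in results:
        print(f"{f['verdict']:<11} {f['domainName']:<22} {f['endpointType']:<9} {f['securityPolicy']}")
    print(patch_operations(results))
```

Feed it the real CLI output with `aws apigateway get-domain-names --output json` to audit an account; PROPAGATING rows should be re-run rather than remediated again.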

Remediation script · bash

# Raise the search-domain TLS policy and keep HTTPS enforced (no downtime, no re-index).
aws opensearch update-domain-config \
  --domain-name logs-prod \
  --domain-endpoint-options '{"EnforceHTTPS":true,"TLSSecurityPolicy":"Policy-Min-TLS-1-2-PFS-2023-10"}'

# Pin an API Gateway custom domain to a recommended TLS security policy.
aws apigateway update-domain-name \
  --domain-name api.example.com \
  --patch-operations op=replace,path=/securityPolicy,value=TLS_1_2

# Confirm the search domain's live policy once the change settles.
aws opensearch describe-domain-config --domain-name logs-prod \
  --query 'DomainConfig.DomainEndpointOptions.Options.TLSSecurityPolicy' \
  --output text

Full walkthrough (console steps, edge cases and verification) in the lesson Enforce TLS on APIs and search domains.

Is APIGateway.11 a false positive?

Edge-optimised and regional custom domains configure the policy differently, and changes take roughly fifteen minutes to propagate — a domain can still read as failing right after the update lands.

Part of the learning path Encrypt everything