AWS Security Hub · APIGateway
APIGateway.2: REST stages should use SSL certs for backend auth
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub APIGateway.2 check?
APIGateway.2 fails when a REST API stage has no client SSL certificate configured for backend authentication, that is, when the stage's clientCertificateId is unset. When one is configured, API Gateway presents that certificate on calls to HTTP and HTTP proxy integrations, which lets the backend verify that a request genuinely came through API Gateway. The control only checks that a certificate is attached to the stage; it does not verify that the backend actually validates it.
Why does APIGateway.2 matter?
A public API can have Cognito auth, WAF and throttling and still be bypassed if the backend origin is directly reachable: a tester who finds the ALB's DNS name can curl it and walk straight past every gateway control. The client certificate gives the backend a way to reject anything that did not traverse the gateway, turning that direct curl into a TLS handshake failure. The protection is only as strong as the backend's verification, though: attaching the certificate is enough to satisfy the control, but until the origin is configured to require and check it, the direct path is still open.
How do I fix APIGateway.2?
- Generate a client certificate with generate-client-certificate; API Gateway issues it with a one-year validity.
- Attach it to each stage with update-stage, using a patch operation on /clientCertificateId.
- Configure the backend (origin server or load balancer) to require a client certificate and verify it against the PEM returned by get-client-certificate.
- Track expirationDate so rotation doesn't silently break the path: generate the replacement, add it to the backend's trust store alongside the old one, switch the stage, then retire the old certificate.
Remediation script · bash
# Set these to the REST API and stage that failed the control.
REST_API_ID=<rest-api-id>
STAGE_NAME=prod
# Create an API Gateway-managed client certificate (valid for one year) and capture its id.
CERT_ID=$(aws apigateway generate-client-certificate \
  --description "backend auth for $REST_API_ID/$STAGE_NAME" \
  --query 'clientCertificateId' --output text)
# Attach it to the stage; API Gateway presents it on every HTTP integration call from now on.
aws apigateway update-stage \
  --rest-api-id "$REST_API_ID" --stage-name "$STAGE_NAME" \
  --patch-operations op=replace,path=/clientCertificateId,value="$CERT_ID"
# Export the PEM (for the backend's trust store) and the expiry (for the rotation calendar).
aws apigateway get-client-certificate --client-certificate-id "$CERT_ID" \
  --query '[pemEncodedCertificate,expirationDate]' --output text
# Confirm the stage now carries the certificate id.
aws apigateway get-stage --rest-api-id "$REST_API_ID" --stage-name "$STAGE_NAME" \
  --query 'clientCertificateId' --output text
Full walkthrough (console steps, edge cases and verification) in the lesson Enforce TLS on APIs and search domains.
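The remediation above fixes one stage at a time. The audit below is an added example, not code from this page or from AWS: it runs the APIGateway.2 check over every stage in an account and, going one step beyond the control, also flags attached certificates that have expired or are about to. The check logic works on the field shapes that get-stages and get-client-certificates return (stageName, clientCertificateId, expirationDate), so it can be exercised offline on the constructed sample data included here; fetch_live is the only part that talks to AWS, and the boto3 import is deferred so the rest imports without it. The API ids, stage names, certificate ids and dates in the sample are made up.

```python
"""Account-wide audit for APIGateway.2: every REST API stage must carry a
client certificate, and that certificate should not be expired or expiring.

Added example; the data below is constructed to mirror the output shape of
`aws apigateway get-stages` and `get-client-certificates`, not captured from
a real account.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: {restApiId: [stage, ...]} as returned under "item" by get-stages.
SAMPLE_STAGES = {
    "orders-api": [
        {"stageName": "prod", "clientCertificateId": "cert-prod"},
        {"stageName": "dev"},  # no clientCertificateId at all
    ],
    "billing-api": [
        {"stageName": "prod", "clientCertificateId": "cert-old"},
    ],
    "reports-api": [
        {"stageName": "prod", "clientCertificateId": "cert-stale"},
        {"stageName": "qa", "clientCertificateId": "cert-deleted"},  # dangling id
    ],
}

# Constructed sample: {clientCertificateId: certificate} keyed from get-client-certificates.
SAMPLE_CERTS = {
    "cert-prod": {"expirationDate": datetime(2026, 1, 1, tzinfo=timezone.utc)},
    "cert-old": {"expirationDate": datetime(2025, 2, 1, tzinfo=timezone.utc)},
    "cert-stale": {"expirationDate": datetime(2024, 12, 1, tzinfo=timezone.utc)},
}

# Fixed "now" so the sample audit is reproducible.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)


def audit_stages(stages_by_api, certs, now, warn_within=timedelta(days=30)):
    """Return one (api_id, stage_name, status, detail) tuple per stage.

    MISSING      -> APIGateway.2 fails: no clientCertificateId on the stage.
    UNKNOWN_CERT -> id is set but no such certificate exists (fix before relying on it).
    EXPIRED      -> control passes, but the backend will reject the handshake.
    EXPIRING     -> rotate within `warn_within`.
    OK           -> certificate attached and comfortably within validity.
    """
    findings = []
    for api_id, stages in stages_by_api.items():
        for stage in stages:
            name = stage["stageName"]
            cert_id = stage.get("clientCertificateId")
            if not cert_id:
                findings.append((api_id, name, "MISSING", "no client certificate attached"))
                continue
            cert = certs.get(cert_id)
            if cert is None:
                findings.append((api_id, name, "UNKNOWN_CERT", f"{cert_id} not found"))
                continue
            remaining = cert["expirationDate"] - now
            if remaining <= timedelta(0):
                status = "EXPIRED"
            elif remaining <= warn_within:
                status = "EXPIRING"
            else:
                status = "OK"
            findings.append((api_id, name, status, f"{cert_id} expires in {remaining.days} days"))
    return findings


def failing(findings):
    """Subset that needs action before the next Security Hub evaluation."""
    return [f for f in findings if f[2] != "OK"]


def fetch_live(session=None):
    """Pull real stages and certificates with boto3 (imported lazily).

    Returns the same two structures the sample data uses, so the result can be
    passed straight to audit_stages(). Assumes the caller's credentials allow
    apigateway:GET on APIs, stages and client certificates.
    """
    import boto3  # deferred so the audit logic has no hard dependency on boto3

    client = (session or boto3).client("apigateway")
    stages_by_api = {}
    kwargs = {}
    while True:  # get_rest_apis is paginated via "position"
        page = client.get_rest_apis(**kwargs)
        for api in page.get("items", []):
            stages_by_api[api["id"]] = client.get_stages(restApiId=api["id"])["item"]
        if "position" not in page:
            break
        kwargs = {"position": page["position"]}
    certs = {c["clientCertificateId"]: c for c in client.get_client_certificates().get("items", [])}
    return stages_by_api, certs


if __name__ == "__main__":
    for api_id, stage, status, detail in audit_stages(SAMPLE_STAGES, SAMPLE_CERTS, NOW):
        print(f"{status:<12} {api_id}/{stage}: {detail}")
```

Run against the sample it reports orders-api/dev as MISSING (the only true APIGateway.2 failure), reports-api/prod as EXPIRED and reports-api/qa as UNKNOWN_CERT (both pass the control yet would break or never protect the backend), and billing-api/prod as EXPIRING. To audit a real account, replace the sample arguments with `audit_stages(*fetch_live(), datetime.now(timezone.utc))`.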
More APIGateway controls
- APIGateway.1 REST/WebSocket API execution logging
- APIGateway.4 API Gateway should be associated with a WAF web ACL
- APIGateway.5 REST API cache data should be encrypted at rest
- APIGateway.8 Routes should specify an authorization type
- APIGateway.9 V2 stages should have access logging
- APIGateway.10 V2 integrations should use HTTPS for private connections
- APIGateway.11 Domain names should use recommended security policies