Compliance

Enforce TLS on APIs and search domains

One capability across API Gateway and OpenSearch and Elasticsearch: every public endpoint uses a strong, current TLS policy, and the hop to the backend behind the gateway is encrypted too.

13 min·10 sections·AWS

Last reviewed 16 June 2026

Remediates AWS Security Hub: APIGateway.2 APIGateway.10 APIGateway.11 ES.8 Opensearch.8

TLS on APIs and search: the basics

Why an HTTPS endpoint can still be a weak one

API Gateway custom domains and OpenSearch and Elasticsearch domains all answer over HTTPS, and most teams stop checking once they see HTTPS is on. But TLS is not a single setting. Each endpoint advertises a security policy that decides which protocol versions and cipher suites it will accept during the handshake, and an old policy negotiates down to TLS 1.0 or weak ciphers if a client asks. A connection can be encrypted in the browser and still negotiated insecurely, which is precisely how downgrade attacks like POODLE and BEAST worked: they did not break modern TLS, they tricked the server into using an old protocol it should never have left enabled.

Security Hub turns this idea into several controls across the API and search surface. APIGateway.11 fails an API Gateway custom domain that is not pinned to a recommended TLS security policy. ES.8 and Opensearch.8 fail an Elasticsearch or OpenSearch domain whose TLSSecurityPolicy is not the latest (currently Policy-Min-TLS-1-2-PFS-2023-10) or where HTTPS is not enforced. APIGateway.10 fails an HTTP API V2 private integration whose backend hop over a VPC Link has no TLS configured, and APIGateway.2 fails a REST API stage with no client-side SSL certificate to prove the caller really is the gateway. They look like separate findings, but they are one capability: the floor on every TLS connection in front of, and behind, these services should be high.

The fixes are cheap and standard, and they split into two shapes. Raising a TLS security policy on a custom domain or a search domain is a single configuration field applied with no downtime and no data migration. Encrypting the backend hop is a property on the integration (a TlsConfig block) or the stage (a client certificate). The work is finding every endpoint and confirming no genuinely ancient client breaks before you raise the floor.

In this lesson you will learn what a TLS security policy actually negotiates on an API Gateway custom domain and a search domain, why "HTTPS enabled" and "latest TLS policy" are different checks, and why a private backend hop is not automatically an encrypted one. The Controls this lesson covers section lists every Security Hub control in this capability, each linking to a deep page with the exact check and a copy-and-paste fix.

Fun fact

The handshake that quietly steps down, and the private path that lulls you to sleep

Two assumptions cause most findings in this group. The first is that HTTPS means strong: TLS is a negotiation, and a domain on a legacy policy will happily speak TLS 1.2 to a modern browser while still accepting TLS 1.0 from any client that asks, including an attacker forcing a downgrade. The fix was never about the strong end of the range, it was always about raising the floor. The second is that private means encrypted: a VPC Link gives API Gateway a private network path to a backend, and because it solved the "do not expose my service to the internet" problem so cleanly, many teams equated reachable-only-through-a-VPC-Link with secure and never enabled TLS on the backend hop. APIGateway.10 exists to catch every integration where the link was created but the encryption toggle was never flipped.

Finding weak and unencrypted endpoints across an estate

Dev runs the security cadence at a logistics company. Security Hub flags a spread of findings across API Gateway and OpenSearch in two accounts: custom domains on a legacy TLS policy, a search domain still permitting TLS 1.0, and an HTTP API integration forwarding to its backend in clear text.

Rather than work them one by one, he starts by reading the current TLS policy on the flagged search domain, since "HTTPS is on" tells him nothing about how strong the accepted handshakes are.

Read the endpoint options on the flagged OpenSearch domain to confirm which TLS policy it is on and whether HTTPS is enforced.

$ aws opensearch describe-domain-config --domain-name logs-prod --query 'DomainConfig.DomainEndpointOptions.Options'

{

"EnforceHTTPS": true,

"TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07",

"CustomEndpointEnabled": false

}

# HTTPS is enforced, but the policy still permits TLS 1.0 - the finding fires.

HTTPS on is not enough; the policy name is what Opensearch.8 and ES.8 evaluate.

How the API and search TLS controls workdeep dive

A TLS security policy is an AWS-managed bundle of a minimum protocol version plus an allowed cipher list, and it sets the floor on how weak a handshake may go. On a search domain the field is TLSSecurityPolicy inside DomainEndpointOptions: Policy-Min-TLS-1-0-2019-07 permits TLS 1.0 and up, Policy-Min-TLS-1-2-2019-07 raises the floor to TLS 1.2, and Policy-Min-TLS-1-2-PFS-2023-10 keeps the 1.2 floor and restricts ciphers to perfect-forward-secrecy suites only. ES.8 and Opensearch.8 fail if HTTPS is not enforced or the policy is not the latest, and the change applies as a domain configuration update with no re-index: the domain transitions to Processing and returns to Active with the narrower handshake rules live. On an API Gateway custom domain the equivalent field is securityPolicy on the AWS::ApiGateway::DomainName resource, which APIGateway.11 checks against the recommended policies.

The backend-hop controls are about the connection behind the gateway, not the public edge. APIGateway.10 reads the TlsConfig on an AWS::ApiGatewayV2::Integration: a VPC Link controls where the traffic goes, not whether it is encrypted, so an integration with no TlsConfig forwards to the backend over plain HTTP even when the public route is HTTPS-only. APIGateway.2 reads the client certificate on an AWS::ApiGateway::Stage: API Gateway can present a generated SSL certificate to the backend so the origin can verify the caller really is the gateway and reject anything that bypasses it.

The one real-world risk across the policy-raising controls is client compatibility. Raising the floor to TLS 1.2 breaks any client that can only speak TLS 1.0/1.1, in practice very old SDKs, legacy JVMs without modern TLS enabled, or hand-rolled HTTP clients. Every current AWS SDK, browser and language runtime negotiates TLS 1.2+ by default, so the safe move is to inventory connecting clients before flipping a production endpoint, then apply with confidence. For API Gateway domains, also note that edge-optimised and regional domains and the propagation window mean the change is not always instant.

What is the impact of a weak or unencrypted endpoint?

The direct impact is a downgrade and interception exposure. As long as an endpoint advertises an old policy, a client or an attacker positioned between client and server can negotiate the connection down to TLS 1.0 or a non-PFS cipher suite. The traffic is still encrypted, but with a protocol that has documented weaknesses and without forward secrecy, so a future key compromise could expose previously recorded sessions. For the backend-hop controls the exposure is starker: an unencrypted private integration carries credentials and personal data in clear text across the VPC, readable by any host, mirror or logging agent with visibility into that segment.

The compliance impact is usually the more immediate one. These controls map to PCI DSS and the NIST 800-53 data-in-transit family (SC-8, SC-13, SC-23) and authenticator-management controls. An open finding is a concrete audit exception that surfaces in a SOC 2 review, a customer security questionnaire or a contractual remediation clause with a fixed window. Unlike a cost finding it does not grow over time, but it blocks attestations until it is closed.

There is effectively no cost impact. Raising a TLS policy or encrypting a backend hop does not change the instance type, storage or request billing. The only operational cost is the small risk of breaking a legacy client that cannot do TLS 1.2, which is why the inventory-before-flip step matters; for any modern client fleet that risk is zero.

The second-order impact is what a recurring finding signals. If new domains and integrations keep launching on the old policy or without backend TLS, the problem is not the individual endpoint, it is that the provisioning templates default to an outdated or incomplete setting. That same defaults gap usually shows up across other resource types too, so a persistent finding here is a useful early warning that secure-by-default is not wired into how infrastructure gets created.

How do you enforce TLS on APIs and search safely?

Work the capability as one loop. The order matters: inventory every endpoint, confirm no legacy client will break, raise the policy and encrypt the backend hop, then bake the standard into provisioning so new endpoints launch compliant.

1. Inventory every domain, integration and stage

List all API Gateway custom domains and their securityPolicy, every OpenSearch and Elasticsearch domain and its TLSSecurityPolicy and EnforceHTTPS, every HTTP API V2 private integration and whether it has TlsConfig, and every REST API stage and whether a client certificate is attached. This is read-only and safe to run across production at any time. Anything not on the latest policy, or missing backend TLS, is a remediation candidate.

2. Confirm no legacy client depends on the weak setting

The only thing that breaks when you raise the floor to TLS 1.2 is a client that cannot negotiate it, in practice very old SDKs or runtimes. Check connecting clients through access logs or CloudTrail data events, or the owning team's knowledge of the integrations. Modern AWS SDKs, browsers and runtimes all do TLS 1.2 by default, so for most fleets this is a quick confirmation rather than a project.

3. Raise the policy and encrypt the backend hop

Set the search domain TLSSecurityPolicy to Policy-Min-TLS-1-2-PFS-2023-10 with EnforceHTTPS true in a single update-domain-config call, and pin the API Gateway custom domain to a recommended securityPolicy with update-domain-name. For the backend hop, add a TlsConfig to the V2 integration pointed at the backend's HTTPS listener, and associate a client certificate with the REST API stage. Verify afterwards that the live configuration shows the new values.

4. Make the latest standard the provisioning default

Set the TLS policy and backend-encryption properties in your CloudFormation, Terraform or CDK modules so every new endpoint launches compliant, and add AWS Config rules or Service Control Policies to catch drift. This is what turns a recurring finding into a one-time event: the cleanup loop only stays empty if new endpoints arrive already compliant.

# Raise the search-domain TLS policy and keep HTTPS enforced (no downtime, no re-index).
aws opensearch update-domain-config \
  --domain-name logs-prod \
  --domain-endpoint-options '{"EnforceHTTPS":true,"TLSSecurityPolicy":"Policy-Min-TLS-1-2-PFS-2023-10"}'

# Pin an API Gateway custom domain to a recommended TLS security policy.
aws apigateway update-domain-name \
  --domain-name api.example.com \
  --patch-operations op=replace,path=/securityPolicy,value=TLS_1_2

# Confirm the live policy once the domain settles.
aws opensearch describe-domain-config --domain-name logs-prod \
  --query 'DomainConfig.DomainEndpointOptions.Options.TLSSecurityPolicy' \
  --output text

Quick quiz

Question 1 of 5

Security Hub shows findings across API Gateway custom domains and an OpenSearch domain, all about TLS. What is the most efficient way to think about them?

Keep learning

Go deeper on TLS policy and backend encryption across the API and search surface.

You can now treat TLS on APIs and search as one capability rather than a scatter of findings: inventory every custom domain, search domain, private integration and REST stage, confirm no legacy client depends on the weak setting, raise the policy and encrypt the backend hop, then make the current standard the provisioning default so new endpoints launch compliant. The Controls this lesson covers section below links every control in this group to its deep page and fix.

Back to the library

TLS on APIs and search: the cost and risk view

A near-zero-cost capability that auditors and customer questionnaires probe directly

None of this carries a dollar cost. Raising a TLS policy or encrypting a backend hop is a configuration change with no ongoing AWS charge, so this whole capability is a compliance and risk item rather than a cost-optimisation one. It will never show up as a number on the bill; its weight is entirely on the risk side of the ledger.

The exposure is in the audit and sales layer. Weak transport encryption on a public API or search endpoint is exactly what fails a PCI DSS, SOC 2 or HIPAA review, what an enterprise customer's security questionnaire asks about by name, and what becomes a reportable incident if it is ever exploited through a downgrade. The cost of inaction is a failed audit, a stalled deal or breach-notification expense, not an AWS invoice line.

Treat this as cheap insurance. The fixes are low-effort and free, and they remove findings auditors actively look for. When this category appears on a compliance dashboard, the question is not what it costs but why a free, low-effort fix is still open, and whether new endpoints launch on the current standard by default so the same findings do not return each audit cycle.

This lesson is for the finance or governance partner who sees a TLS finding on an API or search endpoint and needs to know whether it is a budget item, a risk item or a tracking item. The short answer is the third one. It covers why these fixes cost nothing, which frameworks care, how they connect to audit readiness and enterprise sales, and the governance levers, remediation SLAs and secure-by-default provisioning, that keep them from recurring.

Fun fact

The handshake that quietly steps down, and the private path that lulls you to sleep

How a finance partner reads a free fix that is still open

Priya, the governance partner at a logistics company, sees the compliance dashboard flag a spread of TLS findings across API Gateway custom domains and an OpenSearch domain, with a PCI DSS assessment booked in five weeks. Her first move is not to ask what it costs, because she already knows the answer: raising a TLS policy or encrypting a backend hop is a configuration change with no ongoing AWS charge and will never appear as a number on the bill. The weight is entirely on the risk side of the ledger.

So the question she puts to the team is the one that actually matters here: why is a free, low-effort fix still open going into an audit, and what is the exposure if it stays that way? She has them confirm there is no genuinely ancient client that breaks when the floor rises to TLS 1.2, since every current AWS SDK, browser and runtime negotiates it by default, so for a modern fleet that is a quick check rather than a project. With that cleared, the findings are cheap insurance to retire before the assessor or the next enterprise security questionnaire probes them by name. The durable ask she records is governance, not budget: that new endpoints launch on the latest TLS standard by default, so the same free findings do not return every audit cycle and turn a one-off cleanup into a recurring chore.

Why this matters to compliance, not the budget

The cost impact is essentially zero. There is nothing to buy and no ongoing spend, just the engineering minutes to apply a setting. So this is not a line item to optimise; it is a compliance obligation to close. The relevant question for finance is timing and exposure, not dollars.

The exposure is in the audit and contract layer. These controls underpin PCI DSS and NIST requirements that customers and auditors check directly. An open medium-severity finding can sit inside a contractual remediation window, typically 30 days, and an overdue one can become a reportable exception or a blocker on a security attestation that sales needs to close a deal. The financial risk is indirect: delayed deals and audit findings, not infrastructure spend.

The durable lever is governance, not remediation budget. Funding a one-off cleanup closes today's finding; requiring that new endpoints launch on the latest TLS standard and with backend encryption by default stops it recurring. That is a provisioning-standard decision with no recurring cost, which makes it one of the cheapest risk reductions on the compliance pack.

What finance can actually do about this

Finance does not run update-domain-config, but it owns the framing that treats TLS as a tracked compliance obligation with a remediation window, not a budget item. Three levers at the risk-and-compliance review.

1. Treat it as a tracking item with an SLA, not a cost line

These fixes carry no AWS spend, so the relevant question for finance is timing and exposure, not dollars. Put each finding inside a contractual remediation window, typically 30 days, and track time-to-close rather than spend. An overdue medium-severity finding can become a reportable exception or a blocker on a security attestation that sales needs, so the metric that matters is whether the window is being met, not what the fix costs.

2. Tie the exposure to audit and sales, not to the bill

The cost of leaving these open is indirect: a failed PCI DSS, SOC 2 or HIPAA review, an enterprise customer's security questionnaire that asks about transport encryption by name, or a stalled deal waiting on a clean attestation. Frame the open finding as a deal and audit risk with a date attached, so it is prioritised against the calendar rather than left to drift because it never shows up as spend on the cloud invoice.

3. Fund the durable lever, which is governance not cleanup

A one-off cleanup closes today's finding; requiring that new endpoints launch on the latest TLS standard and with backend encryption by default stops it recurring. That is a provisioning-standard decision with no recurring cost, which makes it one of the cheapest risk reductions on the compliance pack. Finance should back the secure-by-default change rather than repeatedly funding the same manual cleanup each audit cycle.

Quick quiz

Question 1 of 5

What is the AWS spend impact of fixing the TLS findings in this group?

Keep learning

Go deeper on TLS policy and backend encryption across the API and search surface.

You have finished the finance view of enforcing TLS on APIs and search. You know this is a compliance and tracking item, not a cost one: the fixes carry no AWS spend, so the real exposure is a failed audit, an enterprise questionnaire that probes transport encryption by name, or a stalled deal. Next time these findings land, you will track time-to-close against a remediation window rather than spend, and back the secure-by-default provisioning change that stops the same free findings returning each audit cycle.

Back to the library

TLS on APIs and search: the headline

Whether the company's public API and search endpoints use the current encryption standard, end to end

The company's APIs and search clusters answer on public web addresses, and each one has a rule for how securely clients may connect. This capability is about whether those rules enforce the current standard or still accept outdated, weak encryption, and whether the connections behind the gateway are encrypted too. The traffic may look encrypted in everyday use while quietly accepting a weaker handshake from any client that asks for one.

This is a compliance and trust issue, not a cost one. It is the kind of gap that fails an audit, surfaces in an enterprise security review, and becomes a headline if exploited. The fix is free and fast.

The leadership question is not what it costs. It is why the latest standard was not the default, and how the company ensures every new endpoint launches compliant so this category stays empty. It is a governance and defaults signal more than a security emergency.

A short read for the leader who wants the one-line risk framing and the one question to ask. You will get what the findings mean in plain terms, why a free fix sitting open is itself the story, and what good looks like: every public endpoint on the current encryption standard, enforced automatically, with stale findings closed inside a defined window.

Fun fact

The handshake that quietly steps down, and the private path that lulls you to sleep

When every public endpoint uses the current standard, end to end

The leadership team did not learn this from an incident; they learned it from a customer security review that stalled a deal. The reviewer asked, by name, whether the company's public API and search endpoints enforced a current TLS policy and whether the connections behind the gateway were encrypted. The honest answer was that HTTPS was on everywhere but several domains still accepted a weaker handshake from any client that asked, and one private integration forwarded to its backend in clear text because a VPC Link had been mistaken for encryption.

The response was to stop treating each TLS finding as a separate small chore and to set one standard: every public endpoint on the current encryption standard, enforced automatically, with stale findings closed inside a defined window. Because the fix is free and fast, leadership had almost nothing to weigh on cost, the only real decision was why the latest standard was not the default at creation in the first place. The signal at the review is no longer the finding count but whether the secure standard is wired into how endpoints are provisioned, so the category stays empty without anyone chasing it. A control that reopens every quarter is read as a defaults gap that almost certainly exists elsewhere too.

Why this is on the report at all

The findings themselves are small and cheap to fix. They are on the report because they touch PCI and NIST data-in-transit requirements, which means they can affect audit results, customer security reviews and contractual commitments, the things that gate deals and attestations, not the things that drive cost.

The signal worth attention is whether they keep coming back. A one-time fix is housekeeping. A control that reopens every quarter means new systems are launching on outdated or incomplete defaults, and that same gap almost certainly exists in other areas that are harder to fix. The leadership move is to make the secure standard the default at creation so this category stays empty without anyone having to chase it.

The leadership move on this category

The handle for an executive is not to direct the configuration changes, but to set the standard at creation so the category stays empty and to read a recurring finding as the defaults signal it is.

1. Make the latest standard the default at creation

Set the TLS policy and backend-encryption properties in the CloudFormation, Terraform or CDK modules so every new endpoint launches compliant, and back it with AWS Config rules or Service Control Policies to catch drift. This is what turns a recurring finding into a one-time event; the cleanup loop only stays empty if new endpoints arrive already on the current standard rather than the old default.

2. Close stale findings inside a defined window

The fix is free and fast, so there is no reason for a TLS finding to sit open through an audit. Require that these findings are closed inside a defined remediation window rather than carried, because an open medium-severity transport-encryption finding is exactly the kind of concrete exception an auditor or an enterprise security reviewer writes up at the worst moment in a sales cycle.

3. Read a recurring finding as a defaults gap, not housekeeping

A one-time fix is housekeeping; a control that reopens every quarter means new systems are launching on outdated or incomplete defaults, and that same gap almost certainly exists in other areas that are harder to fix. The leadership move is to treat recurrence as the early warning it is and make the secure standard the default, rather than chasing the same free finding each cycle.

Quick quiz

Question 1 of 5

Why are these TLS findings on the compliance report at all, given the fix is small and cheap?

Keep learning

Go deeper on TLS policy and backend encryption across the API and search surface.

Two takeaways. This is a compliance and trust issue, not a budget one: the fix is free and fast, so an open finding is a missed default rather than a hard call. And the metric that matters is not a one-off zero count but whether the latest TLS standard is the default at creation, with stale findings closed inside a defined window, because a control that reopens every quarter is an early warning that secure-by-default is not wired into how infrastructure gets created.

Back to the library

Controls this lesson covers

One capability, many AWS Security Hub controls. This lesson is the shared playbook; each control below keeps its own deep page with the exact check, severity and a copy-and-paste fix.

APIGateway

ES

ES.8 Medium ES should use latest TLS policy

Opensearch

Opensearch.8 Medium OpenSearch should use latest TLS policy

Part of the learning path Encrypt everything

Enforce TLS on APIs and search domains

TLS on APIs and search: the basics

The handshake that quietly steps down, and the private path that lulls you to sleep

Finding weak and unencrypted endpoints across an estate

How the API and search TLS controls workdeep dive

What is the impact of a weak or unencrypted endpoint?

How do you enforce TLS on APIs and search safely?

1. Inventory every domain, integration and stage

2. Confirm no legacy client depends on the weak setting

3. Raise the policy and encrypt the backend hop

4. Make the latest standard the provisioning default

Quick quiz

Keep learning

TLS on APIs and search: the cost and risk view

The handshake that quietly steps down, and the private path that lulls you to sleep

How a finance partner reads a free fix that is still open

Why this matters to compliance, not the budget

What finance can actually do about this

1. Treat it as a tracking item with an SLA, not a cost line

2. Tie the exposure to audit and sales, not to the bill

3. Fund the durable lever, which is governance not cleanup

Quick quiz

Keep learning

TLS on APIs and search: the headline

The handshake that quietly steps down, and the private path that lulls you to sleep

When every public endpoint uses the current standard, end to end

Why this is on the report at all

The leadership move on this category

1. Make the latest standard the default at creation

2. Close stale findings inside a defined window

3. Read a recurring finding as a defaults gap, not housekeeping

Quick quiz

Keep learning

Controls this lesson covers

APIGateway

ES

Opensearch

Related compliance lessons