Have a look at this answer (the one highlighted in blue, with upvotes) https://repost.aws/questions/QUyfwlTpWySFKSl3HDZMc4Fg/end-of-support-of-tls1-0-1-1-for-api-gateway-endpoints-with-aws-domains#ANDJ43fZ59Sim--kj6LMiLAA
The deprecation of TLS 1.0 and 1.1 is only for AWS endpoints .... AWS is not deprecating the use of TLS 1.0 and 1.1 on customer-created endpoints - that is: your endpoints that you have created in API Gateway .... in this case your API endpoints in API Gateway will continue to operate past June 2023.
I agree that the blog post that you linked to is very easy to misunderstand on this point.
Hi, I would say it depends. Not all the AWS endpoints were not affected by https://docs.aws.amazon.com/cognito/latest/developerguide/infrastructure-security.html, https://aws.amazon.com/jp/blogs/security/tls-1-2-required-for-aws-endpoints/ since July 2023. For example Cognito:
But it worked for AWS Secrets Manager; it was updated and uses 1.2 and 1.3 only.
FIPS endpoints can be used to be sure that TLS 1.2 is in use:
At any rate, it can be worked around by CloudFront (https://aws.amazon.com/blogs/security/protect-public-clients-for-amazon-cognito-by-using-an-amazon-cloudfront-proxy/), as CloudFront has an option to enforce security (https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html) and uses TLS v1.2.
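Since the answers above say customer-created API Gateway endpoints keep accepting TLS 1.0 and 1.1, and that CloudFront can enforce a higher floor, here is an added example (not part of either answer, and not AWS code) that audits both kinds of endpoint for a minimum TLS version below 1.2. It assumes the response shapes of boto3's `apigateway.get_domain_names()` and `cloudfront.list_distributions()`; the sample records, domain names and distribution IDs are constructed.

```python
# Added example: flag customer-created endpoints that still accept TLS < 1.2.
# Input dicts follow the boto3 response shapes of
# apigateway.get_domain_names() and cloudfront.list_distributions().

# CloudFront viewer security policies whose floor is below TLS 1.2.
WEAK_CLOUDFRONT = {"SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016"}

def audit_api_gateway(domains):
    """Return custom domain names whose securityPolicy allows TLS 1.0."""
    weak = []
    for d in domains.get("items", []):
        # A missing policy is reported for review (conservative assumption).
        if d.get("securityPolicy") in (None, "TLS_1_0"):
            weak.append(d["domainName"])
    return weak

def audit_cloudfront(listing):
    """Return (distribution id, policy) pairs with a floor below TLS 1.2."""
    findings = []
    for dist in listing.get("DistributionList", {}).get("Items", []):
        cert = dist.get("ViewerCertificate", {})
        policy = cert.get("MinimumProtocolVersion", "TLSv1")
        # With the default *.cloudfront.net certificate the policy is TLSv1.
        if cert.get("CloudFrontDefaultCertificate") or policy in WEAK_CLOUDFRONT:
            findings.append((dist["Id"], policy))
    return findings

# Constructed sample data, not output from a real account.
SAMPLE_APIGW = {"items": [
    {"domainName": "legacy.api.example.com", "securityPolicy": "TLS_1_0"},
    {"domainName": "api.example.com", "securityPolicy": "TLS_1_2"},
]}
SAMPLE_CF = {"DistributionList": {"Items": [
    {"Id": "EXAMPLE1",
     "ViewerCertificate": {"MinimumProtocolVersion": "TLSv1.2_2021"}},
    {"Id": "EXAMPLE2",
     "ViewerCertificate": {"MinimumProtocolVersion": "TLSv1.1_2016"}},
    {"Id": "EXAMPLE3",
     "ViewerCertificate": {"CloudFrontDefaultCertificate": True,
                           "MinimumProtocolVersion": "TLSv1"}},
]}}

if __name__ == "__main__":
    print("API Gateway domains allowing TLS 1.0:", audit_api_gateway(SAMPLE_APIGW))
    print("CloudFront distributions below TLS 1.2:", audit_cloudfront(SAMPLE_CF))
```

To run it against a real account, pass the dicts returned by the two boto3 calls in place of the constructed samples; `list_distributions()` is paginated, so audit each page.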