Overview and prerequisites Configuration Steps Verification Security Considerations

Enhanced TLS Security

This section provides guidance on configuring custom domains to enhance TLS security for the API Gateway endpoint.

Overview and prerequisites

By default, the API Gateway URL uses AWS-managed TLS configuration that allows TLS 1.0 and above. For enhanced security, you can configure a custom domain with stronger TLS requirements.

Before you begin:

Ensure you own or control a domain name
Obtain an SSL/TLS certificate for your domain (from AWS Certificate Manager or imported)
Verify you have permissions to update DNS records for your domain
Plan for a maintenance window, as this change may briefly impact API accessibility

Configuration Steps

Follow the AWS documentation to Choose a security policy for your REST API custom domain in API Gateway.

After setting up the custom domain, complete the MCS-specific configuration:

Navigate to the S3 bucket containing your MCS frontend configuration
Locate the runtime configuration file
Update the API endpoint URL to use your custom domain
Invalidate the CloudFront cache to ensure the new configuration is used

Verification

After completing the configuration:

Test the custom domain endpoint to ensure it’s accessible
Verify TLS version using a tool like SSL Labs or openssl:
```
openssl s_client -connect your-custom-domain:443
```

Security Considerations

While the original API Gateway URL remains accessible, ensure your application only uses the custom domain endpoint
Regular certificate rotation and renewal should be part of your maintenance procedures
Monitor certificate expiration dates in AWS Certificate Manager

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Password rotation

Monitoring the solution