API Gateway SSL question erratum
Q: A data security company is experimenting on various security features that they can implement on their Elastic Load Balancers such as Server Order Preference, Predefined Security Policy, Perfect Forward Secrecy, and many others. The company is planning to use the Perfect Forward Secrecy feature to provide additional safeguards to their architecture against the eavesdropping of encrypted data through the use of a unique random session key. This feature also prevents the decoding of captured data, even if the secret long-term key is compromised.
Which AWS services can offer SSL/TLS cipher suites for Perfect Forward Secrecy?
A (indicated as incorrect): Amazon API Gateway and AWS Lambda
Amazon API Gateway and AWS Lambda are incorrect since these services do not use Perfect Forward Secrecy. SSL/TLS is commonly used when you have sensitive data traveling through the public network.
————-
API Gateway (including Lambda integrations) does support SSL, including perfect forward secrecy, so this answer is also correct.
“The APIs created with Amazon API Gateway expose HTTPS endpoints only. API Gateway doesn’t support unencrypted (HTTP) endpoints. For greater security, you can choose a minimum Transport Layer Security (TLS) protocol version to be enforced for your API Gateway custom domain. You can choose either a TLS version 1.2 or TLS version 1.0 security policy.”
Source: https://docs.aws.amazon.com/apigateway/latest/developerguide/data-protection-encryption.html
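One way to check the point above on a real endpoint, as an added example that is not part of this post or of any AWS code: classify cipher-suite names by whether their key exchange is ephemeral (the property Perfect Forward Secrecy rests on), with an optional live probe of an HTTPS endpoint such as an ELB or an API Gateway custom domain. The sample cipher names and the function names are assumptions.

```python
import socket
import ssl

# Constructed sample of cipher names as Python's ssl module reports them
# (OpenSSL names for TLS 1.2 and below, IANA names for TLS 1.3); not taken
# from any real endpoint.
SAMPLE_CIPHERS = [
    "ECDHE-RSA-AES128-GCM-SHA256",    # ephemeral ECDH key exchange -> PFS
    "ECDHE-ECDSA-CHACHA20-POLY1305",  # ephemeral ECDH key exchange -> PFS
    "DHE-RSA-AES256-GCM-SHA384",      # ephemeral finite-field DH -> PFS
    "TLS_AES_256_GCM_SHA384",         # TLS 1.3: every suite is PFS
    "AES128-GCM-SHA256",              # static RSA key exchange -> no PFS
    "ECDH-RSA-AES128-SHA",            # static ECDH (no trailing E) -> no PFS
]


def has_forward_secrecy(name: str) -> bool:
    """True if the suite's key exchange is ephemeral.

    With ECDHE/DHE a fresh key pair is used per session, so a later
    compromise of the server's long-term key does not decrypt recorded
    traffic. Static RSA or static ECDH key exchange lacks that property.
    TLS 1.3 removed static key exchange entirely, so all its suites qualify.
    """
    if name.startswith("TLS_"):
        # IANA-style name. TLS 1.3 suites have no "_WITH_" segment.
        if "_WITH_" not in name:
            return True
        return name.startswith(("TLS_ECDHE_", "TLS_DHE_"))
    # OpenSSL-style name: the key-exchange method is the leading token.
    return name.startswith(("ECDHE-", "DHE-", "EDH-"))


def classify(ciphers):
    """Map each cipher name to its forward-secrecy verdict."""
    return {c: has_forward_secrecy(c) for c in ciphers}


def probe_negotiated_cipher(host: str, port: int = 443, timeout: float = 5.0):
    """Connect to a live HTTPS endpoint and return (protocol, cipher, pfs).

    Needs network access; the offline sample above does not call it.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, proto, _bits = tls.cipher()
            return proto, name, has_forward_secrecy(name)


if __name__ == "__main__":
    for name, pfs in classify(SAMPLE_CIPHERS).items():
        print(f"{name:32} forward secrecy: {'yes' if pfs else 'no'}")
```

Running the probe against a custom domain with a TLS 1.2 security policy should report an ECDHE suite, which is what the exam question's Perfect Forward Secrecy option is about.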