Supported TLS protocols and ciphers for WebSocket APIs OpenSSL and RFC cipher names Information about REST APIs and HTTP APIs

Security policy for WebSocket APIs in API Gateway

API Gateway enforces a security policy of TLS_1_2 for all WebSocket API endpoints.

A security policy is a predefined combination of minimum TLS version and cipher suites offered by Amazon API Gateway. The TLS protocol addresses network security problems such as tampering and eavesdropping between a client and server. When your clients establish a TLS handshake to your API through the custom domain, the security policy enforces the TLS version and cipher suite options your clients can choose to use. This security policy accepts TLS 1.2 and TLS 1.3 traffic and rejects TLS 1.0 traffic.

Supported TLS protocols and ciphers for WebSocket APIs

The following table describes the supported TLS protocols and ciphers for WebSocket APIs.

Security policy	TLS_1_2
TLS protocols
TLSv1.3	♦
TLSv1.2	♦
TLS ciphers
TLS_AES_128_GCM_SHA256	♦
TLS_AES_256_GCM_SHA384	♦
TLS_CHACHA20_POLY1305_SHA256	♦
ECDHE-ECDSA-AES128-GCM-SHA256	♦
ECDHE-RSA-AES128-GCM-SHA256	♦
ECDHE-ECDSA-AES128-SHA256	♦
ECDHE-RSA-AES128-SHA256	♦
ECDHE-ECDSA-AES256-GCM-SHA384	♦
ECDHE-RSA-AES256-GCM-SHA384	♦
ECDHE-ECDSA-AES256-SHA384	♦
ECDHE-RSA-AES256-SHA384	♦
AES128-GCM-SHA256	♦
AES128-SHA256	♦
AES256-GCM-SHA384	♦
AES256-SHA256	♦

OpenSSL and RFC cipher names

OpenSSL and IETF RFC 5246, use different names for the same ciphers. For a list of the cipher names, see OpenSSL and RFC cipher names.

Information about REST APIs and HTTP APIs

For more information about REST APIs and HTTP APIs, see Choose a security policy for your REST API custom domain in API Gateway and Security policy for HTTP APIs in API Gateway.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Deploy a WebSocket API

Custom domain names