Skip to content

feat(rest-api): SecurityPolicy & EndpointAccessMode support #144

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
afa4 wants to merge 4 commits into
base: main
Choose a base branch
from
Open

feat(rest-api): SecurityPolicy & EndpointAccessMode support #144

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
3de444a
feat(api-gateway): SecurityPolicy support
afa4 Feb 25, 2026
e78c1bc
style(api-gateway): SecurityPolicy support
afa4 Feb 25, 2026
e7ee966
feat(api-gateway): EndpointAccessMode support
afa4 Apr 7, 2026
9bf439b
fix: definitions
afa4 Apr 7, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 37 additions & 0 deletions docs/events/apigateway.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -739,6 +739,43 @@ provider:
- vpce-456
```

### Security Policy

You can configure the TLS version for your API Gateway REST API by setting the `securityPolicy` property under `apiGateway` in the `provider` block. This maps directly to the [SecurityPolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-apigateway-restapi.html#cfn-apigateway-restapi-securitypolicy) property of the `AWS::ApiGateway::RestApi` CloudFormation resource.
Specific explanation about Security Policy types and structure can be found [here](https://aws.amazon.com/blogs/compute/enhancing-api-security-with-amazon-api-gateway-tls-security-policies/)

```yml
service: my-service
provider:
name: aws
apiGateway:
securityPolicy: TLS_1_2
functions:
hello:
events:
- http:
path: user/create
method: get
```

### Endpoint Access Mode

You can control how clients access your API Gateway endpoint by setting the `endpointAccessMode` property under `apiGateway` in the `provider` block. Valid values are `STRICT` and `BASIC`. This maps directly to the [EndpointAccessMode](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-apigateway-restapi.html#cfn-apigateway-restapi-endpointaccessmode) property of the `AWS::ApiGateway::RestApi` CloudFormation resource. According to AWS documentation, if a security policy is configured with a legacy template (that doesn't have the `SecurityPolicy_` prefix) access Mode should be empty)

```yml
service: my-service
provider:
name: aws
apiGateway:
endpointAccessMode: STRICT
functions:
hello:
events:
- http:
path: user/create
method: get
```

### Request Parameters

To pass optional and required parameters to your functions, so you can use them in API Gateway tests and SDK generation, marking them as `true` will make them required, `false` will make them optional.
Expand Down
5 changes: 1 addition & 4 deletions lib/plugins/aws/custom-resources/resources/api-gateway-cloud-watch-role/handler.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,10 +58,7 @@ async function create(event, context) {
return (await iam.send(new ListAttachedRolePoliciesCommand({ RoleName: roleName })))
.AttachedPolicies;
} catch (error) {
if (
error.code === 'NoSuchEntity' ||
error.message.includes('cannot be found')
) {
if (error.code === 'NoSuchEntity' || error.message.includes('cannot be found')) {
// Role doesn't exist yet, create;
await iam.send(
new CreateRoleCommand({
Expand Down
12 changes: 12 additions & 0 deletions lib/plugins/aws/package/compile/events/api-gateway/lib/rest-api.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,10 +17,20 @@ module.exports = {
let endpointType = 'EDGE';
let vpcEndpointIds;
let BinaryMediaTypes;
let SecurityPolicy;
let EndpointAccessMode;
if (apiGateway.binaryMediaTypes) {
BinaryMediaTypes = apiGateway.binaryMediaTypes;
}

if (apiGateway.securityPolicy) {
SecurityPolicy = apiGateway.securityPolicy;
}

if (apiGateway.endpointAccessMode) {
EndpointAccessMode = apiGateway.endpointAccessMode.toUpperCase();
}

if (this.serverless.service.provider.endpointType) {
endpointType = this.serverless.service.provider.endpointType.toUpperCase();

Expand Down Expand Up @@ -52,6 +62,8 @@ module.exports = {
BinaryMediaTypes,
DisableExecuteApiEndpoint,
EndpointConfiguration,
SecurityPolicy,
EndpointAccessMode,
};

// Tags
Expand Down
6 changes: 6 additions & 0 deletions lib/plugins/aws/provider.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -848,6 +848,12 @@ class AwsProvider {
type: 'array',
items: { type: 'string', pattern: '^\\S+\\/\\S+$' },
},
securityPolicy: {
type: 'string',
},
endpointAccessMode: {
anyOf: ['strict', 'basic', ''].map(caseInsensitive),
},
description: { type: 'string' },
disableDefaultEndpoint: { type: 'boolean' },
metrics: { type: 'boolean' },
Expand Down
58 changes: 58 additions & 0 deletions test/unit/lib/plugins/aws/package/compile/events/api-gateway/lib/rest-api.test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,56 @@ describe('#compileRestApi()', () => {
EndpointConfiguration: {
Types: ['EDGE'],
},
SecurityPolicy: undefined,
EndpointAccessMode: undefined,
Policy: '',
},
});
});

it('should create a REST API resource with security policy', () => {
awsCompileApigEvents.serverless.service.provider.apiGateway = {
securityPolicy: 'SecurityPolicy_TLS13_1_3_2025_09',
};
awsCompileApigEvents.compileRestApi();
const resources =
awsCompileApigEvents.serverless.service.provider.compiledCloudFormationTemplate.Resources;

expect(resources.ApiGatewayRestApi).to.deep.equal({
Type: 'AWS::ApiGateway::RestApi',
Properties: {
BinaryMediaTypes: undefined,
DisableExecuteApiEndpoint: undefined,
Name: 'dev-new-service',
EndpointConfiguration: {
Types: ['EDGE'],
},
SecurityPolicy: 'SecurityPolicy_TLS13_1_3_2025_09',
EndpointAccessMode: undefined,
Policy: '',
},
});
});

it('should create a REST API resource with endpoint access mode', () => {
awsCompileApigEvents.serverless.service.provider.apiGateway = {
endpointAccessMode: 'STRICT',
};
awsCompileApigEvents.compileRestApi();
const resources =
awsCompileApigEvents.serverless.service.provider.compiledCloudFormationTemplate.Resources;

expect(resources.ApiGatewayRestApi).to.deep.equal({
Type: 'AWS::ApiGateway::RestApi',
Properties: {
BinaryMediaTypes: undefined,
DisableExecuteApiEndpoint: undefined,
Name: 'dev-new-service',
EndpointConfiguration: {
Types: ['EDGE'],
},
SecurityPolicy: undefined,
EndpointAccessMode: 'STRICT',
Policy: '',
},
});
Expand All @@ -75,6 +125,8 @@ describe('#compileRestApi()', () => {
EndpointConfiguration: {
Types: ['EDGE'],
},
SecurityPolicy: undefined,
EndpointAccessMode: undefined,
Policy: '',
Tags: [
{ Key: 'tagKey1', Value: 'tagValue1' },
Expand Down Expand Up @@ -113,6 +165,8 @@ describe('#compileRestApi()', () => {
EndpointConfiguration: {
Types: ['EDGE'],
},
SecurityPolicy: undefined,
EndpointAccessMode: undefined,
Policy: {
Version: '2012-10-17',
Statement: [
Expand Down Expand Up @@ -148,6 +202,8 @@ describe('#compileRestApi()', () => {
Types: ['EDGE'],
},
Policy: '',
SecurityPolicy: undefined,
EndpointAccessMode: undefined,
},
});
});
Expand Down Expand Up @@ -181,6 +237,8 @@ describe('#compileRestApi()', () => {
},
Name: 'dev-new-service',
Policy: '',
SecurityPolicy: undefined,
EndpointAccessMode: undefined,
},
});
});
Expand Down
Loading