如何使用 AWS CloudFormation 在 AWS API Gateway 上应用安全策略?
[英]How to apply Security Policy on AWS API Gateway using AWS CloudFormation?
问题描述
I have a simple cloudformation template which is creating a Custom Domain for an API Gateway,
我有一个简单的 cloudformation 模板,它正在为 API 网关创建自定义域,
The template is able to create the Custom domain.该模板能够创建自定义域。
But I cannot find the cloudformation property to set the Custom Domain Security Policy to TLS 1.2 ,但是我找不到将Custom Domain Security Policy为TLS 1.2的 cloudformation 属性,
The template creates a custom domain with the default TLS 1.0 Security Policy该模板使用默认的TLS 1.0 Security Policy创建自定义域
Template -模板 -
AWSTemplateFormatVersion: 2010-09-09
Transform: 'AWS::Serverless-2016-10-31'
Description: Test Custom Domain
Resources:
test:
Type: AWS::ApiGateway::DomainName
Properties:
CertificateArn: !Sub 'arn:aws:acm:${AWS::Region}:${AWS::AccountId}:certificate/xxxx-xxx-xxx-xxxx-xxxx'
DomainName: 'test-api.example.com'
EndpointConfiguration:
Types:
- 'EDGE'
Reference -参考 -
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html
2 个解决方案
解决方案1
3 已采纳 2019-09-04 06:25:05
This parameter is unfortunately not yet exposed though CloudFormation.遗憾的是,此参数尚未通过 CloudFormation 公开。
There is a ticket here tracking its progression - https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap/issues/3这里有一张跟踪其进展的票 - https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap/issues/3
For now, your best bet would be to create a custom CloudFormation resource.目前,最好的办法是创建自定义 CloudFormation 资源。
This parameter is exposed via the API and can be used by (at least some of) their SDKs - https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/apigateway.html#APIGateway.Client.create_domain_name此参数通过 API 公开,并且可以由(至少部分)他们的 SDK 使用 - https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/apigateway.html#APIGateway.Client .create_domain_name
Here are the docs which talk about how how to create customer resources - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-custom-resources.html以下是讨论如何创建客户资源的文档 - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-custom-resources.html
解决方案2
2 2020-02-13 23:17:05
Support for specifying the Security Policy on an API Gateway domain was added in July 2020. Documentation for how to add this parameter to a CloudFormation Template is provided on AWS Docs . 2020 年 7 月添加了对在 API 网关域上指定安全策略的支持。 AWS Docs上提供了有关如何将此参数添加到 CloudFormation 模板的文档。 Valid values for Security Policy are TLS_1_0 or TLS_1_2 .安全策略的有效值为TLS_1_0或TLS_1_2 。 Example below:下面的例子:
ApiCustomDomainName:
Type: 'AWS::ApiGateway::DomainName'
Condition: ApiGatewayEnabled
Properties:
DomainName: "example.com"
RegionalCertificateArn: !Ref CertificateArn
securityPolicy: "TLS_1_2"
EndpointConfiguration:
Types:
- REGIONAL
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.