Using outdated TLS policies can allow an attacker to decrypt traffic or impersonate a server

• GG_ID: GG_IAC_0030
• Severity: HIGH
• Complexity: LOW
• Categories: NETWORK
• Providers: AWS
• Potential data exposure: True
• Visible in logs: False
• User interaction required: True
• Privileges required: False

Description

Outdated TLS policies (version 1.0 and 1.1) rely on insecure cipher suites (SHA-1 and MD5), and are subject to a range of well known attack. Note that TLS 1.0 and 1.1 have been deprecated on March 25, 2021.

Allowing such policies can allow attacker to break the encryption, decrypt the traffic, and perform man-in-the-middle attacks.

Impact

• Data or credential leakage.
• Man-in-the-middle attacks.

Remediation guidelines

Choose TLS 1.2 as the security policy for the API Gateway domain name configuration.

External documentation

• Choosing a minimum TLS version for a custom domain in API Gateway
• AWS API Gateway terraform configuration
• Deprecating TLS 1.0 and TLS 1.1 (IETF RFC 8996)
• Why It’s Dangerous to Use Outdated TLS Security Protocols (blog post)