Specify Security Policy option for API Gateway

[akowalsk]

Recently, AWS added support for configuring TLS policies for API Gateway: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-security-policies.html?icmpid=apigateway_console_help

I would like to configure this using osls. The Cloudformation spec for this is here:

https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-apigateway-restapi.html

If I attempt to add configure this by doing this:

provider:
  name: aws
  endpointType: regional
  securityPolicy: SecurityPolicy_TLS13_1_3_2025_09

I get an error

Warning: Invalid configuration encountered
  at 'provider': unrecognized property 'securityPolicy'

Can this be added as an allowed property?

[jbsilva]

I'd really like to see this implemented too.

For reference, the following are posts AWS made in their blog and newsletter:

• https://aws.amazon.com/blogs/compute/enhancing-api-security-with-amazon-api-gateway-tls-security-policies/
• https://aws.amazon.com/about-aws/whats-new/2025/11/amazon-api-gateway-tls-security-rest-apis/

And this is how it's configured in Serverless v4: https://www.serverless.com/framework/docs/providers/aws/events/apigateway#security-policy

provider:
  name: aws
  apiGateway:
    endpoint:
      securityPolicy: SecurityPolicy_TLS13_2025_EDGE  # Recommended: Use TLS 1.2 or higher
      accessMode: basic       # Optional: Set endpoint access mode (basic or strict)
      disable: false          # Optional: Disable the default execute-api endpoint