

# Supported security policies
<a name="apigateway-security-policies-list"></a>

The following tables describe the [security policies](apigateway-security-policies.md) that you can specify for each REST API endpoint type and custom domain name type. These policies let you control incoming connections. API Gateway supports only TLS 1.2 for outbound traffic. You can update the security policy of an API or custom domain name at any time.

Policies whose name contains `FIPS` comply with the Federal Information Processing Standard (FIPS), a US and Canadian government standard that specifies the security requirements for cryptographic modules that protect sensitive information. To learn more, see [Federal Information Processing Standard (FIPS) 140](https://aws.amazon.com/compliance/fips/) on the *AWS Cloud Security Compliance* page.

All FIPS policies use the AWS-LC FIPS validated cryptographic module. To learn more, see the [AWS-LC Cryptographic Module](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4631) page on the *NIST Cryptographic Module Validation Program* website.

Policies whose name contains `PQ` use [post-quantum cryptography (PQC)](https://aws.amazon.com/security/post-quantum-cryptography/) to implement hybrid key-exchange algorithms for TLS, protecting the confidentiality of traffic against future threats posed by quantum computing.

Policies whose name contains `PFS` use [perfect forward secrecy (PFS)](https://en.wikipedia.org/wiki/Forward_secrecy) so that session keys are not exposed.

Policies whose name contains both `FIPS` and `PQ` support both features.

## Default security policies
<a name="apigateway-security-policies-default"></a>

When you create a new REST API or custom domain name, the resource is assigned a default security policy. The following table shows the default security policy for each of these resources.


| **Resource** | **Default security policy name** | 
| --- | --- | 
| Regional API | TLS_1_0 | 
| Edge-optimized API | TLS_1_0 | 
| Private API | TLS_1_2 | 
| Regional domain name | TLS_1_2 | 
| Edge-optimized domain name | TLS_1_2 | 
| Private domain name | TLS_1_2 | 

## Security policies supported for regional and private APIs and custom domain names
<a name="apigateway-security-policies-non-edge"></a>

The following table describes the security policies that you can specify for regional and private APIs and custom domain names:


| **Security policy** | **Supported TLS versions** | **Supported ciphers** | 
| --- | --- | --- | 
| SecurityPolicy_TLS13_1_3_2025_09 | TLS 1.3 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_cn/apigateway/latest/developerguide/apigateway-security-policies-list.html) | 
| SecurityPolicy_TLS13_1_3_FIPS_2025_09 | TLS 1.3 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_cn/apigateway/latest/developerguide/apigateway-security-policies-list.html) | 
| SecurityPolicy_TLS13_1_2_PFS_PQ_2025_09 | TLS 1.3, TLS 1.2 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_cn/apigateway/latest/developerguide/apigateway-security-policies-list.html) | 
| SecurityPolicy_TLS13_1_2_PQ_2025_09 | TLS 1.3, TLS 1.2 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_cn/apigateway/latest/developerguide/apigateway-security-policies-list.html) | 
| TLS_1_2 | TLS 1.3, TLS 1.2 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_cn/apigateway/latest/developerguide/apigateway-security-policies-list.html) | 
| TLS_1_0 | TLS 1.3, TLS 1.2, TLS 1.1, TLS 1.0 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_cn/apigateway/latest/developerguide/apigateway-security-policies-list.html) | 

## Security policies supported for edge-optimized APIs and custom domain names
<a name="apigateway-security-policies-edge-optimized"></a>

The following table describes the security policies that you can specify for edge-optimized APIs and edge-optimized custom domain names:


| **Security policy name** | **Supported TLS versions** | **Supported ciphers** | 
| --- | --- | --- | 
| SecurityPolicy_TLS13_2025_EDGE | TLS 1.3 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_cn/apigateway/latest/developerguide/apigateway-security-policies-list.html) | 
| SecurityPolicy_TLS12_PFS_2025_EDGE | TLS 1.3, TLS 1.2 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_cn/apigateway/latest/developerguide/apigateway-security-policies-list.html) | 
| SecurityPolicy_TLS12_2018_EDGE | TLS 1.3, TLS 1.2 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_cn/apigateway/latest/developerguide/apigateway-security-policies-list.html) | 
| TLS_1_0 | TLS 1.3, TLS 1.2, TLS 1.1, TLS 1.0 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_cn/apigateway/latest/developerguide/apigateway-security-policies-list.html) | 
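The default and per-endpoint-type tables above combine into a simple configuration check: given a resource type and the policy set on it (or none, meaning the default applies), report which legacy protocol versions the policy still negotiates and which policies of the same table would drop them. This is an added example written for this page, not AWS code; the resource keys (`regional_api`, `edge_domain`, ...) are assumed labels and the version sets are transcribed from the tables.

```python
from typing import Dict, Optional, Set

# Supported TLS versions per policy, transcribed from the two tables above.
REGIONAL_PRIVATE: Dict[str, Set[str]] = {
    "SecurityPolicy_TLS13_1_3_2025_09": {"TLSv1.3"},
    "SecurityPolicy_TLS13_1_3_FIPS_2025_09": {"TLSv1.3"},
    "SecurityPolicy_TLS13_1_2_PFS_PQ_2025_09": {"TLSv1.3", "TLSv1.2"},
    "SecurityPolicy_TLS13_1_2_PQ_2025_09": {"TLSv1.3", "TLSv1.2"},
    "TLS_1_2": {"TLSv1.3", "TLSv1.2"},
    "TLS_1_0": {"TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1.0"},
}
EDGE: Dict[str, Set[str]] = {
    "SecurityPolicy_TLS13_2025_EDGE": {"TLSv1.3"},
    "SecurityPolicy_TLS12_PFS_2025_EDGE": {"TLSv1.3", "TLSv1.2"},
    "SecurityPolicy_TLS12_2018_EDGE": {"TLSv1.3", "TLSv1.2"},
    "TLS_1_0": {"TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1.0"},
}
# Default policy assigned at creation, from the "Default security policies" table.
# The resource keys are assumed labels used only by this example.
DEFAULTS = {
    "regional_api": "TLS_1_0", "edge_api": "TLS_1_0", "private_api": "TLS_1_2",
    "regional_domain": "TLS_1_2", "edge_domain": "TLS_1_2", "private_domain": "TLS_1_2",
}
LEGACY = {"TLSv1.0", "TLSv1.1"}  # versions a minimum-TLS-1.2 baseline should refuse


def policies_for(resource: str) -> Dict[str, Set[str]]:
    """Edge-optimized resources have their own policy table."""
    return EDGE if resource.startswith("edge") else REGIONAL_PRIVATE


def audit(resource: str, policy: Optional[str] = None) -> dict:
    """Report the effective policy of a resource (the default if none is set), the
    legacy versions it still accepts, the FIPS/PQ/PFS features encoded in its name,
    and the policies of the same table that never negotiate a legacy version.
    Raises ValueError if the policy does not exist for that resource type."""
    table = policies_for(resource)
    effective = policy or DEFAULTS[resource]
    if effective not in table:
        raise ValueError(f"{effective} cannot be applied to a {resource}")
    versions = table[effective]
    tokens = set(effective.split("_"))
    legacy = sorted(versions & LEGACY)
    return {
        "policy": effective,
        "defaulted": policy is None,
        "legacy_versions": legacy,
        "fips": "FIPS" in tokens, "pq": "PQ" in tokens, "pfs": "PFS" in tokens,
        # only offered when the current policy still accepts TLS 1.0 or 1.1
        "alternatives": [p for p, v in table.items() if not v & LEGACY] if legacy else [],
    }
```

Note that a regional or edge-optimized API left on its default policy reports TLS 1.0 and TLS 1.1 as still accepted, whereas a private API or any custom domain name does not.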

## OpenSSL and RFC cipher names
<a name="apigateway-secure-connections-openssl-rfc-cipher-names"></a>

OpenSSL and IETF RFC 5246 use different names for the same ciphers. The following table lists the OpenSSL name and the corresponding RFC name for each cipher. For more information, see [ciphers](https://docs.openssl.org/1.1.1/man1/ciphers/) in the OpenSSL documentation.


| **OpenSSL cipher name** | **RFC cipher name** | 
| --- | --- | 
| TLS_AES_128_GCM_SHA256 | TLS_AES_128_GCM_SHA256 | 
| TLS_AES_256_GCM_SHA384 | TLS_AES_256_GCM_SHA384 | 
| TLS_CHACHA20_POLY1305_SHA256 | TLS_CHACHA20_POLY1305_SHA256 | 
| ECDHE-RSA-AES128-GCM-SHA256 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 
| ECDHE-RSA-AES128-SHA256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | 
| ECDHE-RSA-AES128-SHA | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 
| ECDHE-RSA-AES256-GCM-SHA384 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 
| ECDHE-RSA-AES256-SHA384 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | 
| ECDHE-RSA-AES256-SHA | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | 
| AES128-GCM-SHA256 | TLS_RSA_WITH_AES_128_GCM_SHA256 | 
| AES256-GCM-SHA384 | TLS_RSA_WITH_AES_256_GCM_SHA384 | 
| AES128-SHA256 | TLS_RSA_WITH_AES_128_CBC_SHA256 | 
| AES256-SHA | TLS_RSA_WITH_AES_256_CBC_SHA | 
| AES128-SHA | TLS_RSA_WITH_AES_128_CBC_SHA | 
| DES-CBC3-SHA | TLS_RSA_WITH_3DES_EDE_CBC_SHA | 
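The naming conventions visible in the table (OpenSSL omits the `RSA` key exchange and the `CBC` mode, folds the key size into the algorithm token, and spells triple DES as `DES-CBC3`) are regular enough to derive the RFC name mechanically, which is handy when matching an OpenSSL `s_client` or log output against a policy's cipher list. This is an added example written for this page, not OpenSSL or AWS code; `openssl_to_rfc`, `forward_secret` and `mismatches` are names chosen here, and `PAGE_TABLE` is the table above transcribed as test data.

```python
import re

# OpenSSL name -> RFC name, transcribed from the table above (used as test data).
PAGE_TABLE = {
    "TLS_AES_128_GCM_SHA256": "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384": "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256": "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES128-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "ECDHE-RSA-AES128-SHA": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES256-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "ECDHE-RSA-AES256-SHA": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "AES128-GCM-SHA256": "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "AES256-GCM-SHA384": "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "AES128-SHA256": "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "AES256-SHA": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "AES128-SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "DES-CBC3-SHA": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}


def openssl_to_rfc(name: str) -> str:
    """Derive the RFC 5246-style name from an OpenSSL cipher name using the
    conventions seen in the table; TLS 1.3 suites already carry RFC names."""
    if name.startswith("TLS_"):
        return name
    parts = name.split("-")
    if parts[0] == "ECDHE":                      # ephemeral ECDH key exchange
        kx, parts = f"ECDHE_{parts[1]}", parts[2:]
    else:                                        # OpenSSL omits static RSA kx
        kx = "RSA"
    if parts[:2] == ["DES", "CBC3"]:             # triple DES in EDE CBC mode
        cipher, parts = "3DES_EDE_CBC", parts[2:]
    else:
        m = re.fullmatch(r"(AES)(128|256)", parts[0])
        if m is None:
            raise ValueError(f"unrecognised cipher token in {name!r}")
        mode = "GCM" if parts[1] == "GCM" else "CBC"   # CBC is implicit in OpenSSL
        cipher = f"{m[1]}_{m[2]}_{mode}"
        parts = parts[2:] if mode == "GCM" else parts[1:]
    return f"TLS_{kx}_WITH_{cipher}_{parts[0]}"   # remaining token is the MAC/PRF hash


def forward_secret(rfc_name: str) -> bool:
    """TLS 1.3 suites always use ephemeral key exchange; of the TLS 1.2 suites
    on this page only the ECDHE ones do, so static-RSA suites offer no PFS."""
    return not rfc_name.startswith("TLS_RSA_WITH_")


def mismatches() -> list:
    """OpenSSL names whose derived RFC name differs from the page's table."""
    return [o for o, r in PAGE_TABLE.items() if openssl_to_rfc(o) != r]
```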