本文為英文版的機器翻譯版本，如內容有任何歧義或不一致之處，概以英文版為準。

# 支援的安全政策
<a name="apigateway-security-policies-list"></a>

下表說明可為每個 REST API 端點類型和自訂網域名稱類型指定的[安全政策](apigateway-security-policies.md)。這些政策可讓您控制傳入連線。API Gateway 僅支援輸出的 TLS 1.2。您可以隨時更新 API 或自訂網域名稱的安全政策。

標題`FIPS`中包含 的政策與聯邦資訊處理標準 (FIPS) 相容，這是美國和加拿大政府標準，可指定保護敏感資訊之密碼編譯模組的安全要求。若要進一步了解，請參閱*AWS 雲端安全合規*頁面上的[聯邦資訊處理標準 (FIPS) 140](https://aws.amazon.com/compliance/fips/)。

所有 FIPS 政策都會利用 AWS-LC FIPS 驗證的密碼編譯模組。若要進一步了解，請參閱 NIST [ 密碼編譯模組驗證計劃網站上的 AWS-LC](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4631) 密碼編譯模組頁面。 **

標題`PQ`中包含 的政策使用[後量子密碼編譯 (PQC)](https://aws.amazon.com/security/post-quantum-cryptography/) 實作 TLS 的混合金鑰交換演算法，以確保流量對未來量子運算威脅的機密性。

標題`PFS`中包含 的政策會使用 [Perfect Forward Secrecy (PFS)](https://en.wikipedia.org/wiki/Forward_secrecy)，以確保工作階段金鑰不會洩露。

在其標題`PQ`中同時包含 `FIPS`和 的政策支援這兩種功能。

## 預設安全政策
<a name="apigateway-security-policies-default"></a>

當您建立新的 REST API 或自訂網域時，資源會獲指派預設的安全政策。下表顯示這些資源的預設安全政策。


| **Resource** | **預設安全政策名稱** | 
| --- | --- | 
| 區域 API | TLS\$11\$10 | 
| 邊緣最佳化的 API | TLS\$11\$10 | 
| 私有 API | TLS\$11\$12 | 
| 區域網域 | TLS\$11\$12 | 
| Edge 最佳化網域 | TLS\$11\$12 | 
| 私有網域 | TLS\$11\$12 | 

## 區域和私有 APIs以及自訂網域名稱支援的安全政策
<a name="apigateway-security-policies-non-edge"></a>

下表說明可為區域和私有 APIs 以及自訂網域名稱指定的安全政策：


| **安全政策** | **支援的 TLS 版本** | **支援的加密** | 
| --- | --- | --- | 
| SecurityPolicy\$1TLS13\$11\$13\$12025\$109 | TLS1.3 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html)  | 
| SecurityPolicy\$1TLS13\$11\$13\$1FIPS\$12025\$109 | TLS1.3 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html)  | 
| SecurityPolicy\$1TLS13\$11\$12\$1FIPS\$1PFS\$1PQ\$12025\$109 | TLS1.3 TLS1.2 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html)  | 
| SecurityPolicy\$1TLS13\$11\$12\$1PFS\$1PQ\$12025\$109 | TLS1.3 TLS1.2 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html)  | 
| SecurityPolicy\$1TLS13\$11\$12\$1PQ\$12025\$109 | TLS1.3 TLS1.2 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html)  | 
| SecurityPolicy\$1TLS13\$11\$12\$12021\$106 | TLS1.3 TLS1.2 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html)  | 
| TLS\$11\$12 | TLS1.3 TLS1.2 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html)  | 
| TLS\$11\$10 |  TLS1.3 TLS1.2 TLS1.1 TLS1.0  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html)  | 

## 邊緣最佳化 APIs 和自訂網域名稱支援的安全政策
<a name="apigateway-security-policies-edge-optimized"></a>

下表說明可針對邊緣最佳化 APIs 和邊緣最佳化自訂網域名稱指定的安全政策：


| **安全政策名稱** | **支援的 TLS 版本** | **支援的密碼** | 
| --- | --- | --- | 
| SecurityPolicy\$1TLS13\$12025\$1EDGE | TLS1.3 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html)  | 
| SecurityPolicy\$1TLS12\$1PFS\$12025\$1EDGE |  TLS1.3 TLS1.2  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html)  | 
| SecurityPolicy\$1TLS12\$12018\$1EDGE |  TLS1.3 TLS1.2  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html)  | 
| TLS\$11\$10 |  TLS1.3 TLS1.2 TLS1.1 TLS1.0  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html)  | 

## OpenSSL 和 RFC 密碼名稱
<a name="apigateway-secure-connections-openssl-rfc-cipher-names"></a>

OpenSSL 和 IETF RFC 5246 使用相同密碼的不同名稱。下表將 OpenSSL 名稱對應到每個密碼的 RFC 名稱。如需詳細資訊，請參閱 OpenSSL 文件中的[加密](https://docs.openssl.org/1.1.1/man1/ciphers/)。


| **OpenSSL 和密碼名稱** | **RFC 密碼名稱** | 
| --- | --- | 
| TLS\$1AES\$1128\$1GCM\$1SHA256 | TLS\$1AES\$1128\$1GCM\$1SHA256 | 
| TLS\$1AES\$1256\$1GCM\$1SHA384 | TLS\$1AES\$1256\$1GCM\$1SHA384 | 
| TLS\$1CHACHA20\$1POLY1305\$1SHA256 | TLS\$1CHACHA20\$1POLY1305\$1SHA256 | 
| ECDHE-RSA-AES128-GCM-SHA256 | TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1128\$1GCM\$1SHA256 | 
| ECDHE-RSA-AES128-SHA256 | TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1128\$1CBC\$1SHA256  | 
| ECDHE-RSA-AES128-SHA | TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1128\$1CBC\$1SHA | 
| ECDHE-RSA-AES256-GCM-SHA384 | TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1256\$1GCM\$1SHA384  | 
| ECDHE-RSA-AES256-SHA384 | TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1256\$1CBC\$1SHA384  | 
| ECDHE-RSA-AES256-SHA | TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1256\$1CBC\$1SHA | 
| AES128-GCM-SHA256 | TLS\$1RSA\$1WITH\$1AES\$1128\$1GCM\$1SHA256 | 
| AES256-GCM-SHA384 | TLS\$1RSA\$1WITH\$1AES\$1256\$1GCM\$1SHA384 | 
| AES128-SHA256 | TLS\$1RSA\$1WITH\$1AES\$1128\$1CBC\$1SHA256 | 
| AES256-SHA | TLS\$1RSA\$1WITH\$1AES\$1256\$1CBC\$1SHA | 
| AES128-SHA | TLS\$1RSA\$1WITH\$1AES\$1128\$1CBC\$1SHA | 
| DES-CBC3-SHA | TLS\$1RSA\$1WITH\$13DES\$1EDE\$1CBC\$1SHA |