

本文為英文版的機器翻譯版本，如內容有任何歧義或不一致之處，概以英文版為準。

# 支援的安全政策
<a name="apigateway-security-policies-list"></a>

下表說明可為每個 REST API 端點類型和自訂網域名稱類型指定的[安全政策](apigateway-security-policies.md)。這些政策可讓您控制傳入連線。API Gateway 僅支援輸出的 TLS 1.2。您可以隨時更新 API 或自訂網域名稱的安全政策。

標題`FIPS`中包含 的政策與聯邦資訊處理標準 (FIPS) 相容，這是美國和加拿大政府標準，可指定保護敏感資訊之密碼編譯模組的安全要求。若要進一步了解，請參閱*AWS 雲端安全合規*頁面上的[聯邦資訊處理標準 (FIPS) 140](https://aws.amazon.com/compliance/fips/)。

所有 FIPS 政策都會利用 AWS-LC FIPS 驗證的密碼編譯模組。若要進一步了解，請參閱 NIST [ 密碼編譯模組驗證計劃網站上的 AWS-LC](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4631) 密碼編譯模組頁面。 **

標題`PQ`中包含 的政策使用[後量子密碼編譯 (PQC)](https://aws.amazon.com/security/post-quantum-cryptography/) 實作 TLS 的混合金鑰交換演算法，以確保流量對未來量子運算威脅的機密性。

標題`PFS`中包含 的政策使用 [Perfect Forward Secrecy (PFS)](https://en.wikipedia.org/wiki/Forward_secrecy) 來確保工作階段金鑰不會洩露。

在其標題`PQ`中同時包含 `FIPS`和 的政策支援這兩種功能。

## 預設安全政策
<a name="apigateway-security-policies-default"></a>

當您建立新的 REST API 或自訂網域時，資源會獲指派預設的安全政策。下表顯示這些資源的預設安全政策。


| **Resource** | **預設安全政策名稱** | 
| --- | --- | 
| 區域 API | TLS\_1\_0 | 
| 邊緣最佳化的 API | TLS\_1\_0 | 
| 私有 API | TLS\_1\_2 | 
| 區域網域 | TLS\_1\_2 | 
| Edge 最佳化網域 | TLS\_1\_2 | 
| 私有網域 | TLS\_1\_2 | 

## 區域和私有 APIs和自訂網域名稱支援的安全政策
<a name="apigateway-security-policies-non-edge"></a>

下表說明可為區域和私有 APIs 以及自訂網域名稱指定的安全政策：


| **安全政策** | **支援的 TLS 版本** | **支援的密碼** | 
| --- | --- | --- | 
| SecurityPolicy\_TLS13\_1\_3\_2025\_09 | TLS1.3 |  [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html)  | 
| SecurityPolicy\_TLS13\_1\_3\_FIPS\_2025\_09 | TLS1.3 |  [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html)  | 
| SecurityPolicy\_TLS13\_1\_2\_FIPS\_PFS\_PQ\_2025\_09 | TLS1.3<br />TLS1.2 |  [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html) [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html)  | 
| SecurityPolicy\_TLS13\_1\_2\_PFS\_PQ\_2025\_09 | TLS1.3<br />TLS1.2 |  [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html) [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html)  | 
| SecurityPolicy\_TLS13\_1\_2\_PQ\_2025\_09 | TLS1.3<br />TLS1.2 |  [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html) [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html)  | 
| SecurityPolicy\_TLS13\_1\_2\_2021\_06 | TLS1.3<br />TLS1.2 |  [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html) [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html)  | 
| TLS\_1\_2 | TLS1.3<br />TLS1.2 |  [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html) [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html)  | 
| TLS\_1\_0 | TLS1.3<br />TLS1.2<br />TLS1.1<br />TLS1.0 |  [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html) [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html)  | 

## 邊緣最佳化 APIs 和自訂網域名稱支援的安全政策
<a name="apigateway-security-policies-edge-optimized"></a>

下表說明可針對邊緣最佳化 APIs 和邊緣最佳化自訂網域名稱指定的安全政策：


| **安全政策名稱** | **支援的 TLS 版本** | **支援的密碼** | 
| --- | --- | --- | 
| SecurityPolicy\_TLS13\_2025\_EDGE | TLS1.3 |  [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html)  | 
| SecurityPolicy\_TLS12\_PFS\_2025\_EDGE | TLS1.3<br />TLS1.2 |  [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html) [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html)  | 
| SecurityPolicy\_TLS12\_2018\_EDGE | TLS1.3<br />TLS1.2 |  [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html) [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html)  | 
| TLS\_1\_0 | TLS1.3<br />TLS1.2<br />TLS1.1<br />TLS1.0 |  [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html) [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/apigateway/latest/developerguide/apigateway-security-policies-list.html)  | 

## OpenSSL 和 RFC 密碼名稱
<a name="apigateway-secure-connections-openssl-rfc-cipher-names"></a>

OpenSSL 和 IETF RFC 5246 使用相同密碼的不同名稱。下表將 OpenSSL 名稱對應到每個密碼的 RFC 名稱。如需詳細資訊，請參閱 OpenSSL 文件中的[加密](https://docs.openssl.org/1.1.1/man1/ciphers/)。


| **OpenSSL 和密碼名稱** | **RFC 密碼名稱** | 
| --- | --- | 
| TLS\_AES\_128\_GCM\_SHA256 | TLS\_AES\_128\_GCM\_SHA256 | 
| TLS\_AES\_256\_GCM\_SHA384 | TLS\_AES\_256\_GCM\_SHA384 | 
| TLS\_CHACHA20\_POLY1305\_SHA256 | TLS\_CHACHA20\_POLY1305\_SHA256 | 
| ECDHE-RSA-AES128-GCM-SHA256 | TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256 | 
| ECDHE-RSA-AES128-SHA256 | TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA256  | 
| ECDHE-RSA-AES128-SHA | TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA | 
| ECDHE-RSA-AES256-GCM-SHA384 | TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384  | 
| ECDHE-RSA-AES256-SHA384 | TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA384  | 
| ECDHE-RSA-AES256-SHA | TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA | 
| AES128-GCM-SHA256 | TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256 | 
| AES256-GCM-SHA384 | TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384 | 
| AES128-SHA256 | TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA256 | 
| AES256-SHA | TLS\_RSA\_WITH\_AES\_256\_CBC\_SHA | 
| AES128-SHA | TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA | 
| DES-CBC3-SHA | TLS\_RSA\_WITH\_3DES\_EDE\_CBC\_SHA | 