Feature Request: Support SecurityPolicy and EndpointAccessMode in AWS::Serverless::Api

[jth08527]

Description

On Nov 19th, 2025, API Gateway added new endpoint security capabilities, including updated TLS policies and strict endpoint access modes. These features are documented here:

🔗 https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-security-policies.html

CloudFormation supports these features through the AWS::ApiGateway::RestApi properties SecurityPolicy and EndpointAccessMode. However, AWS SAM currently does not expose these properties in AWS::Serverless::Api.

As a result, deployments fail when APIs use modern security policies. SAM manages EndpointConfiguration but cannot include the required SecurityPolicy, leading to errors such as:

Unable to update EndpointType. SecurityPolicy is required for EndpointType update.

This has forced me to stop using AWS::Serverless::Api and instead define raw CloudFormation resources for RestApi, Stage, and Deployment.

Request

Add support for the following properties to AWS::Serverless::Api:

SecurityPolicy: SecurityPolicy_TLS13_1_3_FIPS_2025_09
EndpointAccessMode: STRICT

These should map directly to the corresponding CloudFormation fields on AWS::ApiGateway::RestApi.

List of supported security policies for the different endpoint types:

🔗 https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-security-policies-list.html

For EndpointAccessMode, the only supported values currently are STRICT and BASIC.

Why this matters

This would allow users to continue using newer and more secure policies, while still allowing use of the much simpler AWS::Serverless::Api abstraction.

[dougsyer]

having same issue here. unfortunately it was my first time working with SAM and it cost me a bunch of time due to not having experience. I just realized i need to use the cloud formation syntax.

[jth08527]

@iph and @bnusunny thank you both for working on PR #3872.

I see that this was merge and closed some time ago, and I had hoped it would be included in the release that followed a few days later. I hate to be that guy, but any idea when this will be released? My orgs InfoSec team would like me to enforce a higher TLS version and I would prefer to not have to create some mechanism outside of SAM or CloudFormation to do this.

Any hint as to when this might drop would be appreciated, but I also understand if you can't.

[reedham-aws]

Hello @jth08527, this should be released in the next version of SAM coming the week of 2026-03-16. Thank you for bringing this back to our attention!

[jth08527]

Hello @reedham-aws, thank you very much for the update!

[wandora58]

Hi @reedham-aws, I tried with the latest version and confirmed that SecurityPolicy is now supported, but EndpointAccessMode is not yet supported.

$ sam build
..
Error: [InvalidResourceException('MyApi', 'property EndpointAccessMode not defined for resource of type AWS::Serverless::Api')] ('MyApi', 'property EndpointAccessMode not defined for resource of type AWS::Serverless::Api')

I've created a PR to add support for it. I'd appreciate it if you could take a look. Thanks!

[rowanu]

Keen on this feature!

[reedham-aws]

#3898 which added EndpointAccessMode was just merged. It will be at least 10 days before it is released, but I will keep this thread updated when it is. Sorry for the delay!