Description
On Nov 19th, 2025, API Gateway added new endpoint security capabilities, including updated TLS policies and strict endpoint access modes. These features are documented here:
🔗 https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-security-policies.html
CloudFormation supports these features through the AWS::ApiGateway::RestApi properties SecurityPolicy and EndpointAccessMode. However, AWS SAM currently does not expose these properties in AWS::Serverless::Api.
As a result, deployments fail when APIs use modern security policies. SAM manages EndpointConfiguration but cannot include the required SecurityPolicy, leading to errors such as:
Unable to update EndpointType. SecurityPolicy is required for EndpointType update.
This has forced me to stop using AWS::Serverless::Api and instead define raw CloudFormation resources for RestApi, Stage, and Deployment.
Request
Add support for the following properties to AWS::Serverless::Api:
```yaml
SecurityPolicy: SecurityPolicy_TLS13_1_3_FIPS_2025_09
EndpointAccessMode: STRICT
```

These should map directly to the corresponding CloudFormation fields on AWS::ApiGateway::RestApi.
List of supported security policies for the different endpoint types:
🔗 https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-security-policies-list.html
For EndpointAccessMode, the only supported values currently are STRICT and BASIC.
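As an added illustration (not from the issue author or the SAM project), this is the workaround the issue describes: the REST API, Deployment and Stage declared as raw CloudFormation resources so that the two properties SAM cannot set today are present. The resource names, the REGIONAL endpoint type and the mock `/health` route are assumptions; the policy chosen must be one the linked list allows for that endpoint type.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Constructed example, raw API Gateway resources instead of AWS::Serverless::Api

Resources:
  # AWS::Serverless::Api has no SecurityPolicy / EndpointAccessMode properties,
  # so the REST API is declared directly on AWS::ApiGateway::RestApi.
  HardenedRestApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: hardened-api                # assumed name
      EndpointConfiguration:
        Types:
          - REGIONAL                    # assumed; must be a type the policy supports
      SecurityPolicy: SecurityPolicy_TLS13_1_3_FIPS_2025_09
      EndpointAccessMode: STRICT        # only STRICT or BASIC are accepted

  # A minimal mock route so that a Deployment has at least one Method to deploy.
  HealthResource:
    Type: AWS::ApiGateway::Resource
    Properties:
      RestApiId: !Ref HardenedRestApi
      ParentId: !GetAtt HardenedRestApi.RootResourceId
      PathPart: health

  HealthMethod:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref HardenedRestApi
      ResourceId: !Ref HealthResource
      HttpMethod: GET
      AuthorizationType: NONE
      Integration:
        Type: MOCK
        RequestTemplates:
          application/json: '{"statusCode": 200}'
        IntegrationResponses:
          - StatusCode: '200'
      MethodResponses:
        - StatusCode: '200'

  # SAM normally generates these two; here they are written out by hand.
  ApiDeployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn: HealthMethod
    Properties:
      RestApiId: !Ref HardenedRestApi

  ProdStage:
    Type: AWS::ApiGateway::Stage
    Properties:
      RestApiId: !Ref HardenedRestApi
      DeploymentId: !Ref ApiDeployment
      StageName: prod
```

Changing EndpointConfiguration on an existing API without SecurityPolicy set reproduces the "SecurityPolicy is required for EndpointType update" error quoted above, so keep both properties together on the RestApi.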
Why this matters
This would let users adopt the newer, more secure policies while keeping the much simpler AWS::Serverless::Api abstraction.