EndpointAccessMode

class aws_cdk.aws_apigateway.EndpointAccessMode(*values)

Bases: Enum

The endpoint access mode for the domain name.

When using enhanced security policies (those starting with SecurityPolicy_), you must set the endpoint access mode to either STRICT or BASIC. Use STRICT for production workloads requiring the highest security. Use BASIC for migration scenarios or certain application architectures.

See:

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-security-policies.html#apigateway-security-policies-endpoint-access-mode

Example:

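from aws_cdk import aws_apigateway as apigateway

# Placeholder assumed to be defined elsewhere (an ACM certificate for example.com):
# acm_certificate_for_example_com: Any

# For regional or private APIs with enhanced security policy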
apigateway.DomainName(self, "custom-domain-tls13",
    domain_name="example.com",
    certificate=acm_certificate_for_example_com,
    security_policy=apigateway.SecurityPolicy.TLS13_1_3_2025_09,  # TLS 1.3
    endpoint_access_mode=apigateway.EndpointAccessMode.STRICT
)

# For edge-optimized APIs with enhanced security policy
apigateway.DomainName(self, "custom-domain-edge-tls13",
    domain_name="example.com",
    certificate=acm_certificate_for_example_com,
    endpoint_type=apigateway.EndpointType.EDGE,
    security_policy=apigateway.SecurityPolicy.TLS13_2025_EDGE,  # Enhanced security policy for edge
    endpoint_access_mode=apigateway.EndpointAccessMode.STRICT
)

Attributes

BASIC

Basic mode - one of the two valid endpoint access modes for enhanced security policies.

Suitable for migration scenarios or certain application architectures. Note: legacy security policies (TLS_1_0, TLS_1_2) do not use this attribute.

STRICT

Strict mode - only accepts connections from clients using the specified security policy.

Recommended for production workloads.
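
The pairing rule above (enhanced policies need STRICT or BASIC, legacy policies do not use the attribute) can be checked against a synthesized template before deployment. The following is an added example, not part of the CDK documentation or library; it assumes the template carries the mode as an `EndpointAccessMode` property next to `SecurityPolicy`, and the function names, the `SecurityPolicy_EXAMPLE` value and the sample template are constructed for illustration.

```python
# Added example (not CDK code). Assumption: the synthesized template carries
# the mode as the "EndpointAccessMode" property next to "SecurityPolicy".
ENHANCED_PREFIX = "SecurityPolicy_"   # enhanced-policy prefix named on this page
VALID_MODES = {"STRICT", "BASIC"}     # the two enum members documented here

def _check(policy, mode, production):
    """Return a finding string for one domain, or None if it is consistent."""
    if not isinstance(policy, str):
        return "SecurityPolicy is unset or not a literal; cannot evaluate"
    if not policy.startswith(ENHANCED_PREFIX):
        # Legacy policies (TLS_1_0, TLS_1_2) do not use the attribute.
        return "legacy policy does not use EndpointAccessMode" if mode is not None else None
    if mode is None:
        return "enhanced policy requires EndpointAccessMode STRICT or BASIC"
    if mode not in VALID_MODES:
        return f"unknown EndpointAccessMode {mode!r}"
    if mode == "BASIC" and production:
        return "BASIC on a production domain; STRICT is recommended"
    return None

def audit_domain_names(template, production=True):
    """List (logical_id, finding) for every AWS::ApiGateway::DomainName."""
    findings = []
    for logical_id, res in sorted(template.get("Resources", {}).items()):
        if res.get("Type") != "AWS::ApiGateway::DomainName":
            continue
        props = res.get("Properties", {})
        msg = _check(props.get("SecurityPolicy"), props.get("EndpointAccessMode"), production)
        if msg:
            findings.append((logical_id, msg))
    return findings

def _domain(policy=None, mode=None):  # builds one constructed sample resource
    props = {"DomainName": "example.com", "SecurityPolicy": policy, "EndpointAccessMode": mode}
    props = {k: v for k, v in props.items() if v is not None}
    return {"Type": "AWS::ApiGateway::DomainName", "Properties": props}

ENHANCED = "SecurityPolicy_EXAMPLE"   # constructed placeholder, not a real policy name
SAMPLE_TEMPLATE = {"Resources": {     # constructed sample, not real synth output
    "Strict": _domain(ENHANCED, "STRICT"),
    "MissingMode": _domain(ENHANCED),
    "Basic": _domain(ENHANCED, "BASIC"),
    "Legacy": _domain("TLS_1_2"),
    "LegacyWithMode": _domain("TLS_1_2", "STRICT"),
    "Api": {"Type": "AWS::ApiGateway::RestApi", "Properties": {}},
}}

if __name__ == "__main__":
    print(*audit_domain_names(SAMPLE_TEMPLATE), sep="\n")
```

Pass `production=False` for a migration stack where BASIC is intentional; the missing-mode and legacy-with-mode findings are still reported.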