apigateway: More DomainName security policy options for TLS 1.3 #36280

@skairunner

Description

Describe the feature

The docs here currently note that the only two supported policies are TLS_1_2 and TLS_1_0. These are considered "legacy security policies" (according to the docs here) and we are directed to use a policy that starts with SecurityPolicy_, such as SecurityPolicy_TLS13_1_3_2025_09.

At least in the Python CDK, the current definition of SecurityPolicy prevents using an arbitrary value:

# code (import added for context; the snippet is otherwise as posted)
from aws_cdk import aws_apigateway as apigateway

domain_name_options = apigateway.DomainNameOptions(
    certificate=certificate,
    domain_name=domain_name,
    # SecurityPolicy is a closed enum, so this raises at synth time
    security_policy=apigateway.SecurityPolicy("SecurityPolicy_TLS13_1_3_2025_09"),
)
# result
ValueError: 'SecurityPolicy_TLS13_1_3_2025_09' is not a valid SecurityPolicy

Use Case

I want to use TLS 1.3 for my custom domain names.

Proposed Solution

It would be nice if the enum were expanded to include at least some of the security policies available, or at least if the security_policy parameter were updated to let you provide an arbitrary value.

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

AWS CDK Library version (aws-cdk-lib)

2.231.0

AWS CDK CLI version

2.1033.0

Environment details (OS name and version, etc.)

Mac OS version 26.1
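As an added, stand-alone illustration (not code from the CDK or from this issue), the following pure-Python model contrasts the closed-enum behaviour the report describes with the open-but-validated variant the proposed solution asks for. The `SecurityPolicy_` prefix pattern and the function names `closed_enum_accepts`, `resolve_security_policy` and `is_valid_security_policy` are assumptions made for the illustration.

```python
import re
from enum import Enum


# Assumed illustration, not aws_cdk code: the current CDK enum only lists
# the two values the issue quotes from the docs.
class SecurityPolicy(Enum):
    TLS_1_0 = "TLS_1_0"
    TLS_1_2 = "TLS_1_2"


# Both listed values are the ones the docs call "legacy security policies".
LEGACY_POLICIES = frozenset(p.value for p in SecurityPolicy)

# Assumed shape of the newer policy names; the only documented instance on
# this page is SecurityPolicy_TLS13_1_3_2025_09, so the check stays loose:
# the SecurityPolicy_ prefix, a TLS1x token, then a free-form dated suffix.
MODERN_POLICY_RE = re.compile(r"^SecurityPolicy_TLS1[0-9]_[0-9A-Za-z_]+$")


def closed_enum_accepts(value: str) -> bool:
    """Current behaviour: Enum(value) raises ValueError for anything unlisted."""
    try:
        SecurityPolicy(value)
    except ValueError:
        return False
    return True


def resolve_security_policy(value: str) -> dict:
    """Proposed behaviour: accept the enum values and any SecurityPolicy_* name,
    report whether the caller picked a legacy policy, reject anything else."""
    if value in LEGACY_POLICIES:
        return {"policy": value, "legacy": True}
    if MODERN_POLICY_RE.fullmatch(value):
        return {"policy": value, "legacy": False}
    raise ValueError(f"{value!r} is not a recognised API Gateway security policy")


def is_valid_security_policy(value: str) -> bool:
    """Yes/no wrapper around resolve_security_policy for simple checks."""
    try:
        resolve_security_policy(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for candidate in ("TLS_1_2", "SecurityPolicy_TLS13_1_3_2025_09", "TLS_1_1"):
        print(candidate, "closed enum:", closed_enum_accepts(candidate),
              "open variant:", is_valid_security_policy(candidate))
```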

Labels

  • @aws-cdk/aws-apigateway: Related to Amazon API Gateway
  • effort/small: Small work item – less than a day of effort
  • feature-request: A feature should be added or improved.
  • p2
