From 3de444a4ef9bbf9b0f2228efafffb875172c46ab Mon Sep 17 00:00:00 2001
From: Arthur Frade de Araujo
Date: Wed, 25 Feb 2026 12:06:50 -0300
Subject: [PATCH 1/2] feat(api-gateway): SecurityPolicy support
---
 .../events/api-gateway/lib/rest-api.js | 6 ++++
 lib/plugins/aws/provider.js | 3 ++
 .../events/api-gateway/lib/rest-api.test.js | 28 +++++++++++++++++++
 3 files changed, 37 insertions(+)
diff --git a/lib/plugins/aws/package/compile/events/api-gateway/lib/rest-api.js b/lib/plugins/aws/package/compile/events/api-gateway/lib/rest-api.js
index 894fca97e..08463742f 100644
--- a/lib/plugins/aws/package/compile/events/api-gateway/lib/rest-api.js
+++ b/lib/plugins/aws/package/compile/events/api-gateway/lib/rest-api.js
@@ -17,10 +17,15 @@ module.exports = {
 let endpointType = 'EDGE';
 let vpcEndpointIds;
 let BinaryMediaTypes;
+ let SecurityPolicy;
 if (apiGateway.binaryMediaTypes) {
 BinaryMediaTypes = apiGateway.binaryMediaTypes;
 }
+ if (apiGateway.securityPolicy) {
+ SecurityPolicy = apiGateway.securityPolicy;
+ }
+
 if (this.serverless.service.provider.endpointType) {
 endpointType = this.serverless.service.provider.endpointType.toUpperCase();
@@ -52,6 +57,7 @@ module.exports = {
 BinaryMediaTypes,
 DisableExecuteApiEndpoint,
 EndpointConfiguration,
+ SecurityPolicy
 };
 // Tags
diff --git a/lib/plugins/aws/provider.js b/lib/plugins/aws/provider.js
index 2bb29e701..63c2ca584 100644
--- a/lib/plugins/aws/provider.js
+++ b/lib/plugins/aws/provider.js
@@ -848,6 +848,9 @@ class AwsProvider {
 type: 'array',
 items: { type: 'string', pattern: '^\\S+\\/\\S+$' },
 },
+ securityPolicy: {
+ type: 'string'
+ },
 description: { type: 'string' },
 disableDefaultEndpoint: { type: 'boolean' },
 metrics: { type: 'boolean' },
diff --git a/test/unit/lib/plugins/aws/package/compile/events/api-gateway/lib/rest-api.test.js b/test/unit/lib/plugins/aws/package/compile/events/api-gateway/lib/rest-api.test.js
index c8b0fe418..9d1f0931d 100644
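Review bot: The guard `if (apiGateway.securityPolicy)` in the first rest-api.js hunk treats an empty string the same as an absent setting, so `securityPolicy: ''` (for example from a variable that resolved to nothing) is dropped and the template is emitted without a SecurityPolicy. The API would then presumably be deployed with the service's default TLS policy and no warning, which is the opposite of what someone pinning a policy intended. The schema entry added in the provider.js hunk lets that value through because it only requires `type: 'string'`; tightening it to `securityPolicy: { type: 'string', minLength: 1 },` would reject the empty value at validation time. A misspelled policy name also passes this schema and would only be rejected at deploy time, so an `enum` or a comment naming where the accepted values are documented would help. The function changed in rest-api.js starts and ends outside the hunk.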
--- a/test/unit/lib/plugins/aws/package/compile/events/api-gateway/lib/rest-api.test.js
+++ b/test/unit/lib/plugins/aws/package/compile/events/api-gateway/lib/rest-api.test.js
@@ -51,6 +51,30 @@ describe('#compileRestApi()', () => {
 EndpointConfiguration: {
 Types: ['EDGE'],
 },
+ SecurityPolicy: undefined,
+ Policy: '',
+ },
+ });
+ });
+
+ it('should create a REST API resource with security policy', () => {
+ awsCompileApigEvents.serverless.service.provider.apiGateway = {
+ securityPolicy: 'SecurityPolicy_TLS13_1_3_2025_09'
+ }
+ awsCompileApigEvents.compileRestApi();
+ const resources =
+ awsCompileApigEvents.serverless.service.provider.compiledCloudFormationTemplate.Resources;
+
+ expect(resources.ApiGatewayRestApi).to.deep.equal({
+ Type: 'AWS::ApiGateway::RestApi',
+ Properties: {
+ BinaryMediaTypes: undefined,
+ DisableExecuteApiEndpoint: undefined,
+ Name: 'dev-new-service',
+ EndpointConfiguration: {
+ Types: ['EDGE'],
+ },
+ SecurityPolicy: 'SecurityPolicy_TLS13_1_3_2025_09',
 Policy: '',
 },
 });
@@ -75,6 +99,7 @@ describe('#compileRestApi()', () => {
 EndpointConfiguration: {
 Types: ['EDGE'],
 },
+ SecurityPolicy: undefined,
 Policy: '',
 Tags: [
 { Key: 'tagKey1', Value: 'tagValue1' },
@@ -113,6 +138,7 @@ describe('#compileRestApi()', () => {
 EndpointConfiguration: {
 Types: ['EDGE'],
 },
+ SecurityPolicy: undefined,
 Policy: {
 Version: '2012-10-17',
 Statement: [
@@ -148,6 +174,7 @@ describe('#compileRestApi()', () => {
 Types: ['EDGE'],
 },
 Policy: '',
+ SecurityPolicy: undefined,
 },
 });
 });
@@ -181,6 +208,7 @@ describe('#compileRestApi()', () => {
 },
 Name: 'dev-new-service',
 Policy: '',
+ SecurityPolicy: undefined,
 },
 });
 });
From e78c1bcfbaf88f1ca4369ad48a226a2d80178f8c Mon Sep 17 00:00:00 2001
From: Arthur Frade de Araujo
Date: Wed, 25 Feb 2026 14:46:42 -0300
Subject: [PATCH 2/2] style(api-gateway): SecurityPolicy support
---
 .../resources/api-gateway-cloud-watch-role/handler.js | 5 +----
 .../aws/package/compile/events/api-gateway/lib/rest-api.js | 2 +-
 lib/plugins/aws/provider.js | 2 +-
 .../package/compile/events/api-gateway/lib/rest-api.test.js | 4 ++--
 4 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/lib/plugins/aws/custom-resources/resources/api-gateway-cloud-watch-role/handler.js b/lib/plugins/aws/custom-resources/resources/api-gateway-cloud-watch-role/handler.js
index 972471766..d2d253392 100644
--- a/lib/plugins/aws/custom-resources/resources/api-gateway-cloud-watch-role/handler.js
+++ b/lib/plugins/aws/custom-resources/resources/api-gateway-cloud-watch-role/handler.js
@@ -58,10 +58,7 @@ async function create(event, context) {
 return (await iam.send(new ListAttachedRolePoliciesCommand({ RoleName: roleName })))
 .AttachedPolicies;
 } catch (error) {
- if (
- error.code === 'NoSuchEntity' ||
- error.message.includes('cannot be found')
- ) {
+ if (error.code === 'NoSuchEntity' || error.message.includes('cannot be found')) {
 // Role doesn't exist yet, create;
 await iam.send(
 new CreateRoleCommand({
diff --git a/lib/plugins/aws/package/compile/events/api-gateway/lib/rest-api.js b/lib/plugins/aws/package/compile/events/api-gateway/lib/rest-api.js
index 08463742f..4668c974c 100644
--- a/lib/plugins/aws/package/compile/events/api-gateway/lib/rest-api.js
+++ b/lib/plugins/aws/package/compile/events/api-gateway/lib/rest-api.js
@@ -57,7 +57,7 @@ module.exports = {
 BinaryMediaTypes,
 DisableExecuteApiEndpoint,
 EndpointConfiguration,
- SecurityPolicy
+ SecurityPolicy,
 };
 // Tags
diff --git a/lib/plugins/aws/provider.js b/lib/plugins/aws/provider.js
index 63c2ca584..eb69f86b0 100644
--- a/lib/plugins/aws/provider.js
+++ b/lib/plugins/aws/provider.js
@@ -849,7 +849,7 @@ class AwsProvider {
 items: { type: 'string', pattern: '^\\S+\\/\\S+$' },
 },
 securityPolicy: {
- type: 'string'
+ type: 'string',
 },
 description: { type: 'string' },
 disableDefaultEndpoint: { type: 'boolean' },
diff --git a/test/unit/lib/plugins/aws/package/compile/events/api-gateway/lib/rest-api.test.js b/test/unit/lib/plugins/aws/package/compile/events/api-gateway/lib/rest-api.test.js
index 9d1f0931d..118a75fac 100644
--- a/test/unit/lib/plugins/aws/package/compile/events/api-gateway/lib/rest-api.test.js
+++ b/test/unit/lib/plugins/aws/package/compile/events/api-gateway/lib/rest-api.test.js
@@ -59,8 +59,8 @@ describe('#compileRestApi()', () => {
 it('should create a REST API resource with security policy', () => {
 awsCompileApigEvents.serverless.service.provider.apiGateway = {
- securityPolicy: 'SecurityPolicy_TLS13_1_3_2025_09'
- }
+ securityPolicy: 'SecurityPolicy_TLS13_1_3_2025_09',
+ };
 awsCompileApigEvents.compileRestApi();
 const resources =
 awsCompileApigEvents.serverless.service.provider.compiledCloudFormationTemplate.Resources;