== How to fix it in AWS CDK

=== Code examples

==== Noncompliant code example

[source,javascript,diff-id=1,diff-type=noncompliant]
----
import { aws_apigateway as agw } from 'aws-cdk-lib';
new agw.DomainName(this, 'Example', {
    certificate: certificate,
    domainName: domainName,
    securityPolicy: agw.SecurityPolicy.TLS_1_0, // Noncompliant
});
----

The resource `CfnDomain` uses a weak TLS security policy, by default.

[source,javascript,diff-id=2,diff-type=noncompliant]
----
import { aws_opensearchservice as os } from 'aws-cdk-lib';

new os.CfnDomain(this, 'Example', {
  domainEndpointOptions: {
    enforceHttps: true,
  },
}); // Noncompliant
----

==== Compliant solution

[source,javascript,diff-id=1,diff-type=compliant]
----
import { aws_apigateway as agw } from 'aws-cdk-lib';
new agw.DomainName(this, 'Example', {
    certificate: certificate,
    domainName: domainName,
    securityPolicy: agw.SecurityPolicy.TLS_1_2,
});
----

[source,javascript,diff-id=2,diff-type=compliant]
----
import { aws_opensearchservice as os } from 'aws-cdk-lib';

new os.CfnDomain(this, 'Example', {
  domainEndpointOptions: {
    enforceHttps: true,
    tlsSecurityPolicy: 'Policy-Min-TLS-1-2-2019-07',
  },
});
----

=== How does this work?

include::../../common/fix/fix.adoc[]