Description:
When running `sam validate --lint` on a SAM template with an `AWS::ApiGateway::DomainName` or `AWS::ApiGateway::DomainNameV2` resource configured with a Security Policy set to `SecurityPolicy_TLS13_1_2_FIPS_PQ_2025_09`, one has to add `EndpointAccessMode: STRICT` in order for CloudFormation to successfully deploy.
The problem is that `sam validate --lint` says the template has an E3002: Resource properties are invalid.
Works fine when doing cfn-lint on the same template using v1.42.0.
Short term workaround was to add E3002 to `ignore_checks`.
Steps to reproduce:
Create a template that includes an API
```yaml
ApiGateway:
  Type: AWS::Serverless::Api
  Properties:
    ...
ApiDomain:
  Type: AWS::ApiGateway::DomainName
  Properties:
    DomainName: x.y.com
    RegionalCertificateArn: !GetAtt Cert.Arn
    EndpointConfiguration:
      Types:
        - REGIONAL
    SecurityPolicy: SecurityPolicy_TLS13_1_2_FIPS_PQ_2025_09
    EndpointAccessMode: STRICT
```
Observed result:
```
[[E3002: Resource properties are invalid] (Additional properties are not allowed ('EndpointAccessMode' was unexpected)) matched 293]
Error: Linting failed. At least one linting rule was matched to the provided template.
```
Expected result:
template.yaml is a valid SAM Template
Additional environment details (Ex: Windows, Mac, Amazon Linux etc)
- OS: macOS-26.1-arm64-arm-64bit-Mach-O
- `sam --version`: 1.149.0
- AWS region: eu-west-1
- cfn-lint version installed: 1.42.0
Paste the output of `sam --info` here
```json
{
  "version": "1.149.0",
  "system": {
    "python": "3.13.9",
    "os": "macOS-26.1-arm64-arm-64bit-Mach-O"
  },
  "additional_dependencies": {
    "container_engine": "Docker(v29.0.1)",
    "aws_cdk": "Not available",
    "terraform": "1.12.2"
  },
  "available_beta_feature_env_vars": [
    "SAM_CLI_BETA_FEATURES",
    "SAM_CLI_BETA_BUILD_PERFORMANCE",
    "SAM_CLI_BETA_TERRAFORM_SUPPORT",
    "SAM_CLI_BETA_PACKAGE_PERFORMANCE",
    "SAM_CLI_BETA_RUST_CARGO_LAMBDA"
  ]
}
```
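Adding E3002 to `ignore_checks` turns off every "Resource properties are invalid" finding, including real ones such as a misspelled property. The following is an added example, not part of the original report or of SAM CLI: a filter over captured lint output that suppresses only the `EndpointAccessMode` finding and still fails on any other match. The finding format is assumed from the single "Observed result" line above; the second sample finding and all function names are constructed for illustration.

```python
import re

# Shape of one finding, assumed from the "Observed result" line in this report:
#   [[<rule>: <title>] (<message>) matched <line>]
FINDING = re.compile(
    r"\[\[(?P<rule>[EWI]\d{4}): (?P<title>[^\]]*)\] "
    r"\((?P<msg>.*?)\) matched (?P<line>\d+)\]"
)

# The one finding this issue reports as a false positive.
KNOWN_FALSE_POSITIVE = ("E3002", "'EndpointAccessMode' was unexpected")

# Finding copied from the report.
OBSERVED = ("[[E3002: Resource properties are invalid] (Additional properties "
            "are not allowed ('EndpointAccessMode' was unexpected)) matched 293]")
# Constructed finding: a genuine typo that a blanket E3002 ignore would hide.
CONSTRUCTED = ("[[E3002: Resource properties are invalid] (Additional properties "
               "are not allowed ('SecurityPolcy' was unexpected)) matched 120]")


def triage(lint_output):
    """Split findings into (suppressed, remaining) lists of (rule, msg, line)."""
    rule, needle = KNOWN_FALSE_POSITIVE
    suppressed, remaining = [], []
    for m in FINDING.finditer(lint_output):
        finding = (m["rule"], m["msg"], int(m["line"]))
        if m["rule"] == rule and needle in m["msg"]:
            suppressed.append(finding)
        else:
            remaining.append(finding)
    return suppressed, remaining


def exit_code(lint_output):
    """Return 0 only when every finding is the known false positive."""
    _, remaining = triage(lint_output)
    return 1 if remaining else 0


if __name__ == "__main__":
    suppressed, remaining = triage(OBSERVED + "\n" + CONSTRUCTED)
    for rule, msg, line in suppressed:
        print(f"suppressed {rule} at line {line}: {msg}")
    for rule, msg, line in remaining:
        print(f"FAIL {rule} at line {line}: {msg}")
    raise SystemExit(exit_code(OBSERVED + "\n" + CONSTRUCTED))
```

Remove the filter once `sam validate --lint` accepts `EndpointAccessMode`, so the allowance does not outlive the bug.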