Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

AWS API Gateway MTLS client auth

Tags:

ssl

amazon-web-services

aws-api-gateway

ssl-client-authentication

Everytime I searched for Mutual Auth over SSL for AWS API Gateway I can only find MTLS between AWS API Gateway and Backend Services. But I'm looking to secure my AWS API Gateway endpoints itself with MTLS (client auth).

For instance, I have a backed service QueryCustomer which I have proxied through AWS API Gateway. Now I can put an SSL Cert on API Gateway but it's usual 1-way SSL. What I want to achieve is to have an MTLS with client auth where the consumer of APIs from AWS API Gateway first have to exchange their public certificates which we configure on the AWS truststores and AWS public certificates will be stored on API consumer end as well.

Now during the handshake as with other API Gateways and application servers should there be a property which says something like this AWS API Gateway endpoint 'requires client auth' so that only if API consumer's public cert is in API Gateway truststore should be authenticated to access the endpoint, otherwise just throw normal SSL handshake error.

Can someone advise if this is achievable on AWS API Gateway?

like image 247
Shoaib Khan Avatar asked Aug 02 '17 09:08

Shoaib Khan

People also ask

Does mTLS provide authorization?

The authorization server can pick up the certificate from the mTLS handshake performed between the client (calling the server or API) and the Token Service and then use that to authorize the client.

What is mTLS AWS?

Mutual Transport Layer Security (mTLS) is an extension of TLS, where both the client and server leverage X. 509 digital certificates to authenticate each other before starting communications. Both parties present certificates to each other and validate the other's certificate.

How do I add a client certificate to AWS API gateway?

Generate a client certificate using the API Gateway consoleOpen the API Gateway console at https://console.aws.amazon.com/apigateway/ . Choose a REST API. In the main navigation pane, choose Client Certificates. From the Client Certificates pane, choose Generate Client Certificate.

Does API gateway support TLS?

A security policy is a predefined combination of minimum TLS version and cipher suite offered by Amazon API Gateway. You can choose either a TLS version 1.2 or TLS version 1.0 security policy. The TLS protocol addresses network security problems such as tampering and eavesdropping between a client and server.

1 Answers

This is not currently available from API Gateway, but we have had requests from multiple customers for this feature. Unfortunately, I can't comment on ETA or availability.

like image 149
jackko Avatar answered Sep 28 '22 16:09

jackko
Sign in to Comment

Related questions

Elastic Beanstalk CloudWatch Log streaming stops working – How to debug
Access AWS athena through JPA spring boot
Let only registered users download from my Amazon S3 bucket
Celery connection drop with AWS ELB and RabbitMQ
Using AWS Cognito can I resolve the authenticated IdentityId given a disabled unauthenticated IdentityId?
Private cloud GPU virtualization similar to Amazon Web Services Cluster GPU instances
django-admin.py and python path on EC2 Amazon Beanstalk
Exception with Table identified via AWS Glue Crawler and stored in Data Catalog
AWS Lambda SQS Trigger Throttle/Limit
AWS Lambda@Edge not logging
AWS RDS MySQL Read Replica Lag Issues
Any way to find out my Amazon Product API Limits
Unable To Connect To Amazon AWS Instance Using Java SSH
How to access user's email address in Cognito Federated Identities?
xrdp ubuntu aws missing text
How to programmatically list all aws resources and tags [closed]
Custom filtering on subscription in AWS AppSync
How to name an Auto Scaling Group in a CloudFormation template?
Read parquet data from AWS s3 bucket
How can add/verify dynamically domains and email addresses to amazon SES?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!