AWS API Gateway MTLS client auth

Every time I searched for mutual auth over SSL for AWS API Gateway, I could only find MTLS between AWS API Gateway and backend services. But I'm looking to secure my AWS API Gateway endpoints themselves with MTLS (client auth).

For instance, I have a backend service, QueryCustomer, which I have proxied through AWS API Gateway. Now I can put an SSL cert on API Gateway, but it's the usual 1-way SSL. What I want to achieve is MTLS with client auth, where the consumers of APIs from AWS API Gateway first have to exchange their public certificates, which we configure in the AWS truststores, and the AWS public certificates will be stored on the API consumers' end as well.

Now, during the handshake, as with other API gateways and application servers, there should be a property which says something like "this AWS API Gateway endpoint requires client auth", so that only API consumers whose public cert is in the API Gateway truststore are authenticated to access the endpoint; otherwise it just throws a normal SSL handshake error.

Can someone advise if this is achievable on AWS API Gateway?

Shoaib Khan asked Aug 02 '17 09:08
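The handshake rule the question describes, as an added example that is not part of this post and not AWS code: a Go standard-library TLS endpoint whose truststore holds one CA, so a consumer presenting a certificate issued by that CA gets through while one with a certificate from an unknown issuer is rejected at the handshake. Everything in it is constructed for the demo: the self-signed CA, the two consumer certificates, and `httptest` standing in for the gateway (it supplies the endpoint's own 1-way server certificate).

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)
// issue returns a test certificate: self-signed when parent is nil, otherwise signed by parent with pkey.
func issue(ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: ca, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey) // fixed inputs: errors ignored in this demo
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Demo: an endpoint that requires client auth against a one-CA truststore; reports which consumer got through.
func Demo() (trusted, unknownIssuer bool) {
	ca, caKey := issue(true, nil, nil)        // the CA whose certificate sits in the endpoint's truststore
	good, goodKey := issue(false, ca, caKey)  // consumer certificate issued by that CA
	rogue, rogueKey := issue(false, nil, nil) // well-formed consumer certificate, but not chained to the truststore
	trust := x509.NewCertPool()
	trust.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trust} // the "requires client auth" switch
	srv.StartTLS() // httptest supplies the endpoint's own (1-way TLS) server certificate
	defer srv.Close()
	call := func(cert *x509.Certificate, key ed25519.PrivateKey) bool {
		cfg := srv.Client().Transport.(*http.Transport).TLSClientConfig.Clone() // already trusts the endpoint's cert
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}
		resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL)
		if err != nil {
			return false // the handshake alert (certificate not in the truststore) surfaces here
		}
		return resp.Body.Close() == nil
	}
	return call(good, goodKey), call(rogue, rogueKey)
}
func main() { fmt.Println(Demo()) } // prints: true false
```

`tls.RequireAndVerifyClientCert` plus `ClientCAs` is the single property the question asks for; a consumer with no certificate at all is refused by the same setting.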



1 Answer

This is not currently available from API Gateway, but we have had requests from multiple customers for this feature. Unfortunately, I can't comment on ETA or availability.

jackko answered Sep 28 '22 16:09