In AWS API Gateway, how to restrict HTTPS ciphers to those that provide Perfect Forward Secrecy?

We want to use API Gateway and we want Perfect Forward Secrecy (https://en.wikipedia.org/wiki/Forward_secrecy).

One way to achieve this is to limit the ciphers available when connecting over HTTPS/TLS 1.2 to those that are based on Diffie-Hellman (i.e. not allow RSA). Is there a way to limit the ciphers in API gateway?

Alternatively, is there a way to configure API gateway such that it doesn't terminate HTTPS, but rather forward it to an AWS load balancer (since AWS load balancers do support limiting the cipher suite)?

My research indicates API Gateway does allow HTTPS connections with ciphers that don't support Perfect Forward Secrecy.

Thanks!

Mike Janzen asked Dec 24 '22 21:12


1 Answer

Is there a way to limit the ciphers in API gateway?

To my knowledge, no. API Gateway appears to be backed by CloudFront, which also does not allow TLS cipher-suite configuration.

Alternatively, is there a way to configure API gateway such that it doesn't terminate HTTPS, but rather forward it to an AWS load balancer

No, it cannot do TCP passthrough.

My research indicates API Gateway does allow HTTPS connections with ciphers that don't support Perfect Forward Secrecy

Yes. Not all browsers / user agents support ephemeral keys and API Gateway needs to support all of them (though that list is getting smaller and smaller as old things disappear).

API Gateway is configured to prefer using cipher suites that support ECDHE, so if the browser / user agent supports ECDHE, it will more than likely be used.

If you absolutely must limit the support to cipher suites that offer FS, then you will either need to find a solution other than API Gateway, or put a reverse proxy in front of API Gateway that ensures FS is used, and figure out a way to limit the API gateway to only accept connections from the reverse proxy.

vcsjones answered Jan 04 '23 17:01
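A way to check what this answer describes (whether an endpoint you operate still negotiates RSA key transport, i.e. no forward secrecy) and to build a client or reverse-proxy-side TLS context that offers only forward-secret suites, as an added Python example that is not part of the question or the answer. It relies only on the standard `ssl` module; `accepts_rsa_key_exchange` needs network access and the host name passed to it is assumed to be your own endpoint.

```python
import re
import socket
import ssl

# Key-exchange values OpenSSL prints in a cipher description that give forward
# secrecy: ephemeral (EC)DH for TLS 1.2, and "any" for TLS 1.3 suites, whose
# key exchange is always ephemeral. Static "ECDH/RSA" or "RSA" transport do not.
_FS_KX = {"ECDH", "DH", "any"}


def forward_secret(cipher):
    """True if a cipher dict from SSLContext.get_ciphers() uses an ephemeral
    key exchange. RSA key transport (Kx=RSA) gives no forward secrecy."""
    m = re.search(r"Kx=(\S+)", cipher["description"])
    return bool(m) and m.group(1) in _FS_KX


def fs_only_context():
    """Client/proxy-side context that only offers forward-secret suites:
    TLS 1.2 (EC)DHE with AEAD ciphers, plus TLS 1.3 (ephemeral by design)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20")
    return ctx


def non_fs_ciphers(ctx):
    """Names of suites the context would offer that lack forward secrecy."""
    return [c["name"] for c in ctx.get_ciphers() if not forward_secret(c)]


def accepts_rsa_key_exchange(host, port=443, timeout=5.0):
    """Handshake offering only TLS 1.2 RSA-key-transport suites. True means the
    endpoint negotiated a non-forward-secret suite; False means it refused."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # keep TLS 1.3 (always FS) out
    ctx.set_ciphers("kRSA")  # OpenSSL alias: RSA key exchange only
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher() is not None
    except ssl.SSLError:  # handshake failure alert: no common suite
        return False


if __name__ == "__main__":
    # Sanity check of the restricted context; replace the host with your own API endpoint.
    print("non-FS suites offered by fs_only_context():", non_fs_ciphers(fs_only_context()))
    print("accepts RSA key exchange:", accepts_rsa_key_exchange("example.com"))
```

A proxy in front of API Gateway can enforce the same set by configuring its listener with the cipher string used in `fs_only_context`, and `accepts_rsa_key_exchange` then confirms from the outside that RSA key transport is refused.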