Mutual Authentication (2-way SSL) in AWS Lambda

I am building an AWS Lambda service for a small PoC. The flow in the PoC is:

  • take a (text) input via POST,
  • perform a small string manipulation,
  • store the manipulated value into DynamoDB, and then
  • send the same (manipulated) value to a particular URL via HTTP POST

Seems like a simple Lambda tutorial example, but the tricky part for me was the authorization. The URL that I have to POST to only allows requests that are mutually authenticated via an SSL cert. How can I achieve this in Lambda?

I could not find enough answers to make this work. I looked at using the AWS API Gateway 2-way SSL cert option. However, for that to work, I need to install the receiving party's cert into the cert store. Is this even possible? Or is the only way to use a micro-EC2 box?

In Lambda, I am okay to use Node.js, Java, or Python.

Sanjeev asked Mar 06 '17 06:03

1 Answer

How to implement mutual TLS in AWS Lambda?

First, big applause to Hakky54 for this good tutorial on mutual TLS: https://github.com/Hakky54/mutual-tls-ssl

I followed his tutorial to understand and implement mTLS for AWS Lambdas. You can also test your implementation locally before deploying to AWS by just running the Spring Boot app, which saves a lot of time.

Steps (all commands are documented on the above link):

  1. Export the server cert and import it into the client trust store.
  2. Load your client key store and trust store; I saved both in an S3 bucket.
  3. Create the TLS context:

    import java.security.KeyStore;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.SSLContext;
    import org.apache.http.ssl.SSLContexts;

    // keyStore, keyStorePassword and trustStore are the stores loaded in step 2
    SSLContext sslContext = SSLContexts.custom()
        // client key and certificate chain that is presented to the server
        .loadKeyMaterial(keyStore, keyStorePassword.toCharArray())
        // a TrustStrategy that returns true for every chain: the server certificate
        // is not actually checked against trustStore; pass null instead to validate it
        .loadTrustMaterial(trustStore, (X509Certificate[] chain, String authType) -> true)
        .build();

  4. Create a new Jersey client:

    import javax.ws.rs.client.Client;
    import javax.ws.rs.client.ClientBuilder;
    import org.glassfish.jersey.client.ClientConfig;

    // Set only the SSLContext: calling keyStore()/trustStore() on the builder as well
    // would discard it, because each of those methods resets a previously set context
    Client client = ClientBuilder.newBuilder()
        .withConfig(new ClientConfig())
        .sslContext(sslContext)
        .build();

  5. Make the call to the API:

    client.target(endpoint).request().get();

I am storing my keystore credentials in Parameter Store.

dsharew answered Sep 19 '22 12:09
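The same steps wired together as one class, added here as an example (not dsharew's or Hakky54's code): it loads both PKCS12 stores from S3 and the key-store password from Parameter Store, validates the server chain against the trust store instead of accepting every chain, and POSTs the value. It assumes the AWS SDK for Java v2, Apache HttpClient's SSLContexts and Jersey; the bucket, object keys and parameter name are placeholders.

```java
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.Entity;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.apache.http.ssl.SSLContexts;
import org.glassfish.jersey.client.ClientConfig;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.ssm.SsmClient;

/** Builds a JAX-RS client that presents a client certificate and verifies the server's. */
public final class MutualTlsClient {

    /** Loads a PKCS12 store from an S3 object (bucket/key are placeholders). */
    static KeyStore loadStore(S3Client s3, String bucket, String key, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (InputStream in = s3.getObject(b -> b.bucket(bucket).key(key))) {
            store.load(in, password);
        }
        return store;
    }

    /** Reads a SecureString parameter (placeholder name) from SSM Parameter Store. */
    static char[] secret(SsmClient ssm, String name) {
        return ssm.getParameter(r -> r.name(name).withDecryption(true))
                  .parameter().value().toCharArray();
    }

    static Client build(KeyStore keyStore, char[] keyPassword, KeyStore trustStore) throws Exception {
        SSLContext ctx = SSLContexts.custom()
            // our private key and chain: this is what the server authenticates
            .loadKeyMaterial(keyStore, keyPassword)
            // null TrustStrategy: the server chain must validate against trustStore
            .loadTrustMaterial(trustStore, null)
            .build();
        // only sslContext(): keyStore()/trustStore() on the builder would reset it
        return ClientBuilder.newBuilder().withConfig(new ClientConfig()).sslContext(ctx).build();
    }

    /** POSTs the manipulated value and returns the HTTP status. */
    static int post(Client client, String endpoint, String body) {
        Response r = client.target(endpoint).request()
                           .post(Entity.entity(body, MediaType.TEXT_PLAIN));
        int status = r.getStatus();
        r.close();
        return status;
    }
}
```

Build the Client once per Lambda container (loading the stores from S3 is the slow part) and reuse it across invocations.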