AWS API Gateway MTLS - amazon-web-services

I have a problem with the implementation of an API Gateway on AWS with mutual TLS authentication.
I have a custom domain attached to the API Gateway, and the instance is configured with an nginx load balancer.
Custom domain, e.g.: app.sandbox.domain.com
Mutual TLS functions on the custom domain,
but when I go through the environment URL,
environment URL, e.g.: http://app-sandbox.us-east-1.elasticbeanstalk.com/
mutual TLS authentication does not apply.

You should disable the default endpoint on the API GW - only if it's an HTTP API. This will force mTLS for requests to the endpoint.

Related

AWS API Gateway to forward requests to an HTTPS server with a private certificate

Here's my scenario: I am trying to set up the AWS API Gateway so that all calls to the API Gateway endpoints will be forwarded to an Nginx HTTPS server behind it:
         HTTPS                HTTPS                    HTTPS                 plain HTTP
[Client] ------> {{Internet}} -----> [AWS API Gateway] -----> [HTTPS server] ----------> [Internal web services]
Only the HTTPS server can access the internal web services inside a private network. The HTTPS server itself is publicly accessible on the Internet, as is the AWS API Gateway.
Now, the SSL certificate I installed on the HTTPS server is a private one, signed by a private CA I created.
See my AWS API Gateway config here
When the AWS API Gateway tries to forward an HTTPS request to the HTTPS server, via an HTTPS endpoint URL pointing to the server, the AWS API Gateway gets an error:
"Execution failed due to configuration error: General SSLEngine problem"
Perhaps this is because the AWS API Gateway does not recognize my private CA. If so, how do I import my private CA to the AWS API Gateway for this usage?
Edit: My intent here is that the AWS API Gateway will have to authenticate to the HTTPS server using the API Gateway's client certificates.
You cannot use self-signed certificates with API Gateway. If your API Gateway is only meant to be speaking to your server then take a look at using certbot on your local EC2 instance.
Alternatively if you want to add more security, you could perform the following actions.
Migrate the EC2 instance into a private subnet.
Either import or create a new certificate via ACM.
Create an internal network load balancer with a TLS listener, using the certificate you've got setup in ACM.
Create a VPCLink so that your API Gateway can access your internal NLB.

AWS secure REST API with mutual authentication

I want to secure a REST API with mutual authentication on AWS. This means, only clients with a specific client certificate should be able to access the API. What is the best way to secure a REST API on AWS with mutual authentication?
I know there is client certificate support for API Gateway, but this is not what I am looking for. As far as I understand, this only authenticates API Gateway against the backend and is not able to authenticate clients to API Gateway.
Is API Gateway, a load balancer or any other AWS product able to do mutual authentication to secure a REST API, or do I need to implement this on my own?
You'll have to do this on your servers.
None of the services that terminate TLS and forward requests or connections to your app tier -- Elastic Load Balancers (Classic, Application, and Network), CloudFront, or API Gateway -- support TLS mutual auth.
Of course, a Network Load Balancer without TLS termination or a Classic Load Balancer in TCP mode will pass-through your payload, whatever it is, so either of these can be used in front of your servers, but the servers will need to handle all the TLS.
Also, your conclusion is correct that API Gateway's client certificates are not what you are looking for. They work as you described them.
As of 17th September, 2020, support for Mutual Authentication using TLS is available on AWS API Gateway: https://aws.amazon.com/about-aws/whats-new/2020/09/amazon-api-gateway-supports-mutual-tls-authentication/ . It can be used to authenticate clients calling an API on API Gateway.

How to call webservice with self signed certificate from AWS API gateway?

My client has an already developed (and frozen) web service which is secured with a self-signed certificate. I have configured AWS API Gateway to get rid of a CORS issue. When I try to call any endpoint of the web service via AWS API Gateway, I get an HTTP 500 Internal Server Error. Before the client web service was secured with a self-signed certificate, the HTTP-based endpoints were accessible via AWS API Gateway.
What are ways to still call the web service endpoints?
API Gateway will fail on self-signed certificates for HTTP(S) backend integrations.
If you use the test functionality on the API GW, you will see an error in the logs shown on the right about either an SSL Engine problem or a Bad Certificate.
If your backend is already in AWS and fronted by a load balancer, you can think of using free certificates from ACM.
Or you can consider using an NLB that the API Gateway can talk to; using the NLB you can have your backend APIs in a VPC with no public access and still have API GW talk to them.
Edit: For some reason I am not able to link correctly. Here are some links on ACM and NLB.
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html
https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html

Secure HTTP Connection to AWS Lambda (using API Gateway)

I need to make a secure HTTP callout from Salesforce (using Apex) to AWS Lambda and I build my first version using AWS API Gateway. I realized I can get a client certificate from API Gateway (.crt) but this looks like it is only for AWS backend and is not meant to be for the HTTP request sent to API Gateway. What are my alternatives to establish a secure connection from outside AWS (Salesforce) to a Lambda function?
So far I've found this, which is a disappointing dead-end for now.
Like the link you posted says, API Gateway does not currently support MTLS. Other options for you to add security to the calls at the moment are:
IAM permissions.
API Gateway custom authorizers.
Cognito User Pools.
If you need a custom domain associated with the API Gateway:
Go to Route53 and add your domain (new Hosted Zone), if you haven't done it already.
On AWS Certificate Manager, import or request a certificate for the custom domain you intend to use in your API Gateway endpoints.
Open the API Gateway dashboard and go to "Custom Domain Names". Click "Create a custom domain name" and, in the option "ACM Certificate (region)", select the certificate you generated/imported in item 2 above.
That's it, now you should be able to trigger your Lambda functions using API Gateway from a secure connection (HTTPS). Please note that, if you do this, API Gateway will refuse connections over insecure HTTP protocol.

AWS API Gateway MTLS client auth

Every time I searched for Mutual Auth over SSL for AWS API Gateway, I could only find mTLS between AWS API Gateway and backend services. But I'm looking to secure my AWS API Gateway endpoints themselves with mTLS (client auth).
For instance, I have a backend service QueryCustomer which I have proxied through AWS API Gateway. Now I can put an SSL cert on API Gateway, but it's the usual one-way SSL. What I want to achieve is mTLS with client auth, where the consumers of APIs from AWS API Gateway first have to exchange their public certificates, which we configure in the AWS truststore, and the AWS public certificate is stored on the API consumer's end as well.
Now during the handshake, as with other API gateways and application servers, there should be a property that says something like "this AWS API Gateway endpoint requires client auth", so that only if the API consumer's public cert is in the API Gateway truststore is it authenticated to access the endpoint; otherwise it just throws a normal SSL handshake error.
Can someone advise if this is achievable on AWS API Gateway?
This is not currently available from API Gateway, but we have had requests from multiple customers for this feature. Unfortunately, I can't comment on ETA or availability.
23 September 2020
AWS now supports mutual TLS
https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-mutual-tls.html
Also, we can now disable the execute-api endpoint.
aws apigatewayv2 update-api \
--api-id abcdef123 \
--disable-execute-api-endpoint
To use mutual TLS, create a truststore of X.509 certificates that you trust to access your API. The certificates can be from public or private certificate authorities. Certificates can have a maximum chain length of four. You can also provide self-signed certificates. The following are supported:
SHA-256 or stronger
RSA-2048 or stronger
ECDSA-256 or stronger
API Gateway validates a number of certificate properties. You can use Lambda authorizers to perform additional checks when a client invokes an API, including checking if a certificate has been revoked. API Gateway validates the following certificate properties:
Validation                    Description
X.509 syntax                  The certificate must meet X.509 syntax requirements.
Integrity                     The certificate's content must not have been altered from that signed by the certificate authority from the truststore.
Validity                      The certificate's validity period must be current.
Name chaining / key chaining  The names and subjects of certificates must form an unbroken chain. Certificates can have a maximum chain length of four.