I'm new to AWS API Gateway. We are trying to connect to a backend service which is outside AWS using mutual TLS from API Gateway.
Is this possible using AWS API Gateway? If so, can you please let me know how we can achieve this?
Mutual authentication is not supported by API Gateway. You can set up authentication for your backend using client-side certificates.
https://forums.aws.amazon.com/thread.jspa?threadID=297461
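A worked version of the backend-side client certificate setup the answer above refers to, added here as an example (it is not code from the thread or from AWS). API Gateway mints a client certificate, the stage is told to present it on backend integrations, and the backend pins that certificate's fingerprint. The two boto3 calls are the real API Gateway operations; the API ID, stage name and region are placeholders, the PEM blocks are constructed data, and `backend_accepts` is a hypothetical backend-side check.

```python
"""Client-certificate authentication from API Gateway to an external backend.

Added example; not code from the original thread. The boto3 calls are the
real API Gateway operations (generate_client_certificate, update_stage); the
API ID, stage name and the PEM blocks below are placeholders/constructed.
"""
import base64
import hashlib
import hmac
import re
from typing import Optional

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """DER bytes of the first certificate in a PEM string (base64 body decoded)."""
    match = PEM_CERT_RE.search(pem)
    if not match:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(match.group(1).split()))


def cert_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of the certificate, lowercase hex."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def attach_client_certificate(rest_api_id: str, stage_name: str, region: str = "us-east-1") -> str:
    """Have API Gateway mint a client certificate and present it on this stage.

    Returns the PEM the backend must pin. Needs AWS credentials, so it is not
    exercised offline. API Gateway client certificates expire after one year:
    plan the rotation (generate a new one, pin it on the backend as well, then
    switch the stage over).
    """
    import boto3  # imported here so the module loads without boto3 installed

    apigw = boto3.client("apigateway", region_name=region)
    cert = apigw.generate_client_certificate(description=f"{rest_api_id}/{stage_name}")
    apigw.update_stage(
        restApiId=rest_api_id,
        stageName=stage_name,
        patchOperations=[
            {"op": "replace", "path": "/clientCertificateId", "value": cert["clientCertificateId"]}
        ],
    )
    return cert["pemEncodedCertificate"]


def backend_accepts(presented_pem: Optional[str], pinned_fingerprint: str) -> bool:
    """Hypothetical backend-side check: accept only the certificate API Gateway was issued.

    presented_pem is the certificate the TLS server saw from its client (for
    nginx, $ssl_client_cert with ssl_verify_client set to optional_no_ca);
    None means no certificate was sent. Anything unparsable is rejected.
    """
    if not presented_pem:
        return False
    try:
        return hmac.compare_digest(cert_fingerprint(presented_pem), pinned_fingerprint)
    except ValueError:
        return False


def _fake_pem(body: bytes) -> str:
    """Constructed stand-in for a PEM certificate (base64 of arbitrary bytes)."""
    return (
        "-----BEGIN CERTIFICATE-----\n"
        + base64.b64encode(body).decode()
        + "\n-----END CERTIFICATE-----\n"
    )


# Constructed sample data: the "gateway" certificate we pin, and an impostor.
GATEWAY_PEM = _fake_pem(b"constructed: certificate API Gateway presented")
IMPOSTOR_PEM = _fake_pem(b"constructed: some other client certificate")
PINNED_FINGERPRINT = cert_fingerprint(GATEWAY_PEM)

if __name__ == "__main__":
    print("gateway accepted:", backend_accepts(GATEWAY_PEM, PINNED_FINGERPRINT))
    print("impostor accepted:", backend_accepts(IMPOSTOR_PEM, PINNED_FINGERPRINT))
```

Pinning the fingerprint rather than building a chain is deliberate: the certificate API Gateway generates is not issued by a CA your backend already trusts, so the backend's check is "is this exactly the certificate I was given", and the rotation window before expiry is when both the old and the new fingerprint must be accepted.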
We need to provide static IPs to our API GW using HTTP API GW - and not REST API GW. 🎯
It's a tricky process, but here is a good resource about it from AWS official docs.
The problem is there are only a few articles about it, and it seems that it is not possible by using an HTTP API GW, only by using a REST API GW. 😞
Suggestions?
From the AWS Support team reply:
As you have correctly indicated, this can be configured for an API Gateway REST API by making use of AWS Global Accelerator [1]. However, this would unfortunately not be possible for an API Gateway HTTP API. The closest recommendation that I can make to achieve your use-case would be to possibly use an EC2 instance or a proxy service where you can configure a static IP and then forward the requests to your HTTP API.
As @Marcin has commented.
I have a problem with the implementation of an API Gateway on AWS with mutual TLS authentication.
I have a custom domain attached to the API Gateway; the instance is configured with an nginx load balancer.
Custom domain, e.g.: app.sandbox.domain.com
Mutual TLS works on the custom domain,
but when I go through the environment URL
(environment URL, e.g.: http://app-sandbox.us-east-1.elasticbeanstalk.com/)
mutual TLS authentication does not apply.
You should disable the default endpoint on the API GW - only if it's an HTTP API. This will force mTLS for requests to the endpoint.
I want to secure a REST API with mutual authentication on AWS. This means, only clients with a specific client certificate should be able to access the API. What is the best way to secure a REST API on AWS with mutual authentication?
I know there is client certificate support for API Gateway, but this is not what I am looking for. As far as I understand, this only authenticates API Gateway against the backend and is not able to authenticate clients to API Gateway.
Is API Gateway, a load balancer or any other AWS product able to do mutual authentication to secure a REST API, or do I need to implement this on my own?
You'll have to do this on your servers.
None of the services that terminate TLS and forward requests or connections to your app tier -- Elastic Load Balancers (Classic, Application, and Network), CloudFront, or API Gateway -- support TLS mutual auth.
Of course, a Network Load Balancer without TLS termination or a Classic Load Balancer in TCP mode will pass-through your payload, whatever it is, so either of these can be used in front of your servers, but the servers will need to handle all the TLS.
Also, your conclusion is correct that API Gateway's client certificates are not what you are looking for. They work as you described them.
As of 17 September 2020, support for mutual TLS authentication is available on AWS API Gateway: https://aws.amazon.com/about-aws/whats-new/2020/09/amazon-api-gateway-supports-mutual-tls-authentication/ . It can be used to authenticate clients calling an API on API Gateway.
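What enabling that feature on a REST API actually involves, added here as an example (not code from the thread or from AWS): a PEM truststore of CA certificates in S3, a REGIONAL custom domain whose `mutualTlsAuthentication` points at that object, and the default execute-api endpoint disabled so the custom domain cannot be bypassed. The boto3 calls and patch path are the real API Gateway operations; bucket, domain, certificate ARN, API ID and region are placeholders, and the PEM blocks are constructed, not real certificates.

```python
"""Mutual TLS from callers to an API Gateway REST API.

Added example; not code from the original thread. Order matters: the
truststore must exist in S3 before the custom domain references it, and
the execute-api endpoint stays open until you disable it explicitly.
Bucket, domain, certificate ARN and API ID are placeholders; the PEM
blocks below are constructed, not real certificates.
"""
import re
from typing import Dict, List, Optional

PEM_BEGIN_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----")
PEM_END_RE = re.compile(r"-----END ([A-Z ]+)-----")


def check_truststore(pem_bundle: str) -> int:
    """Sanity-check a truststore before uploading it.

    API Gateway expects this file to hold only PEM-encoded CA certificates.
    Returns the certificate count; raises ValueError for an empty bundle,
    for non-certificate blocks (a private key pasted in by mistake is the
    usual one) and for unbalanced BEGIN/END markers.
    """
    begins = PEM_BEGIN_RE.findall(pem_bundle)
    ends = PEM_END_RE.findall(pem_bundle)
    if not begins:
        raise ValueError("truststore contains no PEM blocks")
    bad = sorted({k for k in begins + ends if k != "CERTIFICATE"})
    if bad:
        raise ValueError(f"truststore must contain only certificates, found: {bad}")
    if len(begins) != len(ends):
        raise ValueError("unbalanced BEGIN/END CERTIFICATE markers")
    return len(begins)


def truststore_problem(pem_bundle: str) -> Optional[str]:
    """Non-raising form of check_truststore: None if fine, else the reason."""
    try:
        check_truststore(pem_bundle)
        return None
    except ValueError as exc:
        return str(exc)


def domain_name_params(domain: str, cert_arn: str, truststore_uri: str,
                       truststore_version: Optional[str] = None) -> Dict:
    """Request for apigateway.create_domain_name with mTLS enabled.

    mTLS needs a REGIONAL endpoint (and an ACM certificate in the same
    region). Pinning truststoreVersion to the S3 object version keeps a
    later upload from silently changing who is trusted.
    """
    mtls = {"truststoreUri": truststore_uri}
    if truststore_version:
        mtls["truststoreVersion"] = truststore_version
    return {
        "domainName": domain,
        "regionalCertificateArn": cert_arn,
        "endpointConfiguration": {"types": ["REGIONAL"]},
        "securityPolicy": "TLS_1_2",
        "mutualTlsAuthentication": mtls,
    }


def disable_default_endpoint_ops() -> List[Dict]:
    """Patch for apigateway.update_rest_api: turn off the execute-api URL.

    Without this, https://<api-id>.execute-api.<region>.amazonaws.com/<stage>
    still answers with no client certificate, which is the bypass through the
    default URL described earlier on this page.
    """
    return [{"op": "replace", "path": "/disableExecuteApiEndpoint", "value": "true"}]


def enable_mtls(bucket, key, pem_bundle, domain, cert_arn, rest_api_id, region="us-east-1"):
    """Run the three steps against AWS. Needs credentials; not exercised offline."""
    import boto3  # imported here so the module loads without boto3 installed

    check_truststore(pem_bundle)
    put = boto3.client("s3", region_name=region).put_object(
        Bucket=bucket, Key=key, Body=pem_bundle.encode())
    apigw = boto3.client("apigateway", region_name=region)
    apigw.create_domain_name(**domain_name_params(
        domain, cert_arn, f"s3://{bucket}/{key}", put.get("VersionId")))
    apigw.update_rest_api(restApiId=rest_api_id,
                          patchOperations=disable_default_endpoint_ops())
    # Still needed outside this script: the base path mapping to the API stage
    # and the DNS record for the custom domain.


def _block(kind: str, body: str) -> str:
    return f"-----BEGIN {kind}-----\n{body}\n-----END {kind}-----\n"


# Constructed sample bundles (placeholder base64, not real certificates).
GOOD_BUNDLE = (_block("CERTIFICATE", "MIIBconstructedRootCA==")
               + _block("CERTIFICATE", "MIIBconstructedIssuingCA=="))
BAD_BUNDLE = GOOD_BUNDLE + _block("PRIVATE KEY", "MIIEconstructedKeyMaterial==")
```

The truststore is the trust anchor for every caller, so treat the bucket like a CA store: versioning on, writes restricted, and the version id pinned in the domain configuration so a replaced object does not take effect until you choose to update it.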
My client has an already developed (and frozen) web service which is being secured with a self-signed certificate. I have configured AWS API Gateway to get rid of the CORS issue. When I try to call any endpoint of the web service via AWS API Gateway, I get an HTTP 500 Internal Server Error. Until the client web service was secured with the self-signed certificate, the HTTP-based endpoints were accessible via AWS API Gateway.
What are ways to still call the web service endpoints?
API Gateway will fail on self-signed certificates for HTTP(S) backend integrations.
If you use the test functionality on the API GW, you will see an error in the logs it shows on the right about either an SSL engine problem or a bad certificate.
If your backend is already in AWS and fronted by a load balancer you can think of using free certificates from ACM.
Or you can consider using an NLB that the API Gateway can talk to; using the NLB you can have your backend APIs in a VPC with no public access and still have API GW talk to them.
Edit: For some reason I am not able to link correctly. Here are some links on ACM and NLB.
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html
https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html
I am looking to build an API orchestration layer using API Gateway and Lambda.
For my basic use case I want to have a Python script in Lambda that will just relay the request received at the API Gateway from the client (mobile app in this case) and call an external HTTPS service as the backend.
My question is:
Our mobile client uses client certificates to talk to our HTTPS endpoint today.
How do I go about intercepting that client certificate in my new API Gateway + Lambda setup?
Responded here. Copying the answer below for the StackOverflow audience:
===
Unfortunately, API Gateway does not support client certificate validation from clients to API Gateway at the moment. We do, however, support client-side SSL certificates for authentication by the backends.
Depending on your use case, you can use various other options in API Gateway to authenticate/authorize your calls from the mobile client, e.g. API keys, custom authorizers, etc. The request from API Gateway to Lambda should already be encrypted.
Hope that helps,
Ritisha.
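One of the alternatives the answer above points to, a custom (Lambda) authorizer, worked through as an added example; it is not code from the answer or from AWS. The authorizer accepts a bearer token whose payload is HMAC-SHA256 signed with a shared secret and returns the IAM policy document API Gateway expects from a TOKEN authorizer. The secret, the sample method ARN and the `mint_token` issuer are placeholders and constructed data; in practice the secret comes from Secrets Manager or an environment variable and tokens are issued by your identity service.

```python
"""Lambda TOKEN authorizer for API Gateway.

Added example; not code from the original answer. Tokens are
<base64url(payload)>.<base64url(HMAC-SHA256(payload))>; the payload
carries the subject and an expiry. SECRET is a placeholder.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

SECRET = b"constructed-demo-secret-do-not-use"  # placeholder, load from a secret store


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, ttl_seconds: int = 300, now: Optional[int] = None) -> str:
    """Issue a token (stand-in for your identity service); `now` is injectable for tests."""
    issued = int(time.time()) if now is None else now
    payload = json.dumps({"sub": subject, "exp": issued + ttl_seconds},
                         separators=(",", ":")).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{_b64url(payload)}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[Dict[str, Any]]:
    """Claims if the signature is valid and the token unexpired, else None.

    The signature is checked (constant-time) before the payload is parsed, so
    tampered or malformed tokens never reach the JSON parser.
    """
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _b64url_decode(payload_b64)
        sig = _b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    current = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or "sub" not in claims or claims.get("exp", 0) <= current:
        return None
    return claims


def policy(principal_id: str, effect: str, method_arn: str) -> Dict[str, Any]:
    """IAM policy document in the shape API Gateway expects back from an authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": method_arn}],
        },
    }


def handler(event: Dict[str, Any], context: Any = None, now: Optional[int] = None) -> Dict[str, Any]:
    """Lambda entry point for a TOKEN authorizer.

    event["authorizationToken"] is the raw header value and event["methodArn"]
    the invoked method. Raising an exception whose message is exactly
    "Unauthorized" makes API Gateway answer 401 without calling the backend;
    returning a Deny policy would give 403 instead.
    """
    token = event.get("authorizationToken", "")
    if token.lower().startswith("bearer "):
        token = token[7:]
    claims = verify_token(token, now=now)
    if claims is None:
        raise Exception("Unauthorized")
    return policy(str(claims["sub"]), "Allow", event["methodArn"])


def rejects(event: Dict[str, Any], now: Optional[int] = None) -> bool:
    """True when handler() would signal Unauthorized for this event."""
    try:
        handler(event, now=now)
        return False
    except Exception as exc:
        return str(exc) == "Unauthorized"


# Constructed sample method ARN (region, account and API id are placeholders).
SAMPLE_ARN = "arn:aws:execute-api:us-east-1:123456789012:abcdef123/prod/GET/orders"
```

Returning a policy scoped to the single `methodArn` is the safe default; API Gateway caches the policy per token for the authorizer's TTL, so a broader `Resource` (a wildcard over the stage) is what you use when one token should cover several methods, and the cache TTL then bounds how long a revoked token keeps working.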