AWS API Gateway and AWS Lambda - handling client certificate - amazon-web-services

I am looking to build an API orchestration layer using API Gateway and Lambda.
For my basic use case I want to have a Python script in Lambda that will just relay the request received at the API Gateway from the client (mobile app in this case) and call an external HTTPS service as the backend.
My question is:
Our mobile client uses client certificates to talk to our HTTPS endpoint today.
How do I go about intercepting that client certificate in my new API Gateway + Lambda setup?

Responded here. Copying the answer below for StackOverflow audience-
===
Unfortunately, API Gateway does not support client certificate validation from clients to API Gateway at the moment. We do, however, support client side SSL certificates for authentication by the backends.
Depending on your use-case, you can use various other options in API Gateway to authenticate/authorize your calls from the mobile client; eg API Keys, Custom Authorizers etc. The request from API Gateway to Lambda should already be encrypted.
Hope that helps,
Ritisha.

Related

can I proxy AWS API Gateway WebSocket to WebSocket?

Currently I am using the API Gateway as a kind of proxy to provide https simply
https://random-aws-name.com => http://my-domain.com
The route was $default
The integration setup is HTTP ANY -> http://my-domain.com
I am now having to setup an Websocket server on my domain that is already listening at ws://my-domain.com. I can connect directly to this socket but not using the AWS API Gateway
wss://random-aws-name.com => ws://my-domain.com
Currently I an getting unexpected error 400, using wscat
I tried to enable API gateway logging and do not see any log arrive
IMHO, AWS API Gateway is only able to provide a wss end point and route requests to HTTP backends only. If we already have a backend websocket server, I don't see an option in AWS API Gateway to perform such routing (Although I would be glad to be proven wrong as I have such a requirement myself.).
I actually tried giving wss:// url as the Endpoint URL but I got an error while deploying the API saying Invalid HTTP endpoint specified for URI
Most likely, the API Gateway you are currently using is not a WebSocket API, but rather an HTTP API or REST API. API Gateway has different flavors. You pick a flavor when you deploy. The flavor that you deployed is most likely not the flavor that supports WebSocket connections.
According to this documentation page, proxied WebSocket connections may only be one-way (note in blue box at bottom of page): https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api-routes-integrations.html

AWS secure REST API with mutual authentication

I want to secure a REST API with mutual authentication on AWS. This means, only clients with a specific client certificate should be able to access the API. What is the best way to secure a REST API on AWS with mutual authentication?
I know, there is client certificate support for API Gateway, but this is not what I am looking for. As far as I understand, this only authenticates Api Gateway against backend and is not able to authenticate clients to Api gateway.
Is Api Gateway, Load balancer or any other AWS product able to do mutual authentication to secure a rest API or do I need to implement this by my own?
You'll have to do this on your servers.
None of the services that terminate TLS and forward requests or connections to your app tier -- Elastic Load Balancers (Classic, Application, and Network), CloudFront, or API Gateway -- support TLS mutual auth.
Of course, a Network Load Balancer without TLS termination or a Classic Load Balancer in TCP mode will pass-through your payload, whatever it is, so either of these can be used in front of your servers, but the servers will need to handle all the TLS.
Also, your conclusion is correct that API Gateway's client certificates are not what you are looking for. They work as you described them.
As of 17th September, 2020, support for Mutual Authentication using TLS is available on AWS API Gateway: https://aws.amazon.com/about-aws/whats-new/2020/09/amazon-api-gateway-supports-mutual-tls-authentication/ . It can be used to authenticate clients calling an API on API Gateway.

How to call webservice with self signed certificate from AWS API gateway?

My client has an already developed (and frozen) web service which is being secured with self signed certificate. I have configured AWS API gateway to get rid of CORS issue. When I try to call any endpoint of the web service via AWS API gateway, I find HTTP 500 Internal Server error. Until the client web service is made secured with self signed certificate, HTTP based endpoints were accessible via AWS API gateway.
What are ways to still call the web service endpoints?
API Gateway will fail on self signed certificates for http(s) backend integrations.
If you use the test functionality on the API GW you will see a error in the logs that it gives on the right about either a SSL Engine Problem or Bad Certificate.
If your backend is already in AWS and fronted by a load balancer you can think of using free certificates from ACM.
Or you can consider using a NLB that the API gateway can talk to, using the NLB you can have your backend apis' in a VPC and have no public access and still have API GW talk to them.
Edit: For some reason I am not able to link correctly. Here are some links on ACM and NLB.
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html
https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html

Secure HTTP Connection to AWS Lambda (using API Gateway)

I need to make a secure HTTP callout from Salesforce (using Apex) to AWS Lambda and I build my first version using AWS API Gateway. I realized I can get a client certificate from API Gateway (.crt) but this looks like it is only for AWS backend and is not meant to be for the HTTP request sent to API Gateway. What are my alternatives to establish a secure connection from outside AWS (Salesforce) to a Lambda function?
So far I've found this, which is a disappointing dead-end for now.
Like the link you posted says, API Gateway does not currently support MTLS. Other options for you to add security to the calls at the moment are:
IAM permissions, and here.
API Gateway custom authorizers.
Cognito User Pools.
If you need a custom domain associated with the API Gateway:
Go to Route53 and add your domain (new Hosted Zone), if you haven't done it already.
On AWS Certificate Manager, import or request a certificat for the custom domain you intend to use in your API Gateway endpoints.
Open the API Gateway dashboard and go to "Custom Domain Names". Click "Create a custom domain name" and, in the option "ACM Certificate (region)", select the certificate you generated/imported in item 2 above.
That's it, now you should be able to trigger your Lambda functions using API Gateway from a secure connection (HTTPS). Please note that, if you do this, API Gateway will refuse connections over insecure HTTP protocol.

SSL Client Certificate Amazon API Gateway

I am not sure how client side ssl certifcate works. Please clarify the behavior in following scenario.
In case of Amazon API coupled with client side AWS Generated SSL certificates ,
I wish to know whether these certificates are added by API gateway on invocation of apis or the client who is consuming these apis need to add them.
API Gateway adds the certificate to the request. Your server would then check the certificate attached to the request to verify that the request came from API Gateway.