AWS API Gateway MTLS client auth

Question

Everytime I searched for Mutual Auth over SSL for AWS API Gateway I can only find MTLS between AWS API Gateway and Backend Services. But I'm looking to secure my AWS API Gateway endpoints itself with MTLS (client auth).

For instance, I have a backed service QueryCustomer which I have proxied through AWS API Gateway. Now I can put an SSL Cert on API Gateway but it's usual 1-way SSL. What I want to achieve is to have an MTLS with client auth where the consumer of APIs from AWS API Gateway first have to exchange their public certificates which we configure on the AWS truststores and AWS public certificates will be stored on API consumer end as well.

Now during the handshake as with other API Gateways and application servers should there be a property which says something like this AWS API Gateway endpoint 'requires client auth' so that only if API consumer's public cert is in API Gateway truststore should be authenticated to access the endpoint, otherwise just throw normal SSL handshake error.

Can someone advise if this is achievable on AWS API Gateway?

Answer 1

23 September 2020

AWS now supports mutual TLS

https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-mutual-tls.html

Also we can now disable the execute-api-endpoint.

aws apigatewayv2 update-api \
    --api-id abcdef123 \
    --disable-execute-api-endpoint

To use mutual TLS, create a truststore of X.509 certificates that you trust to access your API. The certificates can be from public or private certificate authorities. Certificates can have a maximum chain length of four. You can also provide self-signed certificates. The following are supported:

SHA-256 or stronger RSA-2048 or stronger ECDSA-256 or stronger

API Gateway validates a number of certificate properties. You can use Lambda authorizers to perform additional checks when a client invokes an API, including checking if a certificate has been revoked. API Gateway validates the following certificate properties:

Validation Description X.509 syntax

The certificate must meet X.509 syntax requirements.

Integrity

The certificate's content must not have been altered from that signed by the certificate authority from the truststore.

Validity

The certificate's validity period must be current.

Name chaining / key chaining

The names and subjects of certificates must form an unbroken chain. Certificates can have a maximum chain length of four.

Answer 2

This is not currently available from API Gateway, but we have had requests from multiple customers for this feature. Unfortunately, I can't comment on ETA or availability.