Every time I searched for Mutual Auth over SSL for AWS API Gateway I can only find MTLS between AWS API Gateway and Backend Services. But I
23 September 2020
AWS now supports mutual TLS
https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-mutual-tls.html
Also, we can now disable the execute-api endpoint.
aws apigatewayv2 update-api \
--api-id abcdef123 \
--disable-execute-api-endpoint
To use mutual TLS, create a truststore of X.509 certificates that you trust to access your API. The certificates can be from public or private certificate authorities. Certificates can have a maximum chain length of four. You can also provide self-signed certificates. The following are supported:
- SHA-256 or stronger
- RSA-2048 or stronger
- ECDSA-256 or stronger
API Gateway validates a number of certificate properties. You can use Lambda authorizers to perform additional checks when a client invokes an API, including checking if a certificate has been revoked. API Gateway validates the following certificate properties:
Validation                     Description
X.509 syntax                   The certificate must meet X.509 syntax requirements.
Integrity                      The certificate's content must not have been altered from that signed by the certificate authority from the truststore.
Validity                       The certificate's validity period must be current.
Name chaining / key chaining   The names and subjects of certificates must form an unbroken chain. Certificates can have a maximum chain length of four.
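To make the truststore step concrete, here is an added example (mine, not part of the original answer or of AWS's documentation) that builds a private root CA, an intermediate CA and a client certificate with openssl, writes the PEM bundle API Gateway reads from S3, and then runs the same kinds of checks API Gateway lists above (signature integrity, validity period, name/key chaining, chain length) locally with `openssl verify` before anything is uploaded. A deliberately untrusted self-signed client certificate is built alongside to show the chaining check rejecting it. The directory layout, CA names, bucket, domain and ACM certificate ARN are hypothetical placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the original post or from AWS: build an API Gateway
# mutual TLS truststore with openssl and check client certificates against it
# locally. Directory layout, CA names, bucket/domain/ARN are hypothetical.
set -euo pipefail

# write_ext ca|leaf FILE: X.509 v3 extensions for a CA or for a TLS client leaf.
write_ext() {
  case "$1" in
    ca)   printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' ;;
    leaf) printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' ;;
  esac > "$2"
}

# gen_key FILE: ECDSA P-256 key, which meets the "ECDSA-256 or stronger" minimum.
gen_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# build_truststore DIR: root CA -> intermediate CA -> client cert, all SHA-256.
# truststore.pem is the bundle of CA certificates the gateway should trust;
# client.key/client.pem stay with the client.
build_truststore() {
  local d="$1"
  mkdir -p "$d"
  write_ext ca "$d/ca.ext"; write_ext leaf "$d/leaf.ext"

  gen_key "$d/root.key"
  openssl req -new -key "$d/root.key" -subj "/CN=Example Root CA" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -sha256 -days 3650 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null

  gen_key "$d/int.key"
  openssl req -new -key "$d/int.key" -subj "/CN=Example Issuing CA" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -sha256 -days 1825 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null

  gen_key "$d/client.key"
  openssl req -new -key "$d/client.key" -subj "/CN=client-01" -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -sha256 -days 365 -extfile "$d/leaf.ext" -out "$d/client.pem" 2>/dev/null

  # Root plus intermediate: chaining from the client cert has to reach a trusted
  # root, so the issuing CA must be in the bundle (assumption: clients will not
  # send it themselves).
  cat "$d/root.pem" "$d/int.pem" > "$d/truststore.pem"
}

# make_untrusted_client DIR: self-signed client cert from a key no CA in the
# truststore ever signed; integrity/chaining must reject it.
make_untrusted_client() {
  local d="$1"
  mkdir -p "$d"; write_ext leaf "$d/leaf.ext"
  gen_key "$d/untrusted.key"
  openssl req -new -key "$d/untrusted.key" -subj "/CN=client-rogue" -out "$d/untrusted.csr" 2>/dev/null
  openssl x509 -req -in "$d/untrusted.csr" -signkey "$d/untrusted.key" -sha256 -days 365 \
    -extfile "$d/leaf.ext" -out "$d/untrusted.pem" 2>/dev/null
}

# verify_client TRUSTSTORE CERT: syntax, signature integrity, validity period and
# name/key chaining, as openssl evaluates them; exit 0 only if the cert chains to
# the bundle and is usable as a TLS client certificate.
verify_client() {
  openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

# chain_length TRUSTSTORE CERT: number of certificates in the verified chain
# (leaf included); prints 0 if no chain can be built.
chain_length() {
  openssl verify -CAfile "$1" -show_chain "$2" 2>/dev/null | grep -c '^depth=' || true
}

# check_chain_length TRUSTSTORE CERT: API Gateway allows at most four.
check_chain_length() {
  local n; n=$(chain_length "$1" "$2")
  [ "$n" -ge 1 ] && [ "$n" -le 4 ]
}

# bind_truststore BUCKET DIR DOMAIN ACM_ARN: upload the bundle and attach it to a
# custom domain. Needs AWS credentials; not run by the checks below. Pair it with
# "aws apigatewayv2 update-api --disable-execute-api-endpoint" so clients cannot
# bypass mTLS through the default execute-api endpoint.
bind_truststore() {
  aws s3 cp "$2/truststore.pem" "s3://$1/truststore.pem"
  aws apigatewayv2 create-domain-name --domain-name "$3" \
    --domain-name-configurations "CertificateArn=$4" \
    --mutual-tls-authentication "TruststoreUri=s3://$1/truststore.pem"
}
```

Usage: `build_truststore ./pki && verify_client ./pki/truststore.pem ./pki/client.pem` builds the PKI and confirms the client certificate chains; `make_untrusted_client ./pki` then `verify_client ./pki/truststore.pem ./pki/untrusted.pem` fails, which is the behaviour you want before relying on the gateway to do the same. Revocation is not covered by any of these checks, which is why the docs point you to a Lambda authorizer for it.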
This is not currently available from API Gateway, but we have had requests from multiple customers for this feature. Unfortunately, I can't comment on ETA or availability.