We want to start using public API Gateway endpoints with AWS Lambda integration secured with mTLS [https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/] but it is not clear for us from the documentation whether rejected requests are billed or not, we analyze this situations:
- missing client certificate - unauthorized access from anybody, bots etc. - request fails with
OpenSSL SSL_connect: Connection reset by peer or something similar - missing information about this requests in any statistics on API Gateway dashboard
- invalid client certificate - certificate from wrong Certificate Authority - API GW will respond with a 403 Forbidden + response header
x-amzn-errortype: ForbiddenException. These requests are visible under API Calls and 4xx error dashboard status, without lambda invocation
- expired client certificate (but valid CA) - also 403 Forbidden + response header
x-amzn-errortype: ForbiddenException. These requests are visible under API Calls and 4xx error dashboard status, without lambda invocation
- valid client certificate (common application state) - application will respond, lambda invoked, billed
We assume that only a random request without client certificate is not charged, is that right?
This information would help us to make a decision about this solution for security and potential costs.
We don't consider using WAF yet, only if it will be necessary by our analysis.
Thanks for any clarification
AWS OFFICIALAktualisiert vor 8 Monaten