Hi @rePost-User-7357499 - Response to your questions below
- The link for implementing a minimum TLS version is https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html which is mentioned in the link Nitin provided.
- In the link I provided, it is mentioned how you can achieve mutual TLS between the API Client (the ReactJS application in your case) and the API Gateway. Mutual TLS is useful in a B2B kind of use-case where you have a few clients and you want to make sure that any requests coming from the clients can be trusted by API Gateway. TLS and Mutual TLS both encrypt the traffic but mutual TLS provides additional security because the server can also trust the client. It can be difficult to implement mutual TLS if you have a large number of API consumers. In that case, you should use Authentication by using mechanisms such as IAM authentication, Lambda authorizers, Cognito User Pool or Cognito Identity Pool based authentication. You can read up more in this document - https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-to-api.html. There are also blogs on the topic of authentication in API Gateway such as https://aws.amazon.com/blogs/compute/evaluating-access-control-methods-to-secure-amazon-api-gateway-apis/ and https://aws.amazon.com/blogs/security/use-aws-lambda-authorizers-with-a-third-party-identity-provider-to-secure-amazon-api-gateway-rest-apis/
- You can calculate the price of custom domains on AWS using the pricing calculator - https://aws.amazon.com/route53/pricing/
As Nitin mentioned above, by default an API Gateway endpoint is an HTTPS endpoint. If you need to implement mutual TLS between the client (your ReactJS app) and API Gateway, then you can look at this documentation on how to configure mTLS - https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-mutual-tls.html
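The two controls discussed in these answers, the custom domain's minimum TLS version and the optional mutual TLS trust store, are both visible in the `aws apigateway get-domain-names` output. The following script is an added example written for this thread, not code from AWS or from any of the posters: it audits a constructed sample of that output (the three domain records, bucket name, version id and warning text are all made up) for domains still on `TLS_1_0` and for trust stores that API Gateway has flagged with warnings, and it builds the `update-domain-name` patch operation from the linked TLS-version documentation for any domain that needs raising.

```python
"""Audit API Gateway custom domains for minimum TLS version and mutual TLS state.

The input mirrors the JSON shape of `aws apigateway get-domain-names`; the
records below are constructed sample data, not real AWS resources.
"""
import json

# The strongest securityPolicy value API Gateway custom domains accept.
MIN_TLS_POLICY = "TLS_1_2"

# Constructed sample of `aws apigateway get-domain-names --output json`.
SAMPLE_GET_DOMAIN_NAMES = json.dumps({
    "items": [
        {   # still accepts TLS 1.0 and has no mTLS trust store
            "domainName": "api.example.com",
            "securityPolicy": "TLS_1_0",
            "endpointConfiguration": {"types": ["REGIONAL"]},
        },
        {   # TLS 1.2 minimum plus a healthy mTLS trust store
            "domainName": "partners.example.com",
            "securityPolicy": "TLS_1_2",
            "endpointConfiguration": {"types": ["REGIONAL"]},
            "mutualTlsAuthentication": {
                "truststoreUri": "s3://example-truststore-bucket/truststore.pem",
                "truststoreVersion": "PLACEHOLDER_VERSION_ID",
                "truststoreWarnings": [],
            },
        },
        {   # TLS 1.2 minimum, but API Gateway reported a trust store problem
            "domainName": "legacy.example.com",
            "securityPolicy": "TLS_1_2",
            "endpointConfiguration": {"types": ["EDGE"]},
            "mutualTlsAuthentication": {
                "truststoreUri": "s3://example-truststore-bucket/old.pem",
                "truststoreVersion": "PLACEHOLDER_VERSION_ID",
                "truststoreWarnings": ["constructed warning: certificate expired"],
            },
        },
    ]
})


def audit_domains(get_domain_names_json, require_mtls=False):
    """Return (domainName, finding) tuples for every control that is not met.

    require_mtls=True models the B2B case from the answer above, where every
    client is expected to present a certificate; leave it False when consumers
    are authenticated by an authorizer instead.
    """
    findings = []
    for item in json.loads(get_domain_names_json)["items"]:
        name = item["domainName"]
        policy = item.get("securityPolicy")
        if policy is None:
            findings.append((name, "securityPolicy not reported; verify it manually"))
        elif policy != MIN_TLS_POLICY:
            findings.append((name, f"securityPolicy is {policy}; raise to {MIN_TLS_POLICY}"))
        mtls = item.get("mutualTlsAuthentication")
        if mtls is None:
            if require_mtls:
                findings.append((name, "mutual TLS not configured"))
        else:
            # API Gateway surfaces trust store validation problems here.
            for warning in mtls.get("truststoreWarnings", []):
                findings.append((name, f"truststore warning: {warning}"))
    return findings


def patch_command_for_min_tls(domain_name):
    """Build the CLI call from the linked docs that raises the minimum TLS version."""
    return (
        f"aws apigateway update-domain-name --domain-name {domain_name} "
        f"--patch-operations op=replace,path=/securityPolicy,value={MIN_TLS_POLICY}"
    )


if __name__ == "__main__":
    for domain, finding in audit_domains(SAMPLE_GET_DOMAIN_NAMES):
        print(f"{domain}: {finding}")
    print(patch_command_for_min_tls("api.example.com"))
```

Against a real account, replace the constructed sample with the captured output of `aws apigateway get-domain-names --output json`; the patch command is printed rather than executed so the change can be reviewed before it is applied.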
Hi Indranil. I am new to some of this, so I apologize that I am getting up to speed on some of this. I did see the AWS link which Nitin provided before asking my question, but I might not fully understand it. I can attempt to follow the link you provided to implement the mutual TLS. A few questions, please, to clarify my understanding:
- Is the impl in the link you provided a means of achieving the minimum TLS protocol version mentioned in the link Nitin referenced?
- Would the impl in the link you provided be the maximum (or at least substantial) security impl I can achieve for encrypting/masking the response payload between the API Gateway and the ReactJS client?
- Would you happen to know if this impl would be extremely costly (custom domain, cert, and trust store)?
The communication between the client and API Gateway is encrypted in transit using TLS. Reference: https://docs.aws.amazon.com/apigateway/latest/developerguide/data-protection-encryption.html#data-protection-in-transit
If it is needed to encrypt, then you can use as an example a Lambda function as the API Gateway integration and let the lambda decrypt/encrypt and forward the request to the backend. There can be other patterns based on use case.
Thank you for your responses, Indranil. I can definitely use the first blog link you provided, as I dive deeper into various use cases. In my current use case, I only have the one ReactJS application as a client. I believe since only user accounts through a Cognito user pool are involved and I have no business clients using this API, then I would not classify this as B2B. Would you agree?
The Cognito user pool for my user accounts can grow over time, but there is essentially just the one client, if that answers the "number of API consumers" part you mentioned? Please correct me if I misunderstood that part.
I appreciate your patience and diligence as I am still trying to make sure I have the big picture. I already plan to use a Cognito User Pool Authorizer on the API Gateway endpoint for authentication, following this article: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html
But that will not cover encryption of the customer data payload from API Gateway to the ReactJS website, correct? And thus that is where the mTLS implementation you shared via your link comes in, right?
If I am understanding you so far, the Cognito authorizer on the endpoint and the minimum TLS (Nitin's link) would cover everything in my use case?
Hi Indranil, I wanted to see if you have any suggested response to my last comment?
Thanks.