Supporting mutual TLS on specific resource paths


I need to set up a proxy service in AWS that provides mutual TLS termination and then forwards the call onto another service running in AWS using just regular TLS. I have followed the guidance given for configuring mutual TLS on an API Gateway and have that working with a Lambda function integration that can call the necessary service on the back end. The problem I have is that I don't want all incoming requests to require mTLS; only specific resource paths on the custom domain should enforce mTLS. Any thoughts on how I could go about configuring this ... it seems that mTLS gets enabled for the whole custom domain?

https://mydomain/pathA (require mTLS)

https://mydomain/pathB (don't require mTLS)

If the API Gateway can't support this, any other thoughts on how to achieve the same mTLS => TLS proxy conversion in AWS?

  • Hello TAW, Did you find any feasible solution to this scenario?

asked 2 years ago, 1291 views
2 Answers

mTLS is configured on the Custom Domain level so you can decide that only some paths will require it and others will not. What you can do is create two APIs with two different domains, e.g., and The first will map to the API for all routes that require mTLS. The second will map to an API that does not require it.

AWS
answered 2 years ago
  • Unfortunately this solution needs to work with a legacy system where ALL resource paths need to be off of the same domain ... having two separate domains (one with and one without mTLS) is not an option. Your comment suggests what I was already thinking ... that it is not going to be possible to do what I need to do with the API Gateway mTLS support.
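The two-domain layout described in the answer above, written out as a CloudFormation fragment. This is an added illustration, not code from the thread or from AWS; the domain names, certificate ARNs, truststore bucket and object version are placeholders, and the two REST APIs (with their deployments and a `prod` stage) are assumed to be defined elsewhere and passed in as parameters.

```yaml
# Added example: one custom domain enforcing mTLS, one plain TLS domain.
# All names, ARNs and ids below are placeholders.
Parameters:
  MtlsApiId:  { Type: String }   # REST API holding the routes that require a client cert
  PlainApiId: { Type: String }   # REST API holding the routes that do not

Resources:
  MtlsDomain:
    Type: AWS::ApiGateway::DomainName
    Properties:
      DomainName: mtls.example.com                     # placeholder
      RegionalCertificateArn: arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER
      # Needed only when the certificate above is imported or from a private CA:
      # OwnershipVerificationCertificateArn: arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER
      EndpointConfiguration:
        Types: [REGIONAL]
      SecurityPolicy: TLS_1_2
      MutualTlsAuthentication:
        # PEM bundle of the CA(s) allowed to issue client certificates
        TruststoreUri: s3://PLACEHOLDER-bucket/truststore.pem
        # Pin a specific S3 object version so a silent bucket change cannot widen trust
        TruststoreVersion: PLACEHOLDER-object-version

  MtlsMapping:
    Type: AWS::ApiGateway::BasePathMapping
    Properties:
      DomainName: !Ref MtlsDomain
      RestApiId: !Ref MtlsApiId
      Stage: prod
      BasePath: pathA          # https://mtls.example.com/pathA requires a client cert

  PlainDomain:
    Type: AWS::ApiGateway::DomainName
    Properties:
      DomainName: api.example.com                      # placeholder
      RegionalCertificateArn: arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER
      EndpointConfiguration:
        Types: [REGIONAL]
      SecurityPolicy: TLS_1_2  # no MutualTlsAuthentication block: server-only TLS

  PlainMapping:
    Type: AWS::ApiGateway::BasePathMapping
    Properties:
      DomainName: !Ref PlainDomain
      RestApiId: !Ref PlainApiId
      Stage: prod
      BasePath: pathB          # https://api.example.com/pathB needs no client cert
```

Set `DisableExecuteApiEndpoint: true` on the `AWS::ApiGateway::RestApi` behind the mTLS domain; otherwise that API stays reachable on its default `https://{id}.execute-api.{region}.amazonaws.com` URL, where no client certificate is checked.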



I recently came across a blog post within the Compute Blog, which addresses mutual Transport Layer Security (TLS) and how a customer's self-managed Kafka clusters can have a trust relationship established between AWS Lambda using a private certificate authority (CA), even using an Amazon Managed Streaming Kafka (MSK) certificate by default as the certificates are signed by Amazon Trust Services CAs.

Also, without knowing many more of the customer requirements and/or dependencies of the applications, proxy configuration(s) involved, or that may need to be involved yet,

You can activate any combination of authentication modes (mutual TLS, SASL SCRAM, or IAM access control) on new or existing clusters. This is useful if you are migrating to a new authentication mode or must run multiple authentication modes simultaneously. Lambda natively supports consuming messages from both self-managed Kafka and Amazon MSK through event source mapping.

Also, I just saw this related topic within another re:Post, if the solution necessitates API Gateway.

I hope this helps.


answered 2 years ago
