API Gateway with mTLS request billing

0

We want to start using public API Gateway endpoints with AWS Lambda integration secured with mTLS [https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/], but it is not clear to us from the documentation whether rejected requests are billed or not. We analyze these situations:

  • missing client certificate - unauthorized access from anybody, bots etc. - request fails with OpenSSL SSL_connect: Connection reset by peer or something similar - missing information about these requests in any statistics on API Gateway dashboard
  • invalid client certificate - certificate from wrong Certificate Authority - API GW will respond with a 403 Forbidden + response header x-amzn-errortype: ForbiddenException. These requests are visible under API Calls and 4xx error dashboard status, without lambda invocation
  • expired client certificate (but valid CA) - also 403 Forbidden + response header x-amzn-errortype: ForbiddenException. These requests are visible under API Calls and 4xx error dashboard status, without lambda invocation
  • valid client certificate (common application state) - application will respond, lambda invoked, billed

We assume that only a random request without client certificate is not charged, is that right? This information would help us to make a decision about this solution for security and potential costs. We don't consider using WAF yet, only if it will be necessary by our analysis.

Thanks for any clarification

1 Answer
0

If the request fails mTLS, for any reason, it will not be charged.

EXPERT
Uri
answered 2 months ago
