missing client certificate - unauthorized access from anybody, bots, etc. - the request fails with "OpenSSL SSL_connect: Connection reset by peer" or something similar - there is no information about these requests in any statistics on the API Gateway dashboard
invalid client certificate - certificate from the wrong Certificate Authority - API GW responds with 403 Forbidden + response header x-amzn-errortype: ForbiddenException. These requests are visible under API Calls and the 4xx error dashboard status, without a Lambda invocation
expired client certificate (but valid CA) - also 403 Forbidden + response header x-amzn-errortype: ForbiddenException. These requests are visible under API Calls and the 4xx error dashboard status, without a Lambda invocation
We assume that only a random request without a client certificate is not charged; is that right?
This information would help us make a decision about this solution for security and potential costs.
We are not considering WAF yet, only if our analysis shows it is necessary.
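The three outcomes listed in the question (handshake reset with no client certificate, 403 with `x-amzn-errortype: ForbiddenException` for a wrong-CA or expired certificate, and a normal response for a valid one) are easy to mix up when you are reading raw client errors, so here is a small probe-and-classify script. It is an added example, not code from the poster or from AWS; it uses only the Python standard library, the `probe` helper and its `host`/`cert_file` parameters are my own, and the sample outcomes at the bottom are constructed to mirror the behaviours described above, so the script runs offline.

```python
"""Classify what a client observed when calling an API Gateway custom domain
with mutual TLS enabled, based on the three behaviours described in the post:
  - no client cert       -> TLS handshake rejected (connection reset), no API Gateway record
  - wrong CA or expired  -> HTTP 403 with x-amzn-errortype: ForbiddenException, counted as an API call
  - valid cert           -> request reaches the integration
Added example; probe(), Outcome and the sample data are assumptions, not AWS code."""
import http.client
import ssl
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Outcome:
    """What the client saw: either a transport-level error, or an HTTP status plus headers."""
    error: Optional[str] = None            # e.g. "ConnectionResetError" when the handshake is refused
    status: Optional[int] = None
    headers: Dict[str, str] = field(default_factory=dict)


def classify(outcome: Outcome) -> str:
    """Map an Outcome to one of the mTLS cases from the post."""
    if outcome.error is not None:
        # No certificate (or an unusable one): the handshake is reset before any HTTP exchange,
        # so nothing reaches the API Gateway request path.
        return "handshake-rejected"
    # Header names are case-insensitive; normalise before looking for the AWS error marker.
    lowered = {k.lower(): v for k, v in outcome.headers.items()}
    if outcome.status == 403 and lowered.get("x-amzn-errortype") == "ForbiddenException":
        # Certificate was presented but rejected by API Gateway (wrong CA or expired).
        return "cert-rejected-by-api-gateway"
    if outcome.status is not None and outcome.status < 400:
        return "accepted"
    return "other"


def visible_in_api_gateway_metrics(category: str) -> bool:
    """Per the post: only requests that complete the TLS handshake show up in the
    API Calls / 4xx dashboard figures; reset handshakes leave no trace there."""
    return category != "handshake-rejected"


def probe(host: str, path: str = "/", cert_file: Optional[str] = None,
          key_file: Optional[str] = None, timeout: float = 10.0) -> Outcome:
    """Send one GET to the mTLS endpoint, optionally presenting a client certificate.
    Hypothetical helper for checking your own domain; not run by the offline sample below."""
    ctx = ssl.create_default_context()
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    conn = http.client.HTTPSConnection(host, context=ctx, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return Outcome(status=resp.status, headers=dict(resp.getheaders()))
    except OSError as exc:  # ConnectionResetError and ssl.SSLError are both OSError subclasses
        return Outcome(error=type(exc).__name__)
    finally:
        conn.close()


# Constructed sample outcomes, one per case described in the post.
SAMPLES = {
    "no-cert":      Outcome(error="ConnectionResetError"),
    "wrong-ca":     Outcome(status=403, headers={"x-amzn-ErrorType": "ForbiddenException"}),
    "expired-cert": Outcome(status=403, headers={"x-amzn-errortype": "ForbiddenException"}),
    "valid-cert":   Outcome(status=200, headers={"content-type": "application/json"}),
}


def classify_samples() -> Dict[str, str]:
    return {name: classify(o) for name, o in SAMPLES.items()}


if __name__ == "__main__":
    for name, category in classify_samples().items():
        print(f"{name:13s} -> {category:30s} metrics: {visible_in_api_gateway_metrics(category)}")
```

To check a real endpoint, call `probe("api.example.invalid")` without a certificate and again with `cert_file`/`key_file` pointing at a certificate from your trust store; the two results should classify as `handshake-rejected` and `accepted` respectively if mutual TLS is enforced as the post describes.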