Is there support for using CloudFront with an mTLS authenticated Custom Domain Name for APIGateway?

We're trying to put an mTLS authenticated APIGateway behind a CloudFront distribution, but I can't find any resources online on how to do this. We have this type of thing set up with normal TLS and it works fine, but if we try to mirror our existing setup to use mTLS instead, it doesn't work. Is this setup supported, and how can we go about setting this up? Thanks

2 Answers

It probably cannot be used, given the technical considerations of mTLS authentication.
In this configuration, HTTP requests specifying a client certificate are first sent to CloudFront.
Since there is no client authentication between the client and CloudFront, the specified client certificate is not used.
After that, it is possible to pass HTTP headers and body from CloudFront to API Gateway, but since it does not inherit the client certificate specified in the previous step, an authentication error should occur here.

answered a year ago
reviewed a year ago

I don't think that CloudFront supports this use case. This is due to the fact that CloudFront handles the TLS termination and doesn't support pass-through to API Gateway or other downstream services. If you would like to use mTLS, you should point your Route 53 domain name directly to API Gateway, configure a custom domain, disable the default endpoint, and add AWS WAF to the API. Additionally, it's worth noting that mTLS is not supported for Edge-optimized APIs and can be used with Regional APIs only.

I would also suggest reading the following article: Propagating valid mTLS client certificate identity to downstream services using Amazon API Gateway

answered a year ago
reviewed a year ago
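The setup recommended in the answer above (Regional custom domain with mTLS, Route 53 pointing straight at API Gateway, WAF on the stage), written out as an added CloudFormation example; it is not code from the answer or from AWS, and it assumes an existing Regional REST API, stage, ACM certificate in the API's region, and Regional WAFv2 web ACL, all passed in as placeholder parameters.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Regional API Gateway custom domain with mTLS, no CloudFront in front (added example)
Parameters:
  DomainName: { Type: String }                 # placeholder, e.g. api.example.com
  HostedZoneId: { Type: AWS::Route53::HostedZone::Id }
  CertificateArn: { Type: String }             # ACM cert in the SAME region as the API (not us-east-1 as for CloudFront)
  TruststoreUri: { Type: String }              # s3://<bucket>/truststore.pem: CA bundle allowed to sign client certs
  RestApiId: { Type: String }                  # existing REGIONAL REST API (mTLS is not available on EDGE)
  StageName: { Type: String, Default: prod }
  WebAclArn: { Type: String }                  # existing REGIONAL WAFv2 web ACL
Resources:
  # Custom domain that terminates TLS on API Gateway and requires a client certificate
  MtlsDomain:
    Type: AWS::ApiGateway::DomainName
    Properties:
      DomainName: !Ref DomainName
      RegionalCertificateArn: !Ref CertificateArn
      SecurityPolicy: TLS_1_2
      EndpointConfiguration:
        Types: [REGIONAL]
      MutualTlsAuthentication:
        TruststoreUri: !Ref TruststoreUri
  # Route requests on the domain to the API stage
  Mapping:
    Type: AWS::ApiGateway::BasePathMapping
    Properties:
      DomainName: !Ref MtlsDomain
      RestApiId: !Ref RestApiId
      Stage: !Ref StageName
  # Route 53 alias directly to the Regional domain; no CloudFront distribution in the path
  DnsRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref DomainName
      Type: A
      AliasTarget:
        DNSName: !GetAtt MtlsDomain.RegionalDomainName
        HostedZoneId: !GetAtt MtlsDomain.RegionalHostedZoneId
  # WAF attached to the stage, since CloudFront's WAF integration is no longer in front
  WafAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Sub arn:aws:apigateway:${AWS::Region}::/restapis/${RestApiId}/stages/${StageName}
      WebACLArn: !Ref WebAclArn
```

The default execute-api endpoint must still be disabled on the API itself (DisableExecuteApiEndpoint: true on the AWS::ApiGateway::RestApi resource, or the /disableExecuteApiEndpoint patch path with update-rest-api), otherwise a client can reach the API by its default hostname and skip the mTLS domain entirely.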
