This probably cannot be done, given the technical considerations of mTLS authentication.
In this configuration, an HTTP request carrying a client certificate is first sent to CloudFront.
Since there is no client authentication between the client and CloudFront, the supplied client certificate is not used.
After that, CloudFront can pass the HTTP headers and body on to API Gateway, but since that hop does not inherit the client certificate presented in the previous step, an authentication error should occur there.
I don't think that CloudFront supports this use-case. This is due to the fact that CloudFront handles the TLS termination and doesn't support pass-through to API Gateway or other downstream services. If you would like to use mTLS, you should point your Route 53 domain name directly to API Gateway, configure a custom domain, disable the default endpoint, and add AWS WAF to the API. Additionally, it's worth noting that mTLS is not supported for Edge-optimized APIs and can be used with Regional APIs only.
I would also suggest reading the following article: Propagating valid mTLS client certificate identity to downstream services using Amazon API Gateway
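The setup described in the answer above (Regional REST API, custom domain with mTLS, default execute-api endpoint disabled, Route 53 alias pointing straight at API Gateway rather than CloudFront, and a WAF web ACL on the stage) as a CloudFormation template. This is an added example, not code from the original answers or from AWS; the domain name, hosted zone ID, ACM certificate ARN, truststore bucket, and web ACL ARN are placeholders that you would replace, and it assumes the domain certificate is a public ACM-issued certificate.

```yaml
# Added example (not from the original thread): Regional REST API reachable only
# via a custom domain that enforces mTLS. Placeholder values are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  DomainName:
    Type: String
    Default: api.example.com          # assumed
  HostedZoneId:
    Type: String                      # assumed Route 53 hosted zone for example.com
  CertificateArn:
    Type: String                      # assumed ACM cert in the API's region (public, ACM-issued)
  TruststoreUri:
    Type: String
    Default: s3://example-truststore/truststore.pem   # assumed bucket holding the CA bundle
  WebAclArn:
    Type: String                      # assumed REGIONAL-scope AWS WAFv2 web ACL ARN

Resources:
  RestApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: mtls-demo
      # mTLS works only with Regional endpoints, not Edge-optimized ones.
      EndpointConfiguration:
        Types: [REGIONAL]
      # Close the https://<id>.execute-api.<region>.amazonaws.com side door;
      # otherwise a caller could bypass the mTLS custom domain entirely.
      DisableExecuteApiEndpoint: true

  # Minimal method so the API can be deployed; replace with real integrations.
  RootMethod:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref RestApi
      ResourceId: !GetAtt RestApi.RootResourceId
      HttpMethod: GET
      AuthorizationType: NONE
      Integration:
        Type: MOCK
        RequestTemplates:
          application/json: '{"statusCode": 200}'
        IntegrationResponses:
          - StatusCode: "200"
      MethodResponses:
        - StatusCode: "200"

  Deployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn: RootMethod
    Properties:
      RestApiId: !Ref RestApi

  Stage:
    Type: AWS::ApiGateway::Stage
    Properties:
      RestApiId: !Ref RestApi
      DeploymentId: !Ref Deployment
      StageName: prod

  # Custom domain: the TLS listener that actually requests the client certificate.
  ApiDomain:
    Type: AWS::ApiGateway::DomainName
    Properties:
      DomainName: !Ref DomainName
      RegionalCertificateArn: !Ref CertificateArn
      EndpointConfiguration:
        Types: [REGIONAL]
      SecurityPolicy: TLS_1_2
      MutualTlsAuthentication:
        TruststoreUri: !Ref TruststoreUri   # PEM bundle of CA certs you trust to issue client certs

  BasePathMapping:
    Type: AWS::ApiGateway::BasePathMapping
    DependsOn: ApiDomain
    Properties:
      DomainName: !Ref DomainName
      RestApiId: !Ref RestApi
      Stage: !Ref Stage

  # DNS goes directly to the API Gateway regional domain, with no CloudFront in the path.
  DnsAlias:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref DomainName
      Type: A
      AliasTarget:
        DNSName: !GetAtt ApiDomain.RegionalDomainName
        HostedZoneId: !GetAtt ApiDomain.RegionalHostedZoneId

  # WAF attaches to the stage, since the CloudFront-level WAF is no longer in front.
  WafAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Sub arn:aws:apigateway:${AWS::Region}::/restapis/${RestApi}/stages/${Stage}
      WebACLArn: !Ref WebAclArn
```

A quick check after deployment: `curl https://api.example.com/` without a client certificate should be rejected at the TLS handshake, `curl --cert client.pem --key client.key https://api.example.com/` should succeed, and a request to the `execute-api` hostname should return 403 because the default endpoint is disabled. The web ACL must be created with `Scope: REGIONAL` in the same region as the API; a `CLOUDFRONT`-scoped web ACL cannot be associated with an API Gateway stage.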