
Questions tagged with AWS PrivateLink



AWS API Gateway private integration with mutual TLS

Is mutual TLS supported with private resource integration in HTTP API Gateway? I created an HTTP integration that routes traffic into a private ALB's HTTP listener. After that I implemented mutual TLS by using this guide: https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/ While testing certificate authentication I created a second set of certificates and used the second set's client key and pem to authenticate successfully against the first set's keystore. This behavior should not be possible. With this configuration API Gateway demands that clients send a certificate and key, but never verifies them against the specified truststore. I tested this setup by switching the private integration to a Lambda integration and TLS operated like it should, by verifying the certificate against the truststore.

How to reproduce:
- create an HTTP API Gateway API with Lambda integration (used ANY /)
- create a custom domain for the API, with mutual TLS enabled and the default endpoint disabled
- create 2 sets of certificates and client keys
- TLS should check the validity of the client certificate and prevent mixing certificates between sets
- switch the Lambda integration to a private ALB integration with an HTTP listener
- test TLS again by mixing certificates
- API Gateway accepts mixed certificates
- As a side effect, in this configuration the gateway ignores the "default endpoint disabled" setting and enables bypassing TLS completely.
1 answer · 0 votes · 32 views
AWS-User-5658400
asked a month ago