AWS API Gateway MTLS客户端身份验证 [英] AWS API Gateway MTLS client auth

问题描述

每次我在 AWS API网关中搜索基于SSL的相互身份验证时，我只能在AWS API Gateway和后端服务之间找到MTLS.但我希望使用 MTLS(客户端身份验证)保护我的AWS API Gateway终端节点本身.

Everytime I searched for Mutual Auth over SSL for AWS API Gateway I can only find MTLS between AWS API Gateway and Backend Services. But I'm looking to secure my AWS API Gateway endpoints itself with MTLS (client auth).

例如，我有一个支持服务QueryCustomer，该服务已通过AWS API Gateway代理.现在，我可以将SSL证书放在API网关上，但这是通常的1向SSL.我想要实现的是使用具有客户端身份验证的MTLS，其中来自AWS API Gateway的API使用者首先必须交换我们在 AWS信任库上配置的公共证书，并将存储AWS公共证书在API用户端也是如此.

For instance, I have a backed service QueryCustomer which I have proxied through AWS API Gateway. Now I can put an SSL Cert on API Gateway but it's usual 1-way SSL. What I want to achieve is to have an MTLS with client auth where the consumer of APIs from AWS API Gateway first have to exchange their public certificates which we configure on the AWS truststores and AWS public certificates will be stored on API consumer end as well.

现在与其他API网关和应用程序服务器一样，在握手过程中，应该有一个属性，该属性表示类似此AWS API Gateway终端"需要客户端身份验证"，以便仅在API使用者的公共证书为应该对API Gateway truststore中的ID进行身份验证以访问端点，否则只会引发正常的SSL握手错误.

Now during the handshake as with other API Gateways and application servers should there be a property which says something like this AWS API Gateway endpoint 'requires client auth' so that only if API consumer's public cert is in API Gateway truststore should be authenticated to access the endpoint, otherwise just throw normal SSL handshake error.

有人可以告知这是否可以在AWS API Gateway上实现吗?

Can someone advise if this is achievable on AWS API Gateway?

推荐答案

API网关当前不提供此功能，但是我们已经有多个客户要求使用此功能.不幸的是，我无法评论ETA或可用性.

This is not currently available from API Gateway, but we have had requests from multiple customers for this feature. Unfortunately, I can't comment on ETA or availability.

这篇关于AWS API Gateway MTLS客户端身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！