AWS Deep Dive

Amazon API Gateway

Continued notes about the Amazon API Gateway.

Working with REST APIs

Configuring Mutual TLS Authentication for a REST API in API Gateway

When using mutual TLS configuration, API Gateway forwards the client certificates through to the relevant Lambda authorizer and/or other backend functions. Since mutual TLS requires the server to have a valid (custom) certificate, the default API Gateway endpoint needs to be disabled in this mode. Regional custom domains must be used, and these endpoints must be public (no mutual TLS with private APIs).

Client certificates must be signed by an ownershipVerificationCertificate held in AWS Certificate Manager (this certificate cannot be used for the domain), and a PEM file containing the client certificates and their complete chain of trust must be uploaded to S3 as a “trust store”. S3 versioning can be used to enable easy rollbacks; changing the current S3 version requires an API redeployment.

While API Gateway checks to make sure that client certificates are valid, it lacks the ability to check these against a revocation list. However, a Lambda authorizer can be used to check for revocation.
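The revocation check described above, as an added example that is not part of these notes or of any AWS sample: a REQUEST-type Lambda authorizer that reads the client certificate API Gateway forwards in `requestContext.identity.clientCert` (documented fields `clientCertPem`, `subjectDN`, `issuerDN`, `serialNumber`, `validity`) and denies the request when the certificate's serial number is on a revocation list. Assumptions: API Gateway has already validated the certificate against the trust store, so only revocation is checked here; the revocation list, the serial-number normalization, and the sample event are constructed for the example.

```python
"""Lambda authorizer adding a revocation check on top of API Gateway mutual TLS.
Added example; the revocation list and sample event below are constructed."""
import json

# Constructed revocation list (serial numbers as reported by API Gateway).
# In a real deployment this would be loaded from S3, DynamoDB or a CRL at
# cold start and cached across invocations.
REVOKED_SERIALS = {"0A:1B:2C:3D:4E:5F:60:71"}


def normalize_serial(serial):
    """Compare serials in one form regardless of colons, case or leading zeros
    (assumption: the list and the event may use different representations)."""
    digits = serial.replace(":", "").lower().lstrip("0")
    return digits or "0"


_REVOKED = {normalize_serial(s) for s in REVOKED_SERIALS}


def is_revoked(client_cert, revoked=_REVOKED):
    """True when the forwarded certificate's serial is on the revocation list."""
    return normalize_serial(client_cert.get("serialNumber", "")) in revoked


def build_policy(principal_id, effect, method_arn, context=None):
    """Return the IAM policy document API Gateway expects from an authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": method_arn,
            }],
        },
        "context": context or {},
    }


def lambda_handler(event, context):
    method_arn = event["methodArn"]
    identity = event.get("requestContext", {}).get("identity", {})
    client_cert = identity.get("clientCert")
    if not client_cert:
        # Mutual TLS is mandatory for this API: no certificate means deny.
        return build_policy("anonymous", "Deny", method_arn)
    principal = client_cert.get("subjectDN", "unknown")
    if is_revoked(client_cert):
        return build_policy(principal, "Deny", method_arn,
                            {"reason": "certificate revoked"})
    return build_policy(principal, "Allow", method_arn,
                        {"issuer": client_cert.get("issuerDN", "")})


def make_event(serial):
    """Constructed sample authorizer event, trimmed to the fields the handler reads."""
    return {
        "type": "REQUEST",
        "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abcdef1234/prod/GET/orders",
        "requestContext": {
            "identity": {
                "clientCert": {
                    "clientCertPem": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
                    "subjectDN": "CN=client-42,O=Example Corp",
                    "issuerDN": "CN=Example Corp Client CA",
                    "serialNumber": serial,
                    # Constructed values in the documented "Mon DD HH:MM:SS YYYY GMT" form.
                    "validity": {"notBefore": "Jan  1 00:00:00 2024 GMT",
                                 "notAfter": "Jan  1 00:00:00 2026 GMT"},
                }
            }
        },
    }


SAMPLE_EVENT = make_event("0A:1B:2C:3D:4E:5F:60:71")  # revoked serial

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None), indent=2))
```

Because the authorizer sees only the serial and DNs as strings, the revocation list must use the same serial representation API Gateway reports; the normalization above is there so a list exported from a CA with colon-separated hex still matches.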

Generate and Configure an SSL Certificate for Backend Authentication with API Gateway

API Gateway supports mutual TLS both as a server (see the previous section) and as a client (when talking to API backend services). However, API Gateway generates a self-signed certificate in the latter case, so backend services will need to verify the connection using an explicit allow list.

API Gateway client certificates are per API and per stage; rotating certificates requires an API redeployment.
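The backend-side allow list from the two paragraphs above, as an added example that is not part of these notes: because the certificate API Gateway presents to the backend is self-signed, chain validation proves nothing, so the backend pins the SHA-256 fingerprint of the certificate instead. Assumptions: the backend terminates TLS itself, requests a client certificate, and hands the peer certificate PEM to `peer_is_api_gateway`; the allow-listed fingerprints are computed from the `pemEncodedCertificate` field returned by `aws apigateway get-client-certificate`; and, since rotation needs a redeployment, the allow list holds both the current and the next certificate while a rotation is in progress. The PEM strings below are constructed placeholders, not real certificates.

```python
"""Pin API Gateway's self-signed client certificate by fingerprint.
Added example; the PEM strings below are constructed placeholders."""
import base64
import hashlib
import ssl


def fingerprint_sha256(pem):
    """Colon-separated SHA-256 fingerprint of a PEM certificate, in the same
    form `openssl x509 -fingerprint -sha256` prints. Raises ValueError on
    input that is not PEM-framed."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def rotation_allow_list(current_pem, next_pem=None):
    """Allow list for one API stage: the current certificate plus, during a
    rotation, the one that the next redeployment will switch to."""
    fingerprints = {fingerprint_sha256(current_pem)}
    if next_pem:
        fingerprints.add(fingerprint_sha256(next_pem))
    return fingerprints


def peer_is_api_gateway(peer_pem, allowed_fingerprints):
    """True only when the presented certificate is on the allow list.
    A missing, malformed or unknown certificate is rejected."""
    if not peer_pem:
        return False
    try:
        return fingerprint_sha256(peer_pem) in allowed_fingerprints
    except ValueError:
        return False


def _placeholder_pem(label):
    """Constructed PEM-framed blob standing in for a real certificate."""
    body = base64.b64encode(label.encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


# Constructed stand-ins for the per-stage API Gateway client certificates.
CURRENT_GATEWAY_CERT = _placeholder_pem("constructed: prod stage, current client cert")
NEXT_GATEWAY_CERT = _placeholder_pem("constructed: prod stage, next client cert")
UNKNOWN_CERT = _placeholder_pem("constructed: some other caller's cert")

if __name__ == "__main__":
    allowed = rotation_allow_list(CURRENT_GATEWAY_CERT, NEXT_GATEWAY_CERT)
    for name, pem in [("current", CURRENT_GATEWAY_CERT),
                      ("next", NEXT_GATEWAY_CERT),
                      ("unknown", UNKNOWN_CERT)]:
        print(name, peer_is_api_gateway(pem, allowed))
```

Pinning the fingerprint rather than a subject name matters here: every API Gateway-generated certificate carries a generic subject, so a name check would accept any API Gateway, including one in someone else's account.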

Using AWS WAF to Protect API Gateway

AWS WAF rules are evaluated before anything else, including IAM rules. It’s thus not possible to use IAM policies to “punch holes” in the WAF. API Gateway must be used with regional WAF rules (called “web ACLs” by Amazon). Web ACLs are per API and per stage.

Throttle API Requests for Better API Gateway Throughput

API throttling is per API per stage per region, and optionally per resource/method and per API key (really, the associated usage plan).