Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

Which AWS architecture solution is used to validate the client's certificate ?

0

For example, we are using Route 53 + ACM + ALB + ECS.

With this set of services, could you explain how to enable client's certificate validation ?

More precisely :

The goal is to establish a mutual authentication between the application and the clients : the application entry point is the Application Load Balancer, the clients come from the Internet.

The application needs to guarantee the client identity from their certificate.

We know that we can create an HTTPS listener for the Application Load Balancer (ALB).

Now, how to go further and establish mutual authentication, i.e. to require and to validate client certificates ?

Thank you for your expertise.

Argomenti
Sicurezza, identità e conformitàServerlessContainerNetworking e distribuzione di contenutiInternet delle cose (IoT)
Tag
Sicurezza, identità e conformitàAWS FargateEquilibratore di carico elasticoGestore certificati AWSTransport Layer Security (TLS)
Lingua
English
rePost-User-4528541
posta 2 anni fa1145 visualizzazioni
2 Risposte
1
Risposta accettata

AFAIK mTLS is not supported on ALB since it always terminates the TLS connection. You can use a NLB instead to redirect the L4 traffic to a server which can deal with mTLS such as NGINX.

Hope it helps.

profile pictureAWS
mtind
con risposta 2 anni fa
  • rePost-User-4528541
    2 anni fa

    It technically solves the problem, but it leaves the responsibility to the application to manage the certificates itself and it remains moderately acceptable from a "security in depth" point of view. Thanks to the author of the answer.

0

Not sure if I understand your question correctly but You can use API gateway to configure client-side SSL authentication for sending requests to the integration endpoint (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-clientcertificate.html ) . For your own public domain You can configure certificate validation by DNS or Email validation. Validation is done by the server the same way the client validates the server's certificate through a signed certificate .Certificates managed in ACM use RSA keys with a 2048-bit modulus and SHA-256.

AWS
mojtoth
con risposta 2 anni fa
  • rePost-User-4528541
    2 anni fa

    Thank you for your answer. We have added clarifications to the question because we do not think you are answering the question.

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente