By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Which AWS architecture solution is used to validate the client's certificate ?

0

For example, we are using Route 53 + ACM + ALB + ECS.

With this set of services, could you explain how to enable client's certificate validation ?

More precisely :

The goal is to establish a mutual authentication between the application and the clients : the application entry point is the Application Load Balancer, the clients come from the Internet.

The application needs to guarantee the client identity from their certificate.

We know that we can create an HTTPS listener for the Application Load Balancer (ALB).

Now, how to go further and establish mutual authentication, i.e. to require and to validate client certificates ?

Thank you for your expertise.

Topics
Security, Identity, & ComplianceServerlessContainersNetworking & Content DeliveryInternet of Things (IoT)
Tags
Security, Identity, & ComplianceAWS FargateElastic Load BalancingAWS Certificate ManagerTransport Layer Security (TLS)
Language
English
rePost-User-4528541
asked 2 years ago1132 views
2 Answers
1
Accepted Answer

AFAIK mTLS is not supported on ALB since it always terminates the TLS connection. You can use a NLB instead to redirect the L4 traffic to a server which can deal with mTLS such as NGINX.

Hope it helps.

profile pictureAWS
mtind
answered 2 years ago
  • rePost-User-4528541
    2 years ago

    It technically solves the problem, but it leaves the responsibility to the application to manage the certificates itself and it remains moderately acceptable from a "security in depth" point of view. Thanks to the author of the answer.

0

Not sure if I understand your question correctly but You can use API gateway to configure client-side SSL authentication for sending requests to the integration endpoint (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-clientcertificate.html ) . For your own public domain You can configure certificate validation by DNS or Email validation. Validation is done by the server the same way the client validates the server's certificate through a signed certificate .Certificates managed in ACM use RSA keys with a 2048-bit modulus and SHA-256.

AWS
mojtoth
answered 2 years ago
  • rePost-User-4528541
    2 years ago

    Thank you for your answer. We have added clarifications to the question because we do not think you are answering the question.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content