We want to start using public API Gateway endpoints with AWS Lambda integration secured with mTLS [https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/], but it is not clear to us from the documentation whether rejected requests are billed or not. We analyzed these situations:
- missing client certificate (unauthorized access from anybody, bots etc.): the request fails with `OpenSSL SSL_connect: Connection reset by peer` or something similar; there is no information about these requests in any statistics on the API Gateway dashboard
- invalid client certificate (certificate from the wrong Certificate Authority): API GW responds with 403 Forbidden plus the response header `x-amzn-errortype: ForbiddenException`. These requests are visible under API Calls and the 4xx error dashboard status, without Lambda invocation
- expired client certificate (but valid CA): also 403 Forbidden plus the response header `x-amzn-errortype: ForbiddenException`. These requests are visible under API Calls and the 4xx error dashboard status, without Lambda invocation
- valid client certificate (the common application state): the application responds, Lambda is invoked, billed
We assume that only a random request without client certificate is not charged, is that right?
This information would help us to make a decision about this solution for security and potential costs.
We are not considering WAF yet, only if our analysis shows it is necessary.
Thanks for any clarification
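To reproduce the four observations above against your own endpoint and map each outcome to what the post describes (TLS-level rejection with no HTTP response, 403 with `x-amzn-errortype: ForbiddenException`, or an accepted request), here is an added probe script. It is not part of the original post or of any AWS tooling. `API_URL`, `CLIENT_CERT`/`CLIENT_KEY`, `WRONG_CA_CERT`/`WRONG_CA_KEY` and `EXPIRED_CERT`/`EXPIRED_KEY` are placeholder environment variables you supply; the curl exit codes 35 and 56 are the ones curl uses for SSL connect errors and for a connection dropped mid-transfer, which is how a handshake-time reset surfaces.

```shell
#!/usr/bin/env sh
# Added example, not from the original post: probe an mTLS-protected API Gateway
# endpoint with each client-certificate state the post lists and classify the
# outcome. Placeholders (you supply them): API_URL, CLIENT_CERT, CLIENT_KEY,
# WRONG_CA_CERT, WRONG_CA_KEY, EXPIRED_CERT, EXPIRED_KEY.

# classify_outcome CURL_EXIT HEADER_FILE
# Prints one of: tls_rejected, forbidden_exception, other_4xx_5xx, accepted, unknown
classify_outcome() {
  curl_exit="$1"
  headers="$2"
  # curl exit 35 = SSL connect error, 56 = failure receiving network data.
  # Either means the handshake was refused: no HTTP response exists, which is
  # why such requests never show up in API Gateway's request metrics.
  if [ "$curl_exit" -eq 35 ] || [ "$curl_exit" -eq 56 ]; then
    echo tls_rejected
    return 0
  fi
  # Last status line wins (curl -D writes one per response, e.g. after a 100).
  status=$(tr -d '\r' < "$headers" | awk 'tolower($1) ~ /^http\// {code=$2} END {print code}')
  # Header names are case-insensitive; the value is compared as-is.
  errtype=$(tr -d '\r' < "$headers" | awk -F': *' 'tolower($1) == "x-amzn-errortype" {print $2}')
  case "$status" in
    2*) echo accepted ;;
    403)
      if [ "$errtype" = "ForbiddenException" ]; then
        echo forbidden_exception   # API GW rejected the cert (wrong CA or expired)
      else
        echo other_4xx_5xx
      fi ;;
    4*|5*) echo other_4xx_5xx ;;
    *) echo unknown ;;
  esac
}

# probe LABEL [extra curl options such as --cert/--key]
# Runs one request, captures only the response headers, and prints the class.
probe() {
  label="$1"; shift
  hdr=$(mktemp)
  rc=0
  curl -sS -o /dev/null -D "$hdr" "$@" "$API_URL" 2>/dev/null || rc=$?
  printf '%-22s -> %s (curl exit %s)\n' "$label" "$(classify_outcome "$rc" "$hdr")" "$rc"
  rm -f "$hdr"
}

# Only run the live probes when an endpoint has been configured.
if [ -n "${API_URL:-}" ]; then
  probe "no client cert"
  probe "wrong-CA client cert" --cert "$WRONG_CA_CERT" --key "$WRONG_CA_KEY"
  probe "expired client cert"  --cert "$EXPIRED_CERT"  --key "$EXPIRED_KEY"
  probe "valid client cert"    --cert "$CLIENT_CERT"   --key "$CLIENT_KEY"
fi
```

Run it once per scenario and then compare the timestamps with the API Gateway `Count` and `4XXError` CloudWatch metrics for the stage: the `tls_rejected` probes are the ones that should leave no trace there, which is the case the post expects to be unbilled.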