I have a REST HTTP endpoint that is sitting outside of AWS, but I want to use AWS API Gateway to proxy through to that endpoint. What would be the best way to only allow requests that come through the API Gateway to be processed by the HTTP endpoint?
1 Answer
One possibility would be to make your non-AWS endpoint require a client TLS certificate. AWS API Gateway can generate client certificates, and your non-AWS endpoint can:
- require a client certificate (if not provided, then ignore / don't allow)
- use the API Gateway cert public key to verify the client is your API Gateway.
This would give you good assurance that traffic to your non-AWS endpoint is only coming through the AWS API Gateway, so long as the client certificate generated by AWS is not compromised.
From the AWS FAQs:
Q: Can I verify that it is API Gateway calling my backend? Yes. Amazon API Gateway can generate a client-side SSL certificate and make the public key of that certificate available to you. Calls to your backend can be made with the generated certificate, and you can verify calls originating from Amazon API Gateway using the public key of the certificate.
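As an added illustration of the answer above (example code, not from the original post or from AWS): a minimal Python HTTPS backend that refuses the TLS handshake unless a client certificate is presented and verified against the downloaded API Gateway client certificate, then additionally pins the peer certificate's SHA-256 fingerprint before serving the request. The file paths and the expected fingerprint are assumptions to be replaced with your own values.

```python
import hashlib
import hmac
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed paths: this backend's own TLS certificate/key and the client
# certificate downloaded from the API Gateway console.
SERVER_CERT = "backend.pem"
SERVER_KEY = "backend-key.pem"
APIGW_CLIENT_CERT = "apigw-client.pem"
# Placeholder: compute the real value from the downloaded API Gateway cert,
# e.g. cert_fingerprint(open("apigw-client.pem", "rb").read()) after PEM->DER.
EXPECTED_FINGERPRINT = "<sha256 hex of the API Gateway client certificate>"


def build_server_context(server_cert, server_key, apigw_cert):
    """TLS server context that fails the handshake without a valid client cert.

    The API Gateway client certificate is self-signed, so loading it as the
    only trust anchor means a client must present that certificate to pass."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(server_cert, server_key)
    ctx.verify_mode = ssl.CERT_REQUIRED          # no client cert -> rejected
    ctx.load_verify_locations(cafile=apigw_cert)
    return ctx


def cert_fingerprint(der_bytes):
    """SHA-256 fingerprint (lowercase hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_bytes).hexdigest()


def peer_is_api_gateway(peer_der, expected_sha256_hex):
    """Pin the verified peer certificate to the exact API Gateway certificate.

    peer_der is what SSLSocket.getpeercert(binary_form=True) returns; an empty
    value means no certificate was presented and the request is refused."""
    if not peer_der:
        return False
    expected = expected_sha256_hex.lower().replace(":", "")
    return hmac.compare_digest(cert_fingerprint(peer_der), expected)


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        peer_der = self.connection.getpeercert(binary_form=True)
        if not peer_is_api_gateway(peer_der, EXPECTED_FINGERPRINT):
            self.send_error(403, "client certificate is not the API Gateway's")
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"hello from the backend\n")


if __name__ == "__main__":
    httpd = HTTPServer(("0.0.0.0", 8443), Handler)
    ctx = build_server_context(SERVER_CERT, SERVER_KEY, APIGW_CLIENT_CERT)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()
```

Rotating the certificate in API Gateway changes the fingerprint, so the pinned value must be updated alongside the trust anchor file.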