0
votes

I have a requirement where Salesforce will make a REST call to an API that sits behind an AWS API Gateway. I want to know whether AWS API Gateway supports mutual TLS (i.e. if Salesforce presents its TLS client certificate, can AWS API Gateway validate it?).

The AWS API Gateway docs mention mutual TLS with a backend service, but my requirement is to have mutual TLS with Salesforce, which is the front-end (calling) service.

The call will follow this flow: Salesforce (HTTP call) ---> AWS API Gateway (API) ---> Lambda

1
Out of the box - no. – identigral

1 Answer

1
votes

AWS announced generally-available support for client-server mutual TLS (mTLS) authentication on 17 September 2020:

Amazon API Gateway now supports mutual TLS (mTLS) authentication. Customers can now enable mTLS on custom domain names for regional REST and HTTP APIs at no additional cost. Mutual TLS enhances the security of your API and helps protect your data from attacks such as client spoofing or man-in-the-middle attacks.
Historically, API Gateway has supported one-way TLS to ensure that API clients are able to verify API Gateway's identity by validating its public certificate. With this new feature, customers can now configure a custom domain name to enforce two-way TLS or mTLS, which enables certificate-based authentication both ways: client-to-server and server-to-client. This helps you comply with security requirements for your Open Banking solution or easily authenticate devices in an IoT solution.

See the announcement here: https://aws.amazon.com/about-aws/whats-new/2020/09/amazon-api-gateway-supports-mutual-tls-authentication/

You can configure mTLS for your API Gateway HTTP API custom domain and create a truststore in S3 of X.509 certificates that you trust to access your API. Clients must then present trusted certificates with each request to successfully access your API.

See the documentation here: https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-mutual-tls.html