How to secure an AWS API Gateway with mTLS using AWS CDK

MTLS sequence diagram flow

Mutual TLS (mTLS) offers strong authentication and encryption, protecting against unauthorized access. Implementing mTLS with an API Gateway strengthens your infrastructure and ensures secure, seamless communication.

TLS vs mTLS

In traditional TLS, only the server authenticates itself to the client using a digital certificate. The client verifies the server’s identity by validating the certificate presented by the server. Meanwhile, mTLS, also known as two-way TLS or client-authenticated TLS, requires both the client and the server to authenticate themselves using digital certificates. This mutual authentication ensures that both parties are who they claim to be.

Benefits of implementing mTLS with API Gateway

1. Enhanced Security: mTLS strengthens security by requiring clients and servers to present valid certificates, mitigating risks associated with unauthorized access, man-in-the-middle attacks, and eavesdropping.
2. Identity Verification: API Gateway verifies the identity of clients and the servers, ensuring that only authorized entities can access the services.
3. Data Confidentiality: By encrypting data in transit, mTLS prevents unauthorized parties from intercepting and deciphering sensitive information between services.
4. Compliance Requirements: Many regulatory frameworks and industry standards mandate robust security measures. Implementing mTLS with API Gateway helps organizations comply with data protection regulations such as GDPR, HIPAA, and PCI DSS.
5. Centralized Management: API Gateway facilitates centralized management of security policies, certificate management, and access control, streamlining the administration of security protocols across the API infrastructure.

Process of mTLS Authentication

Public Key vs Private Key

In mTLS, each party (server and client) has a private key, which is kept secret, and a public key, shared in a digital certificate. During the mTLS handshake, both parties exchange certificates, verifying each other’s identity by using the public keys. The public key encrypts data, which only the corresponding private key can decrypt. This ensures not only secure data transmission but also mutual authentication, protecting against unauthorized access and man-in-the-middle attacks by confirming the identities of both parties.

Role of a Certificate Authority in mTLS?

In mTLS, a Certificate Authority (CA) plays a critical role in establishing trust between the client and server. The CA is a trusted third party responsible for issuing, validating, and managing digital certificates. These certificates contain public keys and identity information, and the CA ensures their legitimacy by signing them with its private key.

Implement mTLS with API Gateway using AWS CDK

Create Root Key using AWS Console

• Go to AWS Private Certificate Authority
• Select the Root CA type

• Add Subject distinguished name

• Acknowledge Pricing
• Click on Create CA button
• You should see this screen; the creation of the certificate takes a while to be completed
• Copy and save the ARN, we’d need it to create the intermediate CA

Create the Server Certificate

• Create Intermediate Certificate Authority using Cloudformation’s Custom Resource and AWS CDK: First, create a CDK stack for the custom resource. We need a custom resource to generate an intermediate certificate authority because the certificate issuance process can take some time. This allows us to wait for the certificate to be issued. You can learn more about custom resources here

• Generate CSR: A Certificate Signing Request (CSR) is needed to request a digital certificate from a Certificate Authority (CA). It contains the public key and organization details like domain name, allowing the CA to verify the requester’s identity. The CSR initiates the certificate issuance process, enabling secure, encrypted communication once the certificate is issued. You can read up more on CSR here

• Create an intermediate certificate authority and S3 bucket with versioning: An intermediate certificate authority (CA) in mTLS adds an extra layer of security and trust by bridging the root CA and the end-entity certificates (client/server). Instead of issuing certificates directly from the root CA, the intermediate CA handles certificate issuance. This separation limits the exposure of the root CA and allows for better management, such as revoking or replacing the intermediate CA without compromising the root CA’s security. It also enhances scalability and delegation of trust in larger networks.

• Create Rest API Gateway with AWS CDK and enable mTLS

Create the Client Certificate

• Issue Client Certificate: A client certificate serves as proof of the client’s identity, allowing the server to trust the client before establishing a secure connection. This certificate is issued and signed by the server’s private key

Test API with Postman

• Click on the Settings icon
• Click on Settings on the dropdown menu.

• Click on Certificates
• Click on Add Certificate...

• Add your custom domain
• Add the CRT file (client.pem) that was created in the issue client certificate step
• Add the KEY file (client.key) that was also created in the issue client certificate step
• Click on the Add button

Conclusion

Implementing robust security measures is non-negotiable. API Gateway with enabled mTLS, offers a potent solution for securing communication between services in a distributed environment. By enforcing mutual authentication and encryption at the gateway level, organizations can fortify their API infrastructure against evolving threats while ensuring compliance with regulatory requirements. Embrace mTLS with API Gateway to build a secure and resilient API ecosystem that inspires trust and confidence among users and stakeholders.