Reputation: 692
Is it possible to set up client TLS authentication on AWS API Gateway?
I do not mean between API Gateway and Elastic Beanstalk, as it is described here, but between the client and the API Gateway itself, probably having a custom authorizer (e.g. Lambda) that checks the certificate for validity before forwarding the request to Elastic Beanstalk.
Upvotes: 0
Views: 1315
Reputation: 706
You can do that by creating a custom domain name for your API and adding a cert to your custom domain name.
Here is how you can set up certs for a custom domain:
To provide a certificate for an edge-optimized custom domain name, you can request AWS Certificate Manager (ACM) to generate a new certificate in ACM or to import into ACM one issued by a third-party certificate authority.
To provide a certificate for a regional custom domain name in a region where ACM is supported, you must request a certificate from ACM. To provide a certificate for a regional custom domain name in a region where ACM is not supported, you must import a certificate to API Gateway in that region.
To import an SSL/TLS certificate, you must provide the PEM-formatted SSL/TLS certificate body, its private key, and the certificate chain for the custom domain name. Each certificate stored in ACM is identified by its ARN. To use an AWS-managed certificate for a domain name, you simply reference its ARN.
ACM makes it straightforward to set up and use a custom domain name for an API: create in or import into ACM a certificate for the given domain name, set up the domain name in API Gateway with the ARN of the certificate provided by ACM, and map a base path under the custom domain name to a deployed stage of the API. With certificates issued by ACM, you do not have to worry about exposing any sensitive certificate details, such as the private key.
Ref: https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html
Upvotes: -1
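The certificate check the question sketches for a Lambda authorizer, as an added Go example that is not part of this thread: it assumes API Gateway hands the authorizer the client certificate PEM (assumed field requestContext.identity.clientCert.clientCertPem, available once mTLS is enabled on the custom domain) and that the authorizer pins the CA that issued client certificates. Issue only fabricates test material so the check can run offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// VerifyClientCert is the check a Lambda authorizer would run on the client certificate PEM that API Gateway
// exposes once mTLS is enabled (assumed field requestContext.identity.clientCert.clientCertPem): the chain must
// lead to the pinned CA, be valid at `now` and carry the ClientAuth EKU; the CN is what becomes principalId.
func VerifyClientCert(certPEM []byte, ca *x509.Certificate, now time.Time) (string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("no PEM certificate in request context")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", fmt.Errorf("unparseable client certificate: %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca) // pin the issuing CA; the chain the client presents is never trusted on its own
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", fmt.Errorf("client certificate rejected: %w", err)
	}
	return cert.Subject.CommonName, nil
}

// Issue produces constructed test material only: a self-signed CA when parent is nil, otherwise a
// client certificate signed by parent. It returns the parsed cert, its key and the PEM the authorizer gets.
func Issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, []byte) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed root: sign with our own key
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

A real authorizer would wrap VerifyClientCert in the Lambda handler and return an Allow policy for the CN on success and Deny otherwise.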