sashoalm

Reputation: 79685

Can an ELB enforce TLS authentication?

I am using AWS::ElasticLoadBalancingV2::LoadBalancer and we need to start using client certificates (i.e. mTLS / two-way TLS). Our ELB is terminating TLS connections and has a server-side certificate.

Can the ELB itself be configured to enforce client authentication (by giving it a certificate, for example)?

Upvotes: 4

Views: 4378

Answers (3)

Erhhung

Reputation: 996

As of the announcement at AWS re:Invent 2023 in November, there is finally support for mTLS for ALBs, and you can use AWS's PCA (Private CA) to manage client certs.

Announcement: https://aws.amazon.com/blogs/aws/mutual-authentication-for-application-load-balancer-to-reliably-verify-certificate-based-client-identities/

How-To: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/mutual-authentication.html

Private CA: https://docs.aws.amazon.com/privateca/latest/userguide/PcaWelcome.html

Upvotes: 3
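
An added example of the configuration this answer refers to, written in the CloudFormation form the question uses. It is not code from the answer above or from the linked AWS documentation. It assumes the CA certificate bundle that signs your client certificates has already been uploaded to S3, and the bucket name, object key, server certificate ARN, and the `LoadBalancer` and `TargetGroup` logical names are placeholders (assumptions) to be replaced with your own:

```yaml
# Added example, not from the original post. Names and ARNs below are
# placeholders (assumptions); the CA bundle is assumed to exist in S3.
Resources:
  # The trust store holds the CA certificate(s) that client certificates
  # must chain to. The bundle is a PEM file of one or more CA certs.
  ClientCaTrustStore:
    Type: AWS::ElasticLoadBalancingV2::TrustStore
    Properties:
      Name: client-ca-trust-store
      CaCertificatesBundleS3Bucket: my-ca-bucket        # placeholder
      CaCertificatesBundleS3Key: client-ca-bundle.pem   # placeholder

  # HTTPS listener that terminates TLS with the server certificate and,
  # in "verify" mode, rejects any handshake whose client certificate does
  # not validate against the trust store.
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancer                # placeholder resource
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      Certificates:
        - CertificateArn: arn:aws:acm:us-east-1:123456789012:certificate/REPLACE-ME  # placeholder
      MutualAuthentication:
        Mode: verify                                    # "passthrough" would forward without validating
        TrustStoreArn: !Ref ClientCaTrustStore
        IgnoreClientCertificateExpiry: false            # keep false: expired client certs are rejected
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref TargetGroup              # placeholder resource
```

Two things to check before relying on this as the enforcement point: `Mode: verify` is what makes the load balancer reject unauthenticated clients, whereas `passthrough` only forwards the presented certificate to the target and leaves validation to your application; and the ALB forwards details of the verified certificate (subject, issuer, serial number, validity) to targets in `X-Amzn-Mtls-Clientcert-*` headers, so the application should still make its authorization decision on the subject or serial rather than treating "the connection arrived" as sufficient.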

David Tenace

Reputation: 11

While an AWS load balancer doesn't provide mTLS authentication via a client-provided certificate, you could do that by instead using an API Gateway.

There's an example blog post from AWS here showing how it works: https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/

Upvotes: 1

Mark B

Reputation: 201058

As I answered in your previous question, this is not a supported feature of AWS load balancers at this time. You have to switch to a load balancer type that supports TCP passthrough, and handle mTLS on your server.

Upvotes: 7
