Reputation: 79685
Can an ELB enforce TLS authentication?
I am using AWS::ElasticLoadBalancingV2::LoadBalancer and we need to start using client certificates (i.e. mTLS / two-way TLS). Our ELB is terminating TLS connections and has a server side certificate.
Can the ELB itself be configured to enforce client authentication (by giving it a certificate for example)?
Upvotes: 4
Views: 4378
Answers (3)
Reputation: 996
As of the announcement at AWS re:Invent 2023 in November, there is finally support for mTLS for ALBs, and you can use AWS's PCA (Private CA) to manage client certs.
How-To: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/mutual-authentication.html
Private CA: https://docs.aws.amazon.com/privateca/latest/userguide/PcaWelcome.html
Upvotes: 3
Reputation: 11
While an AWS load balancer doesn't provide mTLS authentication via a client-provided certificate, you could do that by instead using an API Gateway.
There's an example blog post from AWS here showing how it works: https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/
Upvotes: 1
Reputation: 201058
As I answered in your previous question, this is not a supported feature of AWS load balancers at this time. You have to switch to a load balancer type that supports TCP passthrough, and handle mTLS on your server.
Upvotes: 7
Related Questions
- ELB to backend server using HTTPS with self-signed certificate
- Can an Amazon ELB break mutual TLS authentication?
- AWS-issued (managed) TLS/SSL certificate for ELB/ALB
- Support for two-way TLS/HTTPS with ELB
- Can I use AWS own ELB certificate for HTTPS/SSL connection?
- What is SSL security policy for ELB
- Authenticate on a EB environment by using client-side ssl authentication for amazon api-gateway
- Adding SSL communication between ELB EC2 on AWS and forcing only HTTPS comunication
- AWS and TLS Authentication
- AWS ELB Server-Side HTTPS