AWSAPIGatewayMTLS
AWS API Gateway 支持使用 Mutual TLS (MTLS),通过在客户端和 API Gateway 之间启用 SSL/TLS 客户端身份验证,来增强 API 的安全性。以下是在 AWS CLI 中创建 MTLS 配置的示例代码:
1.手动创建 MTLS 证书
aws acm-pca create-certificate-authority --certificate-authority-configuration "KeyAlgorithm=RSASSA_PSS_2048_SHA256,SigningAlgorithm=SHA256WITHRSA,Purpose=TLS_SERVER" aws acm-pca get-certificate-authority-csr --certificate-authority-arn {certificate-authority-arn} --query Csr --output text > api-gateway-server.csr aws acm-pca issue-certificate --certificate-authority-arn {certificate-authority-arn} --csr file://api-gateway-server.csr --signing-algorithm SHA256WITHRSA --validity Value=365,Type="DAYS" --idempotency-token {idempotency-token} --query CertificateArn --output text > certificate-arn.txt aws acm-pca get-certificate --certificate-authority-arn {certificate-authority-arn} --certificate-arn $(cat certificate-arn.txt) --query Certificate --output text > api-gateway-server.crt
- 使用 MTLS 配置启用 API Gateway mTLS
aws apigateway update-rest-api --rest-api-id {rest-api-id} --patch-operations op="replace",path="/endpointConfiguration/types/EDGE/mtlsConfig/mode",value="REQUIRED" aws apigateway create-stage --rest-api-id {rest-api-id} --stage-name {stage-name} --deployment-id {deployment-id} --description {description} --access-log-settings '{"destinationArn": "{access-logs-ARN}","format": "{access-logs-format}"}' --client-certificate-id $(aws acm-pca get-certificate-authority-certificate --certificate-authority-arn {certificate-authority-arn} --query Certificate --output text | openssl x509 -outform der | openssl base64 -A) --no-certificate-verification aws apigateway update-stage --rest-api-id {rest-api-id} --stage-name {stage