
Reading this post, I'm trying to understand how mutual TLS works in AWS. I think I understand most parts, but what is unclear to me is the arrow going from AWS Certificate Manager to the client. I'm guessing this is the server certificate presented to the client.

But does the client need to actively request this or is it handled automatically by the TLS handshake during the call to the API?

[image: diagram of the mutual TLS flow discussed above]


1 Answer

The line from ACM to the client in the diagram is just ACM issuing the client certificate. It wouldn't make much sense (from a security perspective) for the client to go somewhere else than the server to get the server certificate.

SSL/TLS certificate validation happens during the SSL handshake when the TCP connection between the client and server is initially established.

  • Stupid question then: how do you prevent malicious clients from being issued client certs? – Christian Nov 15 '21 at 14:39
  • How would a malicious client obtain the AWS IAM permissions needed to successfully call the ACM service? – Mark B Nov 15 '21 at 14:46
  • In my case the client is a C library running on an IoT device. How would you use IAM in this case other than embedding the AWS credentials on it (which I guess isn't preferable)? – Christian Nov 15 '21 at 14:56
  • 1
    AWS has an entire suite of IoT services which include methods to secure the device and provide specific IAM permissions to the device, for example https://aws.amazon.com/iot-device-defender/ – Mark B Nov 15 '21 at 15:00
  • I guess the client certificate could be installed during the client build process given that the build server has access to the certificate manager right? – Christian Nov 15 '21 at 15:58
  • 1
    I would suggest reading up on how AWS IoT client certificates work, via the IoT service. This is a separate thing from the ACM certificates you are currently looking at. I would install the IoT client certificate via the AWS IoT provisioning workflow, and then the device can use that certificate to request temporary IAM permissions, which it could then use to request an ACM certificate. Or you could switch to IAM authentication on your API Gateway instead of using client certificates, and skip the ACM client certificate. https://docs.aws.amazon.com/iot/latest/developerguide/iot-provision.html – Mark B Nov 15 '21 at 16:04
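As an added example (not code from the question or the answer, and not an AWS SDK call), the Go program below builds a throwaway CA plus server and client certificates and shows what the answer describes: the client never fetches or "requests" a certificate, both sides' certificates are exchanged and validated inside the handshake that tls.Dial runs, and a client presenting no certificate is rejected before any application data is read. The CA, the names and the "ok" reply are constructed stand-ins; nothing here talks to ACM or API Gateway.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints a cert for cn: a self-signed CA when parent is nil (a constructed stand-in for
// the private CA behind ACM), otherwise a leaf signed by that parent.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil { signer, signerKey = parent.Leaf, parent.PrivateKey.(ed25519.PrivateKey) }
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// MTLSExchange runs one mutual-TLS connection against an in-process server that requires a
// client cert and returns the server's reply. The client requests nothing explicitly: both
// certificates travel inside the handshake tls.Dial performs before any data flows.
func MTLSExchange(presentClientCert bool) (string, error) {
	ca := issue("demo-ca", nil)
	srv, cli := issue("api-server", &ca), issue("device-001", &ca)
	pool := x509.NewCertPool(); pool.AddCert(ca.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{srv},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}) // reject clients without a CA-issued cert
	if err != nil { return "", err }
	defer ln.Close()
	go func() { // server side: Write completes the handshake first and fails if the client cert is bad
		if c, err := ln.Accept(); err == nil { c.Write([]byte("ok")); c.Close() }
	}()
	cfg := &tls.Config{RootCAs: pool, ServerName: "localhost"} // client validates the server chain
	if presentClientCert { cfg.Certificates = []tls.Certificate{cli} }
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg) // a TLS 1.2 server rejects already here
	if err != nil { return "", err }
	defer conn.Close()
	buf := make([]byte, 2); n, err := conn.Read(buf) // a TLS 1.3 server reports the missing client cert here
	if err != nil { return "", err }
	return string(buf[:n]), nil
}
```

Calling MTLSExchange(true) returns "ok", while MTLSExchange(false) returns an error because the server closes the connection with a TLS alert.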