
I need to make a secure HTTP callout from Salesforce (using Apex) to AWS Lambda and I build my first version using AWS API Gateway. I realized I can get a client certificate from API Gateway (.crt) but this looks like it is only for AWS backend and is not meant to be for the HTTP request sent to API Gateway. What are my alternatives to establish a secure connection from outside AWS (Salesforce) to a Lambda function?

So far I've found this, which is a disappointing dead-end for now.

Jorjani
  • Are you using a custom domain or the default domain provided by AWS API Gateway? The default AWS domain is already secured (HTTPS). If you need a secure custom domain, I posted instructions below. – Renato Byrro Jan 26 '18 at 16:55
  • I am using a custom domain and used Route 53 to map to it and I used the certificate that I created on ACM for it. My problem is encrypting my HTTP request that is sent from somewhere else and I need to be able to use the certificate to encrypt it there so it is not sent – Jorjani Jan 26 '18 at 18:41
  • Any data you send over an HTTPS connection is already encrypted from the time it leaves Salesforce server until it's received by the AWS API gateway. Do you need an extra layer of encryption? – Renato Byrro Jan 26 '18 at 19:20
  • I understand that. I must be missing something obvious here. I just don't know how to get this certificate over to Salesforce to encrypt the request using it in the first place. – Jorjani Jan 26 '18 at 19:24
  • You don't have to, it is already handled for you. Every SSL certificate has a **private** and a **public key**. Salesforce and AWS servers will _handshake_, meaning AWS will provide Salesforce with a **public key**. Salesforce will encrypt the data using this **public key**. Once it's encrypted, it can only be decrypted by the **private key**. Since only your AWS server will have the **private key**, no one else can decrypt the data. Not even the Salesforce server could reverse the encryption without the private key. It's really safe, banks and credit cards rely on this tech, you should be fine. – Renato Byrro Jan 27 '18 at 02:58
  • In case you want to understand a little more, check this: https://robertheaton.com/2014/03/27/how-does-https-actually-work/ – Renato Byrro Jan 27 '18 at 02:59

2 Answers


Like the link you posted says, API Gateway does not currently support MTLS. Other options for you to add security to the calls at the moment are:

  1. IAM permissions, and here.
  2. API Gateway custom authorizers.
  3. Cognito User Pools.
Viccari
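As an added example of option 2 above (this is illustrative code, not from the answer or from AWS documentation): a REQUEST-type Lambda authorizer in Python together with the client-side signer it expects. The `HMAC-SHA256 <client>:<timestamp>:<mac>` header layout, the `CLIENTS` registry, the five-minute replay window and the `X-Content-Sha256` header are all assumptions made for the example; the authorizer response shape (`principalId` plus an `execute-api:Invoke` policy) is what API Gateway requires from a Lambda authorizer.

```python
"""Added example (not from the answer above): an API Gateway Lambda REQUEST
authorizer that validates an HMAC-signed Authorization header, plus the
matching client-side signer. Header layout, CLIENTS and the replay window
are assumptions for illustration."""
import hashlib
import hmac
import time

# Constructed registry: client id -> shared secret. In a real deployment this
# comes from Secrets Manager / SSM Parameter Store, never from source code.
CLIENTS = {"salesforce-prod": b"replace-with-a-long-random-secret"}
REPLAY_WINDOW_SECONDS = 300   # assumption: signatures older than 5 min are rejected
SCHEME = "HMAC-SHA256"        # assumption: scheme token carried in the header


def body_digest(body: str) -> str:
    """SHA-256 of the request body, sent by the client in X-Content-Sha256."""
    return hashlib.sha256(body.encode()).hexdigest()


def _string_to_sign(method, path, timestamp, content_sha256):
    # Client and authorizer must agree on exactly this canonical string.
    return "\n".join([method.upper(), path, str(timestamp), content_sha256])


def sign_request(client_id, secret, method, path, body, timestamp=None):
    """Client side (what the caller would compute): returns the two headers
    to attach to the outgoing HTTPS request."""
    ts = int(time.time()) if timestamp is None else int(timestamp)
    digest = body_digest(body)
    mac = hmac.new(secret, _string_to_sign(method, path, ts, digest).encode(),
                   hashlib.sha256).hexdigest()
    return {"Authorization": f"{SCHEME} {client_id}:{ts}:{mac}",
            "X-Content-Sha256": digest}


def verify_request(auth_header, method, path, content_sha256, now=None):
    """Server side: returns the client id if the header verifies, else None.
    Fails closed on any parse error, unknown client or stale timestamp."""
    now = int(time.time()) if now is None else int(now)
    try:
        scheme, rest = auth_header.split(" ", 1)
        client_id, ts, mac = rest.split(":")
        ts = int(ts)
    except (AttributeError, ValueError):
        return None
    if scheme != SCHEME or client_id not in CLIENTS:
        return None
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return None
    expected = hmac.new(CLIENTS[client_id],
                        _string_to_sign(method, path, ts, content_sha256 or "").encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak the expected MAC.
    if not hmac.compare_digest(expected, mac):
        return None
    return client_id


def _policy(principal, effect, method_arn):
    # Response format API Gateway expects from a Lambda authorizer.
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect,
                           "Resource": method_arn}],
        },
    }


def lambda_handler(event, context=None, now=None):
    """Entry point for a REQUEST-type authorizer. Header names are matched
    case-insensitively because API Gateway may lowercase them. The authorizer
    does NOT receive the body, so only the body digest header is checked here;
    the backend must recompute body_digest(body) and compare it to the header."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    client = verify_request(headers.get("authorization"),
                            event.get("httpMethod", ""),
                            event.get("path", ""),
                            headers.get("x-content-sha256"),
                            now=now)
    if client is None:
        return _policy("anonymous", "Deny", event["methodArn"])
    return _policy(client, "Allow", event["methodArn"])
```

Two practical notes. First, the authorizer never sees the request body, which is why the body is bound to the signature through the `X-Content-Sha256` header; the backend Lambda has to recompute the digest over the body it actually received and reject a mismatch, otherwise an attacker who captures a valid header pair can replay it with a different body inside the time window. Second, this shared-secret scheme is essentially a hand-rolled version of option 1: if the caller can perform SigV4 signing, IAM authorization on the API Gateway method gives the same binding of method, path, headers and payload hash without a custom authorizer to maintain.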

If you need a custom domain associated with the API Gateway:

  1. Go to Route53 and add your domain (new Hosted Zone), if you haven't done it already.
  2. On AWS Certificate Manager, import or request a certificate for the custom domain you intend to use in your API Gateway endpoints.
  3. Open the API Gateway dashboard and go to "Custom Domain Names". Click "Create a custom domain name" and, in the option "ACM Certificate (region)", select the certificate you generated/imported in item 2 above.

That's it, now you should be able to trigger your Lambda functions using API Gateway from a secure connection (HTTPS). Please note that, if you do this, API Gateway will refuse connections over insecure HTTP protocol.

Renato Byrro