Exam ANS-C00 topic 1 question 88 discussion

In certificate based authentication, the certificate contains only the public key and is signed by a trusted CA. Certificates will never have private key in it. A & C are out of scope. API gateway supports mutual TLS (mTLS). It authenticates the clients by making use of the provided PEM encoded trust store file (certificates of all required CA's in the chain). It will not check with the backend instances to verify the client's certificate. B is the right answer.

Those who said something about SNI Smart Cert selection... do you guys know what it means???? Seriously people. That means only one thing - you are taking this exam without even knowing what SNI is. SNI smart cert is about SERVER certificate for multi-homed deployment. It has nothing to do with client certificate / mutural auth. The option is there just to confuse people like this.

Ans is B

Great reddit discussion on this : ''Neither load balancers nor API Gateway support client certificate authentication from a user to your app. Just load balance the traffic using an ELB in TCP mode or a network load balancer. Then have each of your web servers set up to accept and validate client certificates against a list of trusted certificates. That functionality is built in to most modern web servers.''https://www.reddit.com/r/aws/comments/gohiwl/how_to_enable_two_way_ssl_in_the_aws_load/

Basically, you want pass through authentification, B then Network Load balancer with TCP 443

And for those who mentioned API Gateway, it seems you never implemented it in AWS API gateway. The key problem with D is that AWS API Gateway does NOT support custom backend for custom authorizers. It only support Cognito, Lambda and IAM. The identify of the client (which is determined by the client public key stored in AWS API Gateway) nor the authorization of such client (which requires custom authorizer) is never passed to your backend.

Both A and C suggest to upload de private key : upload the client certificate private keys. This is not how mutual SSL works. The client has the private key and can ben checked by the public part. Hense both B and D would work but B is the most simple solutions. So i would go for D.

B, as SNI is for multiple servers after ELB. Only possible method is to passthrough to backend server where the Client certificate is installed.

B is correct. C importing private key to ALB is definitely wrong, you must never let your private key out of your own control if you choose to use client-side certificate

D. api gateway support client side sertificate

Answer: B A - incorrect - not possible to upload certificates to the Classic Load Balancer - upload to ACM or IAM. Plus client cert private keys would be kept with the client B - correct - Configure NLB for TCP, which is in effect pass-through. Application [web] service is where client side authentiction is enabled. C - incorrect - cannot use the ALB to perform client side authentication. it performs server-side authentication. Also, client-side auth keeps the private key with the client, not the server D - incorrect - no such thing as mutual auth feature in API gateway - its could be provided by other backend services

C https://aws.amazon.com/blogs/aws/new-application-load-balancer-sni/

C. NLB does not support sessions, which means each new request is passed to different server

Ans is B

Its C. ALB supports SNI

Interestingly both ELB and ALB none does support SSL mutual authentication. NLB can pass-through the request to backend EC2 and mutual SSL auth is managed by EC2.

I would go for B