# mTLS Authorization **Overview** For enhanced security and controlled access to nodes hosted on Amazon EC2, thunderstack.org utilizes a dual-layered authorization approach that combines the built-in mTLS capabilities of AWS API Gateway with a custom Lambda authorizer. This setup provides comprehensive certificate validation and fine-grained access control. **Integration of API Gateway mTLS and Lambda Authorizer** 1. **API Gateway mTLS**: * **mTLS Configuration**: AWS API Gateway is configured to require mutual TLS (mTLS) for all incoming connections to specific API routes. This setup mandates that all clients must present a valid TLS certificate to establish a connection. * **Certificate Validation**: As part of the TLS handshake process, API Gateway verifies the client's certificate against a list of trusted Certificate Authorities (CAs). This ensures that only clients with certificates issued by trusted entities can initiate API calls. 2. **Custom Lambda Authorizer**: * **Role of Lambda Authorizer**: After the initial mTLS validation by API Gateway, a custom Lambda authorizer is invoked to perform additional security checks and access control decisions. * **Detailed Validation and Authorization**: * The Lambda function further inspects the validated certificate to extract and verify specific details such as the user ID and node ID. * Based on these details and predefined security policies, the Lambda authorizer decides whether to grant or deny access to the requested node resources. * It dynamically generates an IAM policy that either allows or denies the API request, applying this decision to the ongoing session. **Security Workflow** 1. **Client Certificate Submission**: When a client initiates an API call, it must present a valid certificate as part of the secure TLS connection setup. 2. **Initial mTLS Verification by API Gateway**: The certificate is first checked by API Gateway to confirm its validity and trustworthiness against known CAs. 3. **Further Validation by Lambda Authorizer**: * Upon successful initial validation, the Lambda authorizer examines the certificate for specific attributes critical for accessing the node. * The authorizer assesses the integrity and relevance of these attributes and ensures they align with the security requirements of the node being accessed. 4. **Access Decision and Enforcement**: * If all checks pass, the Lambda authorizer issues an IAM policy that permits the request, allowing the client to interact with the node. * If the certificate or its attributes fail to meet the necessary criteria, the request is denied, thereby blocking any potential unauthorized access.