Tags: node.js, amazon-web-services, aws-lambda, aws-api-gateway, psd2

How to manage client certificates for mutual TLS to be used within AWS Lambda


Our team is using AWS Lambda functions and API Gateway to facilitate connections to open banking APIs (PSD2) within Europe.

Our Lambdas are written in Node.js.

PSD2 requires Mutual TLS, which is fine and we have everything correctly implemented and working in a sandbox environment.

An example request would look something like this:

const fs = require('fs');

const options = {
  hostname: '[bank hostname]',
  path: '[bank api endpoint]',
  method: 'GET',
  headers: {
    accept: 'application/json',
    signature: 'XXX',
    date: 'XXX',
    digest: 'XXX',
    'x-request-id': 'XXX',
    'tpp-signature-certificate': '[PATH_TO_CERTIFICATE]',
    authorization: 'Bearer [accessToken]',
  },
  cert: fs.readFileSync('/var/task/certs/cert.crt'), // Buffer
  key: fs.readFileSync('/var/task/certs/private.key'), // Buffer
};

The problem we currently have is that we are unsure where to securely store our certificates. For the time being, we are just storing them in an assets folder in our codebase; this is not ideal, and we would like to move them out of our codebase for obvious reasons.

We have been looking at AWS ACM. However, it is not clear how we would retrieve a path to the certificates (after uploading them) in order to use it in the request above.

So my question is: how would we use AWS to securely store our certificates in such a way that we can use them in an HTTPS request?


Solution

  • You cannot retrieve certificates from ACM; in fact, these are attached to AWS resources only, such as CloudFront, ELBs and API Gateway.

    To retrieve the contents there are a couple of solutions.

    The first is to store this in a credential/secrets store; AWS provides this functionality in the Secrets Manager service. Additionally, you can store a SecureString in the Systems Manager Parameter Store.

    Alternatively you could use a third party solution such as HashiCorp Vault.

    With this approach, if you need the file to exist on disk you will need to store the output in the tmp file storage.

    If these approaches do not work for you, you could make use of AWS EFS. A recent addition has added support to allow Lambdas to have an NFS mount attached to share storage.