Security Architect

Cards (488)

    • You cannot use the aws:SourceIp condition in your IAM policies for requests to Amazon S3 through a VPC endpoint. This applies to IAM policies for users and roles, and to any bucket policies.
    • A WAF web ACL can only be applied to the following resource types: CloudFront distribution, Amazon API Gateway REST API, Application Load Balancer, AWS AppSync GraphQL API and Amazon Cognito user pool.
    • By default, the TLS protocol only requires a server to authenticate itself to the client. The authentication of the client to the server is managed by the application layer. The TLS protocol also offers the ability for the server to request that the client send an X.509 certificate to prove its identity. This is called mutual TLS (mTLS), as both parties are authenticated via certificates within TLS.
    • For mTLS support, you need to create a TCP listener using a Network Load Balancer or a Classic Load Balancer and implement mTLS on the target. The load balancer passes the request through as is, so you can implement mTLS on the target.