'What security requirements are expected by AWS API Gateway by default? BG96 fails on API Gateway GET Request
I wish to hit some API Gateway HTTPS end points using a BG96 for an IoT project. I have set up a GET method using AWS API Gateway that retrieves an entry from a DynamoDB table given the entry ID and a Lambda function to process the request. The end point does not require an API key nor AWS IAM role for authorization, it is open.
API URL: htttps://...amazonaws.com/dev/data/{id}
I can perform a GET request on the end point successfully using Postman however if I use the Quectel BG96 I receive a 403 Forbidden error and there's no log of the Lambda function ever being called which makes me thing the request is being blocked before reaching the Lambda Function. If I request a different HTTPS endpoint (not the one I created on API Gateway, e.g. https://www.alipay.com/) using the BG96 I am successful.
Success - Example output below is for an HTTP endpoint but it does work for HTTPS end points as well.
[2022-02-03 15:25:19:468_R:] +QHTTPGET: 0,200,260
[2022-02-03 15:25:19:727_S:] AT+QHTTPREAD=80
[2022-02-03 15:25:19:780_R:] AT+QHTTPREAD=80
[2022-02-03 15:25:19:780_R:] CONNECT
[2022-02-03 15:25:19:780_R:] HTTP/1.1 200 OK
[2022-02-03 15:25:19:780_R:] Date: Thu, 03 Feb 2022 04:25:19 GMT
[2022-02-03 15:25:19:780_R:] Content-Type: application/json
[2022-02-03 15:25:19:780_R:] Content-Length: 260
[2022-02-03 15:25:19:780_R:] Connection: keep-alive
[2022-02-03 15:25:19:780_R:] Server: gunicorn/19.9.0
[2022-02-03 15:25:19:780_R:] Access-Control-Allow-Origin: *
[2022-02-03 15:25:19:780_R:] Access-Control-Allow-Credentials: true
[2022-02-03 15:25:19:780_R:] {
[2022-02-03 15:25:19:780_R:] "args": {},
[2022-02-03 15:25:19:780_R:] "headers": {
[2022-02-03 15:25:19:780_R:] "Accept": "*/*",
[2022-02-03 15:25:19:780_R:] "Host": "httpbin.org",
[2022-02-03 15:25:19:780_R:] "User-Agent": "QUECTEL_MODULE",
[2022-02-03 15:25:19:780_R:] "X-Amzn-Trace-Id": "Root=1-61fb592f-4fd419b62b1b51ff0b9acb08"
[2022-02-03 15:25:19:780_R:] },
[2022-02-03 15:25:19:780_R:] "origin": "115.187.131.157",
[2022-02-03 15:25:19:780_R:] "url": "https://httpbin.org/get"
[2022-02-03 15:25:19:780_R:] }
[2022-02-03 15:25:19:780_R:] OK
[2022-02-03 15:25:19:780_R:] +QHTTPREAD: 0
Failure
[2022-02-03 15:01:10:606_R:] +QHTTPGET: 0,403,23
[2022-02-03 15:01:13:912_S:] AT+QHTTPREAD=80
[2022-02-03 15:01:13:964_R:] AT+QHTTPREAD=80
[2022-02-03 15:01:13:964_R:] CONNECT
[2022-02-03 15:01:13:964_R:] HTTP/1.1 403 Forbidden
[2022-02-03 15:01:13:964_R:] Date: Thu, 03 Feb 2022 04:01:10 GMT
[2022-02-03 15:01:13:964_R:] Content-Type: application/json
[2022-02-03 15:01:13:964_R:] Content-Length: 23
[2022-02-03 15:01:13:964_R:] Connection: keep-alive
[2022-02-03 15:01:13:964_R:] x-amzn-RequestId: 92420321-1e22-4967-8b9e-22988aee1046
[2022-02-03 15:01:13:964_R:] x-amzn-ErrorType: ForbiddenException
[2022-02-03 15:01:13:964_R:] x-amz-apigw-id: M8n9FGhfSwMFdRA=
[2022-02-03 15:01:13:964_R:] {"message":"Forbidden"}
[2022-02-03 15:01:13:964_R:] OK
[2022-02-03 15:01:13:964_R:] +QHTTPREAD: 0
By default Postman appears to be using TLSv1.2 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 encryption. I am wondering if the cause of rejection of the BG96 is because I haven't set security correctly. The following is the list of AT commands I use to set the BG96 and perform the GET request, note I'm setting TLSv1.2 and cipher TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 but also setting security level to 0 meaning no certificate is required which is where it might fall down:
AT+QHTTPCFG="contextid",1
AT+QHTTPCFG ="responseheader",1
AT+QIACT?
AT+QICSGP=1,1,"iot.truphone.com","","",1
AT+QIACT=1
AT+QIACT?
AT+QHTTPCFG="SSLCTXID",1
AT+QSSLCFG="SSLVERSION",1,3
AT+QSSLCFG="ciphersuite",1,0XC02F
AT+QSSLCFG="seclevel",1,0
AT+QHTTPURL=<url len in char>,<timeout in seconds>
CONNECT
<enter url>
AT+QHTTPGET=80
AT+QHTTPREAD=80
A better question might be what security does API Gateway RESTful endpoints require by default? Is a certificate always necessary?
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|
