1. 技术文章
  2. How to allow only an IP/range access to AWS API Gateway resources

How to allow only an IP/range access to AWS API Gateway resources

戏子无情 提交于 2019-12-24 06:34:05

问题


How best can I restrict access to certain routes in AWS API gateway by IP? I want to allow only my ECS cluster to access certain routes in API gateway. I tried putting the ECS NAT gateway, the VPC CIDR range in aws:SourceIp but always get denied. I even tried my personal computer public IP address ... same results ... Is this the correct way? Or should I try IAM authorizers? The downside with IAM authorizer is I need to sign my API calls? Perhaps using the API Gateway SDK? Which means code change I prefer to avoid. 

{
  "Id": "MY_API_POLICY",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": ["XX.XX.XX.XX/32"]
        }
      },
      "Resource": [
        "arn:aws:execute-*:*:apiid/stagename/*/private/route"
      ]
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": [
        "arn:aws:execute-*:*:apiid/stagename/*/public/route"
      ]
    }
  ]
}

回答1:


As @Visal already mentioned is restricting the ip/range is the correct way. Here is the example: https://aws.amazon.com/de/blogs/compute/control-access-to-your-apis-using-amazon-api-gateway-resource-policies/

There is an example for a policy that allows the access for a certain ip range:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<account_idA>:user/<user>",
                    "arn:aws:iam::<account_idA>:root"
                ]
            },
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:<account_idB>:qxz8y9c8a4/*/*/*"
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:<account_idB>:qxz8y9c8a4/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": " 203.0.113.0/24"
                }
            }
        }
    ]
}

Or if you want to deny the access then you will find this policy:

{
    "Effect": "Deny",
    "Principal": "*",
    "Action": "execute-api:Invoke",
    "Resource": "arn:aws:execute-api:us-east-1:<account_idB>:qxz8y9c8a4/*",
    "Condition": {
        "IpAddress": {
            "aws:SourceIp": "203.0.113.0/24"
        }
    }
}


来源:https://stackoverflow.com/questions/52857285/how-to-allow-only-an-ip-range-access-to-aws-api-gateway-resources

标签
amazon-web-services
authentication
authorization
aws-api-gateway
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!