I want to restrict the access of my AWS Lambda Functions to be accessible only from Bitbucket Webhooks call. I have tried creating a Function URL but I can't seem to find how to add this restriction. Also, I have tried AWS Gateway API and adding this resource policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "GATEWAY_API_ARN",
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "https://bitbucket.org/*",
                        "https://api.bitbucket.org/*"
                    ]
                }
            }
        }
    ]
}
But this is still not accessible from the Bitbucket webhooks, based on their logs. Maybe these URLs for Bitbucket are wrong?
The referer doesn't necessarily reflect the originating domain, and I would doubt that the webhook requests include this information.
I would switch to an IP-based restriction:
"Condition": {
    "IpAddress": {
        "aws:SourceIp": ["192.0.2.0/24", "198.51.100.0/24"]
    }
}
The relevant IP addresses are published here. Especially look for the section titled "Valid IP addresses for webhook delivery" at the end of the document.
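To see why the IP-based condition behaves differently from the referer-based one, here is a small Python simulation of how the two policy conditions evaluate against incoming requests. This is an added example, not code from the question or answer above and not AWS's real policy engine: the evaluator is a hypothetical stand-in that only understands the StringLike and IpAddress operators, the API ARN is a placeholder, and the CIDRs are the RFC 5737 documentation ranges from the answer, which must be replaced with the ranges Bitbucket actually publishes.

```python
"""Hypothetical mini-evaluator for the two API Gateway resource-policy
conditions discussed above. It models only what is needed to compare a
StringLike match on aws:Referer (a header the HTTP client chooses to send)
with an IpAddress match on aws:SourceIp (taken from the connection itself).
Not AWS's policy engine; ARN and CIDRs are placeholders."""
import fnmatch
import ipaddress

# Placeholder ARN, constructed for this example.
API_ARN = "arn:aws:execute-api:us-east-1:123456789012:abcdef1234/*/POST/webhook"


def referer_policy(api_arn, referer_patterns):
    """Resource policy shaped like the one in the question (StringLike on aws:Referer)."""
    return _allow_policy(api_arn, {"StringLike": {"aws:Referer": list(referer_patterns)}})


def source_ip_policy(api_arn, cidrs):
    """Resource policy shaped like the one in the answer (IpAddress on aws:SourceIp)."""
    return _allow_policy(api_arn, {"IpAddress": {"aws:SourceIp": list(cidrs)}})


def _allow_policy(api_arn, condition):
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": api_arn,
                "Condition": condition,
            }
        ],
    }


def _condition_matches(condition, request):
    """Every operator/key pair must match; a missing request key never matches."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            values = expected if isinstance(expected, list) else [expected]
            actual = request.get(key)
            if actual is None:
                return False
            if operator == "StringLike":
                # IAM's StringLike wildcard '*' matches any characters, including '/'.
                if not any(fnmatch.fnmatchcase(actual, v) for v in values):
                    return False
            elif operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(v, strict=False) for v in values):
                    return False
            else:
                raise ValueError(f"unsupported operator in this toy evaluator: {operator}")
    return True


def is_allowed(policy, request):
    """True if any Allow statement's condition matches (explicit Deny is not modelled)."""
    return any(
        stmt["Effect"] == "Allow" and _condition_matches(stmt.get("Condition", {}), request)
        for stmt in policy["Statement"]
    )


if __name__ == "__main__":
    # Constructed sample requests: aws:SourceIp is the connection address,
    # aws:Referer is whatever header the client chose to send (if any).
    by_referer = referer_policy(API_ARN, ["https://bitbucket.org/*", "https://api.bitbucket.org/*"])
    by_ip = source_ip_policy(API_ARN, ["192.0.2.0/24", "198.51.100.0/24"])

    webhook_without_referer = {"aws:SourceIp": "192.0.2.10"}
    client_elsewhere_with_referer = {"aws:SourceIp": "203.0.113.5",
                                     "aws:Referer": "https://bitbucket.org/anything"}

    print("referer policy, webhook w/o header :", is_allowed(by_referer, webhook_without_referer))
    print("referer policy, other IP w/ header :", is_allowed(by_referer, client_elsewhere_with_referer))
    print("ip policy, webhook from listed range:", is_allowed(by_ip, webhook_without_referer))
    print("ip policy, other IP                 :", is_allowed(by_ip, client_elsewhere_with_referer))
```

Running it shows the two failure modes the answer alludes to: a webhook delivery that sends no Referer header is rejected by the referer policy even though it comes from a listed range, while any client that sets a matching Referer header is accepted regardless of where it connects from. The IpAddress condition depends only on the source address, so it accepts the first request and rejects the second, which is the behaviour you want for a webhook endpoint.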