I have the following Resource Policy defined for my "REST API" in AWS API Gateway:
I tried the following approaches:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:eu-central-1:idPlaceholder:idPlaceholder/*/POST/webhook",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"X.XX.XX.XX/32",
"X.XXX.XXX.XXX/32"
]
}
}
},
{
"Effect": "Allow",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:eu-central-1:xxx:xxx/*/*/{proxy+}"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:eu-central-1:xxx:xxx/*/POST/webhook",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"X.XX.XX.XX/32",
"X.XXX.XXX.XXX/32"
]
}
}
},
{
"Effect": "Allow",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:eu-central-1:xxx:xxx/*/*/{proxy+}"
}
]
}
I saved the policy and redeployed the API accordingly.
However, it seems that the IP restriction is not only enforced on the webhook endpoint but on all the other endpoints as well?
Is there a way to only enforce the policy on the webhook endpoint while everything else remains unaffected?
The default is Deny. Therefore, access to all endpoints must be an explicit Allow. Try the following:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:eu-central-1:<account>:<APIID>/*/POST/webhook",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"XXX.XXX.XXX.XXX/32",
"XXX.XXX.XXX.XXX/32"
]
}
}
},
{
"Effect": "Allow",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:eu-central-1:<account>:<APIID>/*"
}
]
}
After redeploying the API, wait a couple of minutes before testing.
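To see why the `{proxy+}` Allow leaves every other route at the implicit deny while the answer's `/*` Allow does not, here is a small simulator of the evaluation order (explicit Deny first, then any matching Allow, otherwise implicit deny). It is an added example, not code from the question or answer; it models only the `IpAddress`/`NotIpAddress` operators used on this page, treats `*` as the sole ARN wildcard and `{proxy+}` as literal text (an assumption consistent with the answer's switch to `/*`), and uses constructed account, API and RFC 5737 documentation addresses.

```python
import ipaddress
import re

# Constructed values: RFC 5737 documentation addresses stand in for the real allow-list.
ALLOWED = ["203.0.113.10/32", "198.51.100.7/32"]
API = "arn:aws:execute-api:eu-central-1:123456789012:abc123"

def _stmt(effect, resource, cond=None):
    s = {"Effect": effect, "Principal": "*", "Action": "execute-api:Invoke", "Resource": resource}
    if cond:
        s["Condition"] = cond
    return s

# The asker's second attempt: Deny outside the allow-list, Allow on the proxy route template.
ASKER = {"Statement": [
    _stmt("Deny", API + "/*/POST/webhook", {"NotIpAddress": {"aws:SourceIp": ALLOWED}}),
    _stmt("Allow", API + "/*/*/{proxy+}")]}
# The answer's version: same Deny, but the Allow covers every stage/method/path with /*.
ANSWER = {"Statement": [
    _stmt("Deny", API + "/*/POST/webhook", {"NotIpAddress": {"aws:SourceIp": ALLOWED}}),
    _stmt("Allow", API + "/*")]}

def _arn_match(pattern, arn):
    # '*' is the only wildcard in a resource ARN; '{proxy+}' is a route template and is
    # compared as literal text (assumption, consistent with the answer's switch to /*).
    return re.fullmatch(".*".join(re.escape(p) for p in pattern.split("*")), arn) is not None

def _condition_ok(cond, source_ip):
    addr = ipaddress.ip_address(source_ip)
    for op, kv in cond.items():  # only the two operators used on this page are modelled
        hit = any(addr in ipaddress.ip_network(c) for c in kv["aws:SourceIp"])
        if (op == "IpAddress" and not hit) or (op == "NotIpAddress" and hit):
            return False
    return True

def evaluate(policy, stage, method, path, source_ip):
    """IAM logic: an explicit Deny wins, then any matching Allow, otherwise implicit deny."""
    arn = f"{API}/{stage}/{method}{path}"
    allowed = False
    for stmt in policy["Statement"]:
        if not _arn_match(stmt["Resource"], arn):
            continue
        if not _condition_ok(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit deny"
        allowed = True
    return "allow" if allowed else "implicit deny"

if __name__ == "__main__":
    for pol, name in ((ASKER, "asker"), (ANSWER, "answer")):
        print(name, "GET /users from outside:", evaluate(pol, "prod", "GET", "/users", "192.0.2.1"))
        print(name, "POST /webhook from outside:", evaluate(pol, "prod", "POST", "/webhook", "192.0.2.1"))
        print(name, "POST /webhook from allow-list:", evaluate(pol, "prod", "POST", "/webhook", "203.0.113.10"))
```

With the asker's policy every route other than a literal `/{proxy+}` path ends at the implicit deny, which is why the IP restriction appeared to apply everywhere; with the answer's policy only `POST /webhook` from outside the allow-list is refused.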