How do I use a resource policy to allow certain IP addresses to access my API Gateway REST API?

Last updated: 2020-12-08

I want to allow access to my Amazon API Gateway REST API for certain IP addresses, and restrict access for everyone else. How can I do that?

Short description

Create a resource policy for your REST API that denies access to any IP address that isn't specifically allowed. The policy pairs an Allow statement for every caller with an explicit Deny statement whose NotIpAddress condition matches everyone outside your allowed list; because an explicit Deny always overrides an Allow, only callers from the specified IP addresses (allowed users) can invoke the REST API. Calls from any other IP address are denied and get an HTTP 403 Forbidden error.


Note: For the following instructions, use your existing API Gateway REST API, or create an example REST API for testing. If you use the example API (PetStore) for this setup, skip to Create and attach a resource policy.

Set up an API method

  1. Open the API Gateway console, and then choose your REST API.
  2. In the Resources pane, choose Actions, Create Method.
  3. In the dropdown list under the / resource node, choose ANY, and then choose the check mark icon.
  4. On the / - ANY - Setup pane, for Integration type, choose Mock, and then choose Save.

Note: A mock integration responds to any request that reaches it, which helps later with testing.

Create and attach a resource policy

  1. In the left navigation pane of the API Gateway console, choose Resource Policy.
  2. Copy the following example resource policy and paste it into the Resource Policy text box.

Example resource policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "execute-api:/*/*/*"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "execute-api:/*/*/*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": ["sourceIpOrCIDRBlock", "sourceIpOrCIDRBlock"]
        }
      }
    }
  ]
}

Note: To block access for certain IP addresses and allow access for everyone else, see the resource policy in Example: Deny API traffic based on source IP address or range.

  3. For aws:SourceIp, replace sourceIpOrCIDRBlock with the specific IP addresses that you want to allow. You can also specify a range of IP addresses using CIDR notation. For example:

["", "", ""]

Note: aws:SourceIp works only for public IP address ranges, and it is evaluated against the public address the request arrives from, so clients behind the same NAT gateway or proxy all share one source address. To allow access to private IP ranges, use aws:VpcSourceIp. This condition is valid only for private APIs. For more information, see aws:VpcSourceIp.

  4. Choose Save.
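To see why the allow-then-deny pattern works before pasting a policy into the console, the following added example (not part of the original article or of any AWS tooling) generates the policy from a list of CIDR blocks, also builds the inverse deny-list variant, and evaluates a candidate source IP against it with a simplified model of IAM evaluation: an explicit Deny beats any Allow, and with no matching Allow the default is deny. The CIDR blocks and IP addresses are constructed documentation ranges, and only the IpAddress and NotIpAddress operators on aws:SourceIp are modelled.

```python
"""Build and locally evaluate an API Gateway source-IP resource policy.

Added example, not code from the original article. The policy shape follows the
article's Allow-everyone plus Deny-NotIpAddress pattern; the evaluator is a
simplified model of IAM evaluation (explicit Deny wins, default deny) that
understands only IpAddress / NotIpAddress conditions on aws:SourceIp.
"""
import ipaddress
import json

INVOKE = "execute-api:Invoke"
ALL_METHODS = "execute-api:/*/*/*"   # every stage, method and path of this API


def _validate(cidrs):
    # Fail early on typos; a bad CIDR would otherwise be rejected at Save time.
    for cidr in cidrs:
        ipaddress.ip_network(cidr, strict=False)
    return list(cidrs)


def build_allowlist_policy(allowed_cidrs):
    """Allow every caller, then explicitly deny anyone outside allowed_cidrs."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*",
             "Action": INVOKE, "Resource": ALL_METHODS},
            {"Effect": "Deny", "Principal": "*",
             "Action": INVOKE, "Resource": ALL_METHODS,
             "Condition": {"NotIpAddress": {"aws:SourceIp": _validate(allowed_cidrs)}}},
        ],
    }


def build_denylist_policy(denied_cidrs):
    """Inverse variant: allow everyone except callers inside denied_cidrs."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*",
             "Action": INVOKE, "Resource": ALL_METHODS},
            {"Effect": "Deny", "Principal": "*",
             "Action": INVOKE, "Resource": ALL_METHODS,
             "Condition": {"IpAddress": {"aws:SourceIp": _validate(denied_cidrs)}}},
        ],
    }


def _condition_matches(condition, source_ip):
    """True when every operator in the Condition block holds for source_ip."""
    ip = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        ranges = keys.get("aws:SourceIp", [])
        # An IPv4 address is never inside an IPv6 network and vice versa.
        in_range = any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)
        if operator == "IpAddress" and not in_range:
            return False
        if operator == "NotIpAddress" and in_range:
            return False
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"unsupported condition operator: {operator}")
    return True


def is_invoke_allowed(policy, source_ip):
    """Simplified IAM evaluation: explicit Deny wins, otherwise an Allow is needed."""
    allowed = False
    for stmt in policy["Statement"]:
        if stmt["Action"] != INVOKE:
            continue
        if not _condition_matches(stmt.get("Condition", {}), source_ip):
            continue                      # condition false: statement does not apply
        if stmt["Effect"] == "Deny":
            return False                  # explicit Deny overrides any Allow
        allowed = True
    return allowed


def policy_json(policy):
    """Pretty-printed JSON ready to paste into the console's Resource Policy box."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Constructed sample ranges (RFC 5737 documentation addresses), not real clients.
    policy = build_allowlist_policy(["203.0.113.0/24", "198.51.100.7/32"])
    print(policy_json(policy))
    for ip in ("203.0.113.42", "198.51.100.7", "198.51.100.8", "192.0.2.1"):
        print(ip, "->", "200 OK" if is_invoke_allowed(policy, ip) else "403 Forbidden")
```

The evaluator illustrates two points that matter when you edit the policy by hand: drop the Allow statement and nobody can invoke the API (default deny), and a NotIpAddress list that accidentally covers the whole internet (for example 0.0.0.0/0) turns the Deny into a no-op.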

Deploy your API

  1. In the Resources pane of the API Gateway console, choose Actions, Deploy API.
  2. For Deployment stage, choose [New Stage].
  3. For Stage name, enter a name. For example, v1 or demo.
  4. Choose Deploy.

Note: If you change the resource policy after this, be sure to redeploy your API.

Test the resource policy

  1. In the Stages pane of the API Gateway console, copy the Invoke URL.
  2. From both an environment with an allowed IP address and an environment without an allowed IP address, send a request to the invoke URL and compare the HTTP status codes. Use curl from a command line interface, or use the Postman app. For more information about curl, see the curl project website.

Note: If you don't already have access to multiple environments for testing, you can set up Amazon Elastic Compute Cloud (Amazon EC2) instances. Be sure to specify the public IP address of any instance that you want to allow access for in your API's resource policy. Then, redeploy the API.

To use curl, run one of these commands, replacing https://yourInvokeUrl/ with your REST API's invoke URL:

In a Linux/Unix/macOS environment:

curl -IX GET https://yourInvokeUrl/

In Windows PowerShell (where curl is an alias for Invoke-WebRequest):

curl https://yourInvokeUrl/

The allowed environment receives an HTTP 200 response. The denied environment receives an HTTP 403 Forbidden error whose body states that the anonymous user is not authorized to perform execute-api:Invoke on the API's resource ARN. If both environments get 403, check that you redeployed the stage after saving the policy; if both get 200, check that the Deny statement's NotIpAddress list doesn't cover the denied environment's public IP.