How do I use a resource policy to whitelist certain IP addresses to access my API Gateway API?

Last updated: 2019-07-18

I want to whitelist access to my Amazon API Gateway API for certain IP addresses, and restrict access for everyone else. How do I do that?

Short Description

Create a resource policy for your API that denies access to any IP address that isn't specifically allowed. Users who call the API from specified IP addresses (allowed users) can access the API. Calls from any other IP address are denied access and get an HTTP 403 Forbidden error.

Resolution

For these instructions, use your existing API Gateway API, or create an example API for testing. If you use the example API (PetStore) for this setup, skip to Create and attach a resource policy below.

Set up an API method

1.    In the API Gateway console, choose your API.

2.    In the Resources pane, choose Actions, and then choose Create Method.

3.    In the dropdown list under the / resource node, choose ANY, and then choose the check mark icon.

4.    On the / - ANY - Setup pane, for Integration type, choose Mock, and then choose Save.

Note: A mock integration responds to any request that reaches it, which helps later with testing.

Create and attach a resource policy

1.    In the left navigation pane of the API Gateway console, choose Resource Policy.

2.    Copy this example resource policy and paste it into the Resource Policy text box.

{
  "Version": "2012-10-17",
  "Statement": [{
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "execute-api:/*/*/*"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "execute-api:/*/*/*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": ["sourceIpOrCIDRBlock", "sourceIpOrCIDRBlock"]
        }
      }
    }
  ]
}

Note: If instead you want to block access for certain IP addresses, and allow access for everyone else, see the resource policy in Example: Deny API traffic based on source IP address or range.

3.    For aws:SourceIp, replace sourceIpOrCIDRBlock with the specific IP addresses that you want to allow. You can also specify a range of IP addresses using CIDR notation. For example:

["10.0.0.0/8", "192.168.0.0/16", "172.16.0.1/32"]

4.    Choose Save.
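As an added illustration (not part of this article and not an AWS tool), the following Python script builds the resource policy shown above from a list of CIDR blocks, validates each entry with the standard ipaddress module, and simulates how the Allow plus Deny/NotIpAddress pair decides a caller's source IP. The function names and the /0 check are assumptions about a sensible pre-deployment check, not something the article prescribes.

```python
import ipaddress
import json

ALLOWED_CIDRS = ["10.0.0.0/8", "192.168.0.0/16", "172.16.0.1/32"]  # the article's sample list

def build_allowlist_policy(allowed_cidrs):
    """Return the article's Allow + Deny/NotIpAddress resource policy as a dict.
    strict=True rejects entries with host bits set (e.g. "10.0.0.1/8"); a /0
    entry is rejected because the Deny would then never match and every
    caller would be allowed."""
    for cidr in allowed_cidrs:
        if ipaddress.ip_network(cidr, strict=True).prefixlen == 0:
            raise ValueError(f"{cidr} would allow every source address")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*",
             "Action": "execute-api:Invoke", "Resource": "execute-api:/*/*/*"},
            {"Effect": "Deny", "Principal": "*",
             "Action": "execute-api:Invoke", "Resource": "execute-api:/*/*/*",
             "Condition": {"NotIpAddress": {"aws:SourceIp": list(allowed_cidrs)}}},
        ],
    }

def evaluate_source_ip(policy, source_ip):
    """Simulate the decision for a call from source_ip: "Allow" or "Deny".
    Simplified IAM logic: a Deny whose condition holds beats any Allow, and a
    statement whose NotIpAddress condition fails (the address is inside one of
    the listed ranges) simply does not apply."""
    ip = ipaddress.ip_address(source_ip)
    decision = "Deny"  # implicit deny unless some Allow applies
    for stmt in policy["Statement"]:
        ranges = stmt.get("Condition", {}).get("NotIpAddress", {}).get("aws:SourceIp", [])
        # "ip in network" is False for mismatched IP versions, so an IPv6 caller
        # is "not in" an IPv4-only allow list and hits the Deny statement.
        if ranges and any(ip in ipaddress.ip_network(r) for r in ranges):
            continue  # condition not met, statement does not apply
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny ends evaluation
        decision = "Allow"
    return decision

if __name__ == "__main__":
    policy = build_allowlist_policy(ALLOWED_CIDRS)
    print(json.dumps(policy, indent=2))
    for caller in ["10.1.2.3", "172.16.0.1", "172.16.0.2", "203.0.113.7"]:
        print(caller, "->", evaluate_source_ip(policy, caller))
```

Running the script prints the policy document ready to paste into the Resource Policy text box, followed by the expected Allow/Deny outcome for each sample caller.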

Deploy your API

1.    In the Resources pane of the API Gateway console, choose Actions, and then choose Deploy API.

2.    In Deploy API, for Deployment stage, choose [New Stage].

3.    For Stage name, enter a name. For example, v1 or demo.

4.    Choose Deploy.

Note: If you change the resource policy after this, make sure to redeploy your API.

Test the resource policy

1.    In the Stages pane of the API Gateway console, in the stage editor pane, copy the Invoke URL.

2.    From both an environment with an allowed IP address and an environment without an allowed IP address, test for an HTTP 200 response. Use curl from a command line interface, or use the Postman app. For more information about curl, see the cURL project website.

Note: If you don't already have access to multiple environments for testing, you can set up Amazon Elastic Compute Cloud (Amazon EC2) instances. Be sure to specify the IP address of any instance that you want to allow access for in your API's resource policy. Then, redeploy the API.

To use curl, run one of these commands, replacing https://yourInvokeUrl/ with your API's invoke URL:

In a Linux/Unix/macOS environment:

curl -IX GET https://yourInvokeUrl/

In Windows PowerShell:

curl https://yourInvokeUrl/

The allowed environment receives an HTTP 200 response, and the denied environment receives an HTTP 403 Forbidden error.