Yan Cui
If you haven’t been paying close attention you might have missed the API Gateway announcement for resource policies. It later played a key role in supporting API Gateway private endpoints – a way to put your API inside a private VPC.
To configure resource policies with the Serverless framework, you need to upgrade to v1.28.0 or later. If you want to restrict access to the `GET /index.html` endpoint to the IP 217.128.123.174, you need the following.
```yaml
provider:
  name: aws
  runtime: nodejs8.10
  resourcePolicy:
    - Effect: Allow
      Principal: "*"
      Action: execute-api:Invoke
      Resource:
        - execute-api:/*/GET/index.html
      Condition:
        IpAddress:
          aws:SourceIp:
            - 217.128.123.174
```
Nice and easy!
There are a couple of things to note:

- You can implement IP blacklisting by changing `Effect` to `Deny`.
- If you change the resource policy in the API Gateway console, it won't take effect until you deploy the API. No such worries with the Serverless framework, as `sls deploy` would deploy the API for you as part of the CloudFormation update.
- You can mix IP and IAM conditions for different endpoints in the same API. But IP and IAM conditions don't work for a private API, which is not publicly accessible and is required for VPC private endpoints.
- When you access the API from EC2 or ECS, you need to whitelist the public IP of the instance, or the NAT Gateway if the instance is not associated with a public IP.
After you set up IP whitelisting on the endpoint, you will get an error like this if you attempt to access it from an IP that has not been whitelisted.
```json
{
  "Message": "User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:eu-central-1:********3770:io75qg1rvf/test/GET/index.html"
}
```