4
votes

My infrastructure looks like this:

  1. Two EC2 machines (no public IP). Each EC2 machine is in a separate subnet.
  2. AWS API Gateway with 4 APIs. The EC2 machines will access AWS API Gateway to consume the REST APIs.

Test:

I am trying to control access to the API Gateway using a resource access policy based on IP addresses. I wanted only the two EC2 machines to access the API Gateway, and my resource policy is below. I am using the IP/CIDR of the subnets in the resource policy.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": "exact resource name",
                "Condition": {
                    "IpAddress": {
                        "aws:SourceIp": [
                            "subnet address 1/CIDR",
                            "subnet address 2/CIDR"
                        ]
                    }
                }
            }
        ]
    }

The above policy is not working and is blocking all REST calls. Please help me resolve the issue.


1 Answers

1
votes

API Gateway is not inside your VPC. It can't see your traffic as coming from your VPC CIDR blocks. You need to provide the IP addresses of the NAT Gateways your instances are using to access the Internet, in the policy.
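To make the answer concrete, here is an added example (not code from the question or the answer) that evaluates an `aws:SourceIp` condition the way the policy above uses it, using constructed subnet CIDRs, NAT gateway Elastic IPs and a placeholder API ARN. It shows that the private subnet ranges never contain the public address API Gateway actually sees, and builds the corrected policy with /32 entries for the NAT gateway IPs.

```python
import ipaddress
import json

# Constructed sample values, not from the original post.
SUBNET_CIDRS = ["10.0.1.0/24", "10.0.2.0/24"]          # the two private subnets
NAT_GATEWAY_EIPS = ["203.0.113.10", "203.0.113.11"]    # NAT gateway Elastic IPs
RESOURCE_ARN = "arn:aws:execute-api:REGION:ACCOUNT_ID:API_ID/*/*/*"  # placeholder


def build_policy(source_ips):
    """Resource policy allowing execute-api:Invoke only from the given CIDRs."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": RESOURCE_ARN,
            "Condition": {"IpAddress": {"aws:SourceIp": list(source_ips)}},
        }],
    }


def source_ip_allowed(policy, source_ip):
    """Allow only if some Allow statement's aws:SourceIp CIDR contains the IP;
    anything not matched by an Allow is implicitly denied."""
    ip = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        ranges = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", [])
        if isinstance(ranges, str):
            ranges = [ranges]
        if any(ip in ipaddress.ip_network(r, strict=False) for r in ranges):
            return True
    return False


def demo():
    """API Gateway evaluates the NAT gateway's public IP, which no private
    subnet CIDR contains, so the original policy denies every call."""
    seen_by_api_gw = NAT_GATEWAY_EIPS[0]
    subnet_policy = build_policy(SUBNET_CIDRS)
    nat_policy = build_policy(f"{e}/32" for e in NAT_GATEWAY_EIPS)
    return {
        "subnet_cidr_policy_allows": source_ip_allowed(subnet_policy, seen_by_api_gw),
        "nat_eip_policy_allows": source_ip_allowed(nat_policy, seen_by_api_gw),
        "other_public_ip_allowed": source_ip_allowed(nat_policy, "198.51.100.7"),
    }


if __name__ == "__main__":
    print(json.dumps(build_policy(f"{e}/32" for e in NAT_GATEWAY_EIPS), indent=2))
    print(demo())
```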