1
votes

Is there a way, or a policy, with which I can deny all users except one from invoking an API endpoint at AWS API Gateway?

Policy currently used:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::account_id:user/user-name"
            },
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:region:account_id:api_to_be_invoked/*/*"
        }
    ]
}

I applied the above policy as the API Gateway's resource policy and deployed it, but then, just to test, I tried using another admin user's access key and secret key to POST through Postman, and it still succeeded, which I do not want.

Any help?

2
Reverse the logic and use explicit DENY with NotPrincipal. An explicit deny always wins in IAM policies.
Vikyol

2 Answers

3
votes
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": [
                    "arn:aws:iam::account_id:user/user-name",
                    "arn:aws:iam::account_id:root"
                ]
            },
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:region:account_id:api_to_be_invoked/*/*"
        }
    ]
}
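The accepted answer works because an explicit Deny overrides any Allow, while the questioner's Allow-only policy adds nothing an admin does not already get from their identity policy (for same-account callers an Allow from either the identity policy or the resource policy is enough). The script below is an added example, not code from the question or the answer: it builds the deny-all-but-listed-principals resource policy (adding the account root, and for roles the assumed-role session form, as the AWS NotPrincipal documentation requires), and walks a deliberately simplified model of same-account evaluation over a few constructed caller ARNs. The account ID, region, API ID and user names are placeholders, and the evaluator ignores conditions, ARN wildcards and cross-account cases; it is not the IAM engine.

```python
import json

# Constructed placeholder identifiers, not real AWS resources.
ACCOUNT_ID = "111122223333"
REGION = "us-east-1"
API_ID = "a1b2c3d4e5"
API_RESOURCE = f"arn:aws:execute-api:{REGION}:{ACCOUNT_ID}:{API_ID}/*/*"
ALLOWED_USER = f"arn:aws:iam::{ACCOUNT_ID}:user/user-name"
ADMIN_USER = f"arn:aws:iam::{ACCOUNT_ID}:user/admin"
ROOT_ARN = f"arn:aws:iam::{ACCOUNT_ID}:root"

# The question's original approach: Allow only. It cannot restrict anyone who
# already holds execute-api:Invoke through an identity policy (e.g. an admin).
ALLOW_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ALLOWED_USER},
        "Action": "execute-api:Invoke",
        "Resource": API_RESOURCE,
    }],
}


def deny_all_but(account_id, api_resource, allowed_arns):
    """Build a resource policy that explicitly denies execute-api:Invoke to every
    principal except allowed_arns. The account root ARN is appended because the
    AWS NotPrincipal documentation requires it when users are listed; for a role
    ARN the assumed-role session form (session name wildcarded) is added too,
    since the caller arrives as a session rather than as the role itself."""
    not_principals = list(allowed_arns)
    role_prefix = f"arn:aws:iam::{account_id}:role/"
    for arn in allowed_arns:
        if arn.startswith(role_prefix):
            role_name = arn[len(role_prefix):]
            not_principals.append(
                f"arn:aws:sts::{account_id}:assumed-role/{role_name}/*")
    not_principals.append(f"arn:aws:iam::{account_id}:root")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "NotPrincipal": {"AWS": not_principals},
            "Action": "execute-api:Invoke",
            "Resource": api_resource,
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _principal_matches(stmt, caller_arn):
    # Exact ARN comparison only; a bare "*" matches every principal.
    if "Principal" in stmt:
        principal = stmt["Principal"]
        listed = _as_list(principal if isinstance(principal, str)
                          else principal.get("AWS", []))
        return "*" in listed or caller_arn in listed
    if "NotPrincipal" in stmt:
        excluded = _as_list(stmt["NotPrincipal"].get("AWS", []))
        return caller_arn not in excluded
    return False


def evaluate_same_account(resource_policy, caller_arn, identity_policy_allows):
    """Simplified model (an assumption of this example, not the IAM engine) of a
    same-account request: an explicit Deny anywhere wins; otherwise an Allow from
    either the caller's identity policy or the resource policy suffices; otherwise
    the request is implicitly denied. Resource and Condition elements are ignored."""
    resource_allows = False
    for stmt in resource_policy["Statement"]:
        if "execute-api:Invoke" not in _as_list(stmt["Action"]):
            continue
        if not _principal_matches(stmt, caller_arn):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit-deny"
        resource_allows = True
    if identity_policy_allows or resource_allows:
        return "allow"
    return "implicit-deny"


if __name__ == "__main__":
    hardened = deny_all_but(ACCOUNT_ID, API_RESOURCE, [ALLOWED_USER])
    print(json.dumps(hardened, indent=2))
    for label, policy in (("allow-only", ALLOW_ONLY_POLICY), ("deny-all-but", hardened)):
        for who in (ADMIN_USER, ALLOWED_USER):
            verdict = evaluate_same_account(policy, who, identity_policy_allows=True)
            print(f"{label:12} {who.rsplit('/', 1)[-1]:10} -> {verdict}")
```

Two practical points the model makes visible: the Deny-only resource policy grants nothing by itself, so the permitted user still needs execute-api:Invoke from their own identity policy, and the ARN match presupposes that the method's authorization type is AWS_IAM and the request is SigV4-signed, since without that there is no IAM principal to compare against. The API must be redeployed after the resource policy changes.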
0
votes

Did you try to use IAM Policies Conditions? I haven't tried it in a production environment but it should fulfil your need.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:region:account_id:api_to_be_invoked/*/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:username": "your_user_name"
                }
            }
        }
    ]
}

Please let me know if this answer helped.