1 vote

We have a Lambda function on AWS which is exposed via API Gateway. On that API, we have a resource policy to restrict traffic so only IP addresses in our firm can access the endpoint. For this, we use the standard IP range blacklist template as provided by AWS on the API Gateway resource policy page and modify it to use NotIpAddress instead of IpAddress, for example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "execute-api:/stage/*/getInfo",
            "Condition" : {
                "NotIpAddress": {
                    "aws:SourceIp": [ "192.188.1.1", "192.168.1.2" ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "execute-api:/stage/*/getInfo"
        }
    ]
}

We now have a requirement to develop another Lambda which makes an HTTP call to this API Gateway to gather some information before performing more logic. We want to use this existing Lambda as it performs some complex logic. However, when we try to do an HTTP GET in the new Lambda to the API Gateway of the existing Lambda to get the required information, it is denied as per the deny rule in the resource policy.

Is it possible to have an IP address restriction and allow invocations from all Lambdas in our AWS account?

1 Answer

2 votes

If the Lambda is based within your VPC in a private subnet, its IP address(es) can be bound to the NAT Gateway/NAT instance.
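To make the answer concrete, here is an added example (not part of the original question or answer, and not AWS code) that models how API Gateway evaluates the Deny/NotIpAddress policy from the question against a caller's aws:SourceIp, and shows why the approach above works: once the calling Lambda sits in a private subnet behind a NAT Gateway, its egress address is a single Elastic IP that can be added to the allowed list. The Elastic IP used here (203.0.113.10) is a constructed placeholder, and the evaluator is a simplification of IAM (exact action/resource string match, explicit Deny beats Allow, default deny).

```python
import ipaddress

# Addresses from the question's policy (kept as posted).
FIRM_IPS = ["192.188.1.1", "192.168.1.2"]

# Constructed placeholder for the Elastic IP attached to the NAT Gateway that
# the VPC-attached Lambda egresses through. Without a VPC/NAT, a Lambda's
# source IP comes from AWS's shared public pool and cannot be allowlisted.
NAT_GATEWAY_EIP = "203.0.113.10"

ACTION = "execute-api:Invoke"
RESOURCE = "execute-api:/stage/*/getInfo"


def build_policy(allowed_ips):
    """Return the question's resource policy with the given allowlist.

    Deny everything whose source IP is NOT in the list, then Allow the rest.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": ACTION,
                "Resource": RESOURCE,
                "Condition": {"NotIpAddress": {"aws:SourceIp": list(allowed_ips)}},
            },
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": ACTION,
                "Resource": RESOURCE,
            },
        ],
    }


def _ip_in_list(source_ip, entries):
    """aws:SourceIp entries may be CIDRs; a bare address is treated as /32."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


def evaluate(policy, source_ip, action=ACTION, resource=RESOURCE):
    """Simplified IAM-style evaluation for the IP conditions used on the page.

    Any matching explicit Deny wins immediately; otherwise a matching Allow
    grants access; with no match the result is an implicit deny.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if stmt["Action"] != action or stmt["Resource"] != resource:
            continue
        cond = stmt.get("Condition", {})
        matched = True
        if "IpAddress" in cond:
            matched = _ip_in_list(source_ip, cond["IpAddress"]["aws:SourceIp"])
        if "NotIpAddress" in cond:
            matched = matched and not _ip_in_list(
                source_ip, cond["NotIpAddress"]["aws:SourceIp"]
            )
        if not matched:
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    original = build_policy(FIRM_IPS)
    print("firm IP, original policy:", evaluate(original, "192.168.1.2"))
    print("NAT EIP, original policy:", evaluate(original, NAT_GATEWAY_EIP))
    # The fix implied by the answer: allowlist the NAT Gateway's Elastic IP.
    fixed = build_policy(FIRM_IPS + [NAT_GATEWAY_EIP + "/32"])
    print("NAT EIP, fixed policy:   ", evaluate(fixed, NAT_GATEWAY_EIP))
```

Running it shows the calling Lambda is denied under the original policy and allowed once the NAT Gateway's address is part of the allowlist, while any other address still hits the explicit Deny. The check worth doing after deploying is to confirm the NAT Gateway keeps a fixed Elastic IP; if the Lambda is moved out of the VPC or the NAT Gateway is replaced, the allowlist entry silently stops matching.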