How can I deny public access to an AWS API gateway?

1
votes

Similar to this question, I would like to deny public access to an AWS API Gateway and only allow access when the API is invoked via a specific user account. I have applied the following resource policy to the gateway:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": [
                    "arn:aws:iam::123456789012:root",
                    "arn:aws:iam::123456789012:user/apitestuser"
                ]
            },
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:123456789012:abcd123456/*"
        }
    ]
}

But when I run

curl -X GET https://abcd123456.execute-api.us-east-1.amazonaws.com/dev/products

I still receive a success response with data:

[{"id":1,"name":"Product 1"},{"id":2,"name":"Product 2"}]

I am expecting to receive a 4XX response instead.

How can I change the policy to deny public access to the gateway? Or, is it not possible to deny public access without using a VPC? Ideally I wish to avoid using a VPC as using a NAT gateway in multiple regions will be costly. I also want to avoid building in any authentication mechanism as authentication and authorization take place in other API gateways which proxy to this gateway.

1
amazon-web-servicesaws-api-gatewayamazon-iam
Did you re-deploy the stage? Also it takes maybe 1 minute to policy to take effect.Marcin
Oh! Redeploying did the trick. Thanks! If you want to create an answer I will mark that as the answer to give you credit.Chad Johnson
Thank you. Answer added.Marcin

1 Answers

1
votes

Based on the comments.

The issue was that the stage was not re-deployed after adding/changing the policy.

So the solution was to re-deploy the stage for the policy to take effect.