
Is there a way to reject a request in the Integration Request for certain IPs?

Currently I have this code, which works, but the request still passes through to my Lambda function and I still return the regular result body. I'm trying to stop the request altogether before hitting the Lambda fn.

## Integration request mapping template (VTL): renders an error body when the
## caller's IP does not match, but the request still reaches the Lambda function
#if($context.identity.sourceIp != "123.45.55.43")
  {
    "errorMessage" : "Error, not authorized"
  }
#end
sorrell
  • Possible duplicate of [AWS API Gateway: limit requests from a single IP](http://stackoverflow.com/questions/38444923/aws-api-gateway-limit-requests-from-a-single-ip) – Andy Hayden May 06 '17 at 19:26
  • @AndyHayden I don't think it's a dupe. Not trying to limit but actually stop, and I think I found a workable (for me) solution below. – sorrell May 06 '17 at 20:10
  • If you use CloudFront / WAF (as in that answer) you can stop. While limiting is not precisely the same it's essentially the same (specifically the solution is the same). – Andy Hayden May 06 '17 at 20:12
  • @AndyHayden I think they are distinctly different because I couldn't apply the answer below to the question in the "possible dupe" post. The answer below provides the shortest route to stopping a request. – sorrell May 06 '17 at 20:14
  • True, but your answer happens in Lambda (after API Gateway) IIUC. :) – Andy Hayden May 06 '17 at 20:18
  • I think you're right, which is why I'm amazed the invocation count/errors didn't increase in the Lambda dashboard but they did in the Gateway... black box, who knows. :) – sorrell May 06 '17 at 20:20

1 Answer


It's not pretty, but this is what I came up with: passing a broken request when the IP doesn't match what I want. In this example, I only want requests from 123.45.55.43 to pass through, and everything else should fail - and I am not concerned about providing an appropriate response to the client. Since $broken isn't defined, we pass nothing on to the Lambda fn.

## Only the allowed IP gets a valid JSON body passed on to the integration
#if($context.identity.sourceIp == "123.45.55.43")
  {
    "source_ip": "$context.identity.sourceIp"
  }
#else
  ## $broken is never defined, so the rendered body is not valid JSON and
  ## API Gateway rejects the request before invoking the Lambda function
  $broken
#end

The API ends up with 400 errors, but the Lambda function doesn't show any new invocations/errors in its dashboard. Works for me.

sorrell
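The mapping-template trick above depends on an undefined reference producing an unparseable body. A more direct way to stop a request before it reaches the integration is an API Gateway resource policy with an `aws:SourceIp` condition, shown here as an added example that is not part of the original answer; `<REGION>`, `<ACCOUNT_ID>` and `<API_ID>` are placeholders for your own values, and the allowed address is the one from the question.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowInvokeOnlyFromListedIp",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:<REGION>:<ACCOUNT_ID>:<API_ID>/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": ["123.45.55.43/32"]
        }
      }
    }
  ]
}
```

Requests from any other address get a 403 from API Gateway itself, with no Lambda invocation; the policy has to be attached to the API and the stage redeployed before it takes effect, and, like `$context.identity.sourceIp`, `aws:SourceIp` is the address of the immediate client, so behind CloudFront or another proxy it will be the proxy's address rather than the end user's.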