
We have a NodeJS lambda project in CodeStar. We have gotten it to work, and we have secured the API with an API key.

Is it possible to add a Resource Policy for the API in the CloudFormation template? So we don't have to add a Resource Policy in the web console every time we create a new project/API.

We have tried but haven't gotten it to work, and we can't find any documentation.

Thanks!

BunnyRabbit
  • I'm not sure what you mean by API. The lambda project is an API? Are you using API Gateway? Do you want to protect a secret key? For me, it is not clear what you want to add to Resource Policy. – tyron Oct 22 '18 at 21:04
  • Sorry @tyron, I was a bit unclear. The CodeStar project indeed uses API Gateway. We have secured the API somewhat by adding an API key, but we want to secure it even more by IP whitelisting the Dev stage (office IP) and whitelisting our VPC for the Stage and Prod stages so other servers can call the API. The API is hooked up to a lambda function. – BunnyRabbit Oct 23 '18 at 07:45
  • We haven't gotten the Resource Policy to work, I put it in a separate question: https://stackoverflow.com/questions/52933477/how-can-i-make-an-ip-vpc-whitelist-for-an-api-in-api-gateway – BunnyRabbit Oct 23 '18 at 07:46

2 Answers

0

Doc is here https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-restapi.html

and it should look something like this

Type: AWS::ApiGateway::RestApi
Properties:
  ApiKeySourceType: String
  BinaryMediaTypes:
    - String
  Body: JSON object
  BodyS3Location: S3Location
  CloneFrom: String
  Description: String
  EndpointConfiguration: EndpointConfiguration
  FailOnWarnings: Boolean
  MinimumCompressionSize: Integer
  Name: String
  Parameters:
    String: String
  Policy: JSON object

Darren.L
0

A complete example for a private API Gateway with resource policy included (in this case only access from a previously defined VPC endpoint is allowed) can be found below.

InterfaceEndpoint:
  Type: 'AWS::EC2::VPCEndpoint'
  Properties:
    VpcEndpointType: Interface
    ServiceName: !Sub 'com.amazonaws.${AWS::Region}.execute-api'
    PrivateDnsEnabled: true
    VpcId: !Ref VPC
    SubnetIds: 
      - !Ref PrivateSubnet1
      - !Ref PrivateSubnet2
    SecurityGroupIds:
      - !Ref InterfaceSecurityGroup

privateApiGateway:
  Type: AWS::ApiGateway::RestApi
  Properties:
    Description: Private API Gateway
    EndpointConfiguration:
      Types:
        - PRIVATE
      VpcEndpointIds:
        - !Ref InterfaceEndpoint
    Name: privateApi
    Policy:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal: "*"
          Action: execute-api:Invoke
          Resource:
            - execute-api:/*
        - Effect: Deny
          Principal: "*"
          Action: execute-api:Invoke
          Resource:
            - execute-api:/*
          Condition:
            StringNotEquals:
              aws:SourceVpce: !Ref InterfaceEndpoint
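The answer above restricts the whole API to one VPC endpoint. The question's comments ask for something slightly different: an office IP range for the Dev stage and a VPC for the Stage/Prod stages. The template below is an added example, not code from the question or either answer, that applies the same Allow-everything-then-Deny-unless pattern per stage inside the `Policy` property. `OfficeCidr`, `CallerVpcId`, the API name and the `203.0.113.0/24` default are assumed placeholder values.

```yaml
# Added example (not from the question or either answer): one REST API whose
# resource policy limits the Dev stage to an office CIDR and the Stage/Prod
# stages to a VPC. Parameter and resource names are assumed placeholders.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  OfficeCidr:
    Type: String
    Default: 203.0.113.0/24      # assumed placeholder (documentation range)
  CallerVpcId:
    Type: AWS::EC2::VPC::Id      # the VPC whose servers may call Stage/Prod

Resources:
  RestApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: example-api          # assumed name
      EndpointConfiguration:
        Types:
          - REGIONAL
      Policy:
        Version: '2012-10-17'
        Statement:
          # Base grant for every stage; the Deny statements below carve out
          # everything that does not come from the expected source.
          - Effect: Allow
            Principal: '*'
            Action: execute-api:Invoke
            Resource:
              - execute-api:/*
          # Dev stage: explicit deny for any source IP outside the office range.
          # An explicit Deny always wins over the Allow above.
          - Effect: Deny
            Principal: '*'
            Action: execute-api:Invoke
            Resource:
              - execute-api:/Dev/*
            Condition:
              NotIpAddress:
                aws:SourceIp: !Ref OfficeCidr
          # Stage and Prod: explicit deny for any caller not inside the named VPC.
          - Effect: Deny
            Principal: '*'
            Action: execute-api:Invoke
            Resource:
              - execute-api:/Stage/*
              - execute-api:/Prod/*
            Condition:
              StringNotEquals:
                aws:SourceVpc: !Ref CallerVpcId
```

Two points worth checking before relying on this. First, the short `execute-api:/stage/method/path` resource form is used instead of a full ARN because the policy cannot reference the API's own ID from inside the same resource without creating a circular reference. Second, the `aws:SourceVpc` and `aws:SourceVpce` condition keys are only populated when the request reaches API Gateway through an `execute-api` VPC interface endpoint, which is why the answer above creates `InterfaceEndpoint` first; a call that leaves the VPC through a NAT gateway arrives with the NAT's public address and matches only `aws:SourceIp`. Changes to a resource policy also only take effect for a stage after the API is deployed again, so a template change that edits `Policy` without triggering a new `AWS::ApiGateway::Deployment` can look like it did nothing.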