
I have set up the following resource policy in API Gateway to restrict access to a source IP (x is just a placeholder). When I manually hit the API endpoint from Postman, the policy correctly restricts access to only the CIDR range I specified in the resource policy below.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:x:x/*/*/*"
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:x:x/*/*/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "x.x.x.x/32"
                    ]
                },
                "StringNotEquals": {
                    "aws:sourceVpc": "vpc-x"
                }
            }
        }
    ]
}

However, I have a Lambda function which also calls the same HTTPS API Gateway endpoint. This function essentially just passes test data into my API at hourly intervals. But the Lambda function is unable to hit the endpoint and gets a 403 Forbidden error. I tried adding the sourceVpc to the resource policy, but this did not seem to work. I also tried adding the VPC CIDR range too, but again this did not work.

Do you know what CIDR I should add to the resource policy to allow my Lambda to call my API endpoint too?

    You likely need to go back to the drawing board. You can do this, if you add Lambda to a VPC then restrict access to the API from only that VPC... otherwise Lambda is on a public internet subnet, and you would open yourself up WAY too much to restrict all Lambda CIDRs – LostJon Feb 06 '20 at 12:42
    VPC restrictions in an API resource policy are only supported if the API is private (being accessed through a VPC endpoint). https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcevpc – Suraj Bhatia Feb 06 '20 at 15:04

1 Answer

I added to the resource policy "aws:SourceIp" the NAT gateway IP of the subnets associated with my Lambda function. This allowed my Lambda function to invoke the API Gateway successfully.

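As an added illustration (not code from the question or the answer), the small evaluator below applies IAM's condition semantics to the policy in the question and to the accepted fix, showing why a Lambda outside a VPC is denied, why the sourceVpc clause does not help for a public endpoint, and why adding the NAT gateway's Elastic IP works. The API ARN, IPs and VPC id are constructed placeholders.

```python
import ipaddress

# Constructed placeholder values; substitute your own API ARN, office IP,
# VPC id and the Elastic IP of the NAT gateway your Lambda egresses through.
API_ARN = "arn:aws:execute-api:us-east-1:123456789012:abc123/*/*/*"
OFFICE_IP = "203.0.113.10/32"
NAT_GATEWAY_EIP = "198.51.100.7/32"
VPC_ID = "vpc-0abc123"

def build_policy(allowed_cidrs, vpc_id=None):
    """Allow everyone, then explicitly Deny callers outside the CIDR list.
    vpc_id adds the StringNotEquals clause from the question; both operators in
    one Condition block are ANDed, so Deny fires only when neither one matches."""
    cond = {"NotIpAddress": {"aws:SourceIp": list(allowed_cidrs)}}
    if vpc_id:
        cond["StringNotEquals"] = {"aws:sourceVpc": vpc_id}
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke", "Resource": API_ARN},
        {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke", "Resource": API_ARN,
         "Condition": cond}]}

def _in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def condition_matches(condition, ctx):
    """IAM semantics: a negated operator is true when its key is absent from the
    request context (aws:sourceVpc is only set for calls through a VPC endpoint)."""
    for op, keys in condition.items():
        for key, values in keys.items():
            values = values if isinstance(values, list) else [values]
            actual = ctx.get(key)
            if op == "NotIpAddress" and actual is not None and _in_any(actual, values):
                return False
            if op == "StringNotEquals" and actual in values:
                return False
            if op not in ("NotIpAddress", "StringNotEquals"):
                raise ValueError(f"unsupported operator {op}")
    return True

def evaluate(policy, ctx):
    """Explicit Deny overrides Allow; no matching Allow is an implicit deny (HTTP 403)."""
    allowed = False
    for st in policy["Statement"]:
        if condition_matches(st.get("Condition", {}), ctx):
            if st["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"

# Constructed request contexts: Postman from the office, a Lambda outside any VPC
# (AWS-owned public IP), and a Lambda in a private subnet egressing via the NAT EIP.
POSTMAN = {"aws:SourceIp": "203.0.113.10"}
LAMBDA_NO_VPC = {"aws:SourceIp": "52.0.0.1"}
LAMBDA_VIA_NAT = {"aws:SourceIp": "198.51.100.7"}
ORIGINAL = build_policy([OFFICE_IP], vpc_id=VPC_ID)   # the policy from the question
FIXED = build_policy([OFFICE_IP, NAT_GATEWAY_EIP])    # the accepted answer
```

Running `evaluate(ORIGINAL, LAMBDA_VIA_NAT)` yields Deny while `evaluate(FIXED, LAMBDA_VIA_NAT)` yields Allow; the office request is allowed under both policies.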