I need to write a WAF rule such that access to API Gateway is blocked for the users of other AWS accounts.

For now, I'm exploring the implementation of WAF, and I have managed to create a CfnWebACL with a rule statement of ipSetReferenceStatement, such that I'm creating an IP set of the allowed IPs. But that's not what I want; I want the users of other AWS accounts. Here's sample code.

// Imports added for completeness (CDK v2 module path; in CDK v1 it was '@aws-cdk/aws-wafv2')
import { CfnIPSet, CfnWebACL } from 'aws-cdk-lib/aws-wafv2';

// IP set of allowed source addresses (left empty here as a placeholder)
this.commserviceAllowedIpSet = new CfnIPSet(this, 'commservice-allowedIps', {
  name: 'allowed ips',
  ipAddressVersion: 'IPV4',
  addresses: [],
  scope: 'REGIONAL',
});

this.commserviceWebAcl = new CfnWebACL(this, 'commservice-webacl', {
  // Everything not explicitly allowed by a rule is blocked
  defaultAction: {
    block: {},
  },
  visibilityConfig: {
    cloudWatchMetricsEnabled: true,
    metricName: 'commservice-webacl',
    sampledRequestsEnabled: true,
  },
  scope: 'REGIONAL',
  rules: [
    {
      name: 'abc',
      priority: 0,
      statement: {
        ipSetReferenceStatement: {
          arn: this.commserviceAllowedIpSet.attrArn,
        },
      },
      // A rule needs an action (or overrideAction for rule-group statements);
      // without one the web ACL cannot be created. Allow matching IPs so that
      // the block default action applies to everything else.
      action: {
        allow: {},
      },
      visibilityConfig: {
        cloudWatchMetricsEnabled: true,
        metricName: 'allowed-requests',
        sampledRequestsEnabled: true,
      },
    },
  ],
});

Is there any other rule statement that I can use other than ipSetReferenceStatement? Apologies if the question is not clear.

neuro
Jawad

  • The configurable statements are listed [here](https://docs.aws.amazon.com/waf/latest/APIReference/API_Statement.html). This does not include anything related to the AWS account of the requester. – jarmod Jul 03 '21 at 00:02
  • How did it go? Is it still unclear what you can do? – Marcin Jul 05 '21 at 22:15

1 Answer

You can't do this with WAF. The proper way to do it is by using API Gateway resource policies. By writing such a policy, you can restrict access to the API only to your own account.

Marcin
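The resource policy the answer recommends, as an added TypeScript example that is not part of the question or the answer above. It builds the policy document as plain JSON (the shape you would hand to CDK's `iam.PolicyDocument.fromJson`) and includes a small evaluator for this policy shape, so you can see offline that a caller from another AWS account is turned away even after a broader Allow is added. The account IDs, the API ARN and every function name are made up for the example; the evaluator models only authenticated IAM callers and the two string condition operators used here, not full IAM evaluation.

```typescript
// Added example, not code from the question or answer above: an API Gateway
// resource policy that admits only IAM principals from one AWS account, plus a
// small evaluator for this policy shape. Account IDs, the API ARN and all
// function names are made up for illustration.

type Condition = { [operator: string]: { [key: string]: string | string[] } };

interface Statement {
  Effect: 'Allow' | 'Deny';
  Principal: '*' | { AWS: string | string[] };
  Action: 'execute-api:Invoke';
  Resource: string;
  Condition?: Condition;
}

interface PolicyDocument {
  Version: '2012-10-17';
  Statement: Statement[];
}

// Statement 1 grants invoke to the account root, which delegates the final
// decision to each caller's own IAM policy inside that account.
// Statement 2 explicitly denies any principal whose account is not ours, so a
// later, broader Allow cannot accidentally reopen the API to other accounts.
function buildSameAccountPolicy(accountId: string, resource: string): PolicyDocument {
  return {
    Version: '2012-10-17',
    Statement: [
      {
        Effect: 'Allow',
        Principal: { AWS: `arn:aws:iam::${accountId}:root` },
        Action: 'execute-api:Invoke',
        Resource: resource,
      },
      {
        Effect: 'Deny',
        Principal: '*',
        Action: 'execute-api:Invoke',
        Resource: resource,
        Condition: { StringNotEquals: { 'aws:PrincipalAccount': accountId } },
      },
    ],
  };
}

// Appends an Allow for everyone, the kind of statement that gets added "just
// for one public route"; used below to show that the explicit Deny still wins.
function withBroadAllow(policy: PolicyDocument): PolicyDocument {
  const extra: Statement = {
    Effect: 'Allow',
    Principal: '*',
    Action: 'execute-api:Invoke',
    Resource: policy.Statement[0].Resource,
  };
  return { Version: policy.Version, Statement: policy.Statement.concat([extra]) };
}

// Only a trailing '*' wildcard is supported, which is all this policy uses.
function resourceMatches(pattern: string, resource: string): boolean {
  const wildcard = pattern.charAt(pattern.length - 1) === '*';
  return wildcard ? resource.indexOf(pattern.slice(0, -1)) === 0 : pattern === resource;
}

function principalMatches(principal: Statement['Principal'], callerAccountId: string): boolean {
  if (principal === '*') return true;
  const arns = Array.isArray(principal.AWS) ? principal.AWS : [principal.AWS];
  return arns.indexOf(`arn:aws:iam::${callerAccountId}:root`) !== -1;
}

// Models StringEquals / StringNotEquals on aws:PrincipalAccount only.
function conditionHolds(condition: Condition | undefined, callerAccountId: string): boolean {
  if (!condition) return true;
  for (const operator of Object.keys(condition)) {
    const keys = condition[operator];
    for (const key of Object.keys(keys)) {
      if (key !== 'aws:PrincipalAccount') throw new Error(`condition key ${key} not modelled`);
      const expected = keys[key];
      const matches = (Array.isArray(expected) ? expected : [expected]).indexOf(callerAccountId) !== -1;
      if (operator === 'StringEquals') { if (!matches) return false; }
      else if (operator === 'StringNotEquals') { if (matches) return false; }
      else throw new Error(`condition operator ${operator} not modelled`);
    }
  }
  return true;
}

// IAM order of precedence for this policy shape: an applicable explicit Deny
// always wins; otherwise at least one applicable Allow is required.
function isInvokeAllowed(policy: PolicyDocument, callerAccountId: string, resource: string): boolean {
  let allowed = false;
  for (const s of policy.Statement) {
    if (!resourceMatches(s.Resource, resource)) continue;
    if (!principalMatches(s.Principal, callerAccountId)) continue;
    if (!conditionHolds(s.Condition, callerAccountId)) continue;
    if (s.Effect === 'Deny') return false;
    allowed = true;
  }
  return allowed;
}

// Constructed sample values for a stand-alone run.
const EXAMPLE_ACCOUNT = '111122223333';
const EXAMPLE_API = 'arn:aws:execute-api:us-east-1:111122223333:a1b2c3d4e5/*';
const EXAMPLE_METHOD = 'arn:aws:execute-api:us-east-1:111122223333:a1b2c3d4e5/prod/GET/orders';

function checkExample(): { sameAccount: boolean; otherAccount: boolean; otherAccountWithBroadAllow: boolean } {
  const policy = buildSameAccountPolicy(EXAMPLE_ACCOUNT, EXAMPLE_API);
  return {
    sameAccount: isInvokeAllowed(policy, EXAMPLE_ACCOUNT, EXAMPLE_METHOD),
    otherAccount: isInvokeAllowed(policy, '999999999999', EXAMPLE_METHOD),
    otherAccountWithBroadAllow: isInvokeAllowed(withBroadAllow(policy), '999999999999', EXAMPLE_METHOD),
  };
}

console.log(JSON.stringify(checkExample()));
```

To attach it in CDK, pass the document to the REST API: `new apigateway.RestApi(this, 'Api', { policy: iam.PolicyDocument.fromJson(buildSameAccountPolicy(this.account, 'execute-api:/*')) })`, where `execute-api:/*` is the shorthand API Gateway accepts in its own resource policy, since the API ID is not known before the API is created. Two caveats worth checking before relying on this: the account-root Allow only matches callers that the method authenticates with AWS_IAM (`AuthorizationType.IAM` in CDK), because a method with no authorizer sees an anonymous principal that this policy does not admit; and resource policies exist for REST APIs only, so an HTTP API cannot be restricted this way.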