Restrict API Gateway for IAM Users

0

Hello there,

I hope all is well with you, and I know you guys will be great at helping me with this little question -

In one of my scenarios, let's say Team A and Team B are both located in the same AWS Account. While I want Team A to have full access to API Gateway, I don't want them to be able to alter or change the APIs (Stages, Resources, and Models, among other things) that Team B created. To accomplish this, we'll use resource tags, so whichever API is created by a Team will carry that Team's resource tag, such as Team:TeamA (used by Team A) or Team:TeamB (used by Team B). The same applies to Team B; neither of them can alter the APIs of the other, but they can create new ones and view all APIs, just to avoid finger-pointing.

Additionally, I tried a few IAM policies and Resources Policies (API Gateway), but I wasn't successful in getting the desired outcome.

P.S. We don't want to use Lambda or any other similar services to stop this or anything else.

If there is a solution that can deliver the desired outcome or if there is a policy that someone has already used in their account for that kind of issue, please post your response.

Thanks Rishabh
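The tag-based (ABAC) identity policy the question describes, written out as an added example; it is not a policy posted by the asker or by any of the answers. It assumes a tag key `Team` with value `TeamA`, uses `*` for the region in the ARNs, and assumes that API Gateway's attribute-based access control evaluates child resources of a REST API (resources, methods, models, deployments) against the parent API's `Team` tag. The policy is attached to Team A's IAM users or role; Team B gets the same policy with `TeamB` substituted.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadAllApis",
      "Effect": "Allow",
      "Action": "apigateway:GET",
      "Resource": "arn:aws:apigateway:*::/*"
    },
    {
      "Sid": "CreateApisTaggedForOwnTeam",
      "Effect": "Allow",
      "Action": "apigateway:POST",
      "Resource": "arn:aws:apigateway:*::/restapis",
      "Condition": {
        "StringEquals": { "aws:RequestTag/Team": "TeamA" },
        "ForAllValues:StringEquals": { "aws:TagKeys": ["Team"] }
      }
    },
    {
      "Sid": "ModifyOnlyOwnTeamsApis",
      "Effect": "Allow",
      "Action": [
        "apigateway:POST",
        "apigateway:PUT",
        "apigateway:PATCH",
        "apigateway:DELETE"
      ],
      "Resource": "arn:aws:apigateway:*::/restapis/*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/Team": "TeamA" }
      }
    },
    {
      "Sid": "DenyChangingTeamTag",
      "Effect": "Deny",
      "Action": [
        "apigateway:PUT",
        "apigateway:DELETE"
      ],
      "Resource": "arn:aws:apigateway:*::/tags/*",
      "Condition": {
        "ForAnyValue:StringEquals": { "aws:TagKeys": ["Team"] }
      }
    }
  ]
}
```

Reading is allowed everywhere, so both teams can view all APIs. Creating a new REST API is allowed only when the request tags it `Team=TeamA` and carries no other tag keys, so every API a Team A user creates is owned by Team A from the start. Mutating actions under `/restapis/*` are allowed only when the target's `Team` tag is `TeamA`; anything tagged `TeamB` or not tagged at all falls through to the implicit deny, so existing APIs have to be tagged before anyone can edit them. The final `Deny` on the `/tags/*` path keeps a user from re-tagging an API to take ownership of it, even if another policy were to grant tagging later. Tag all existing APIs first and check the result with `aws iam simulate-principal-policy` before rolling the policy out to the teams.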

3 answers

0

profile picture AWS
Expert
answered a year ago
  • Hello Didier_AWS,

    I appreciate your response, but I'm looking for a solution for my current AWS account, not for a cross-account. We're also looking for an IAM policy because we use more than 300 APIs and more than 1000 resources, making it difficult to implement resource policies for each API's resources.

0

Could you accomplish your goals by having 2 instances of API Gateway, 1 dedicated for each team? Using custom domain names and API Gateway base path mapping the two would appear as one resource externally.

profile picture
answered a year ago
  • Hello cyrk,

    Thank you for your response. However, since we do not intend to have a separate domain for a small number of APIs, using a custom domain name will cost us money as well.

0

Hi,

An option could be to rely on AWS Organization SCPs and, based on tags and resources, deny certain actions.

In this way you have a very granular way of defining actions and their access.

On the other hand, responsibilities for the APIs seem mixed between teams, which could suggest the APIs are not entirely context-bounded and may require revisiting ownership in certain areas.

Hope it helps ;)

profile picture
Expert
answered a year ago
  • Hello alatech,

    I appreciate your response. Since we only have one account and don't use any framework like AWS Organization, we actually need a solution that is only available for our account.
