How safe is a proxy with a resource-based policy to restrict access to the backend?


So I have a service in AWS that I want to protect from unauthorized access. If I have a proxy, and only the proxy has access to call the backend service based on a resource policy, I am curious to know whether a malicious user can spoof the IP of the proxy and gain access to the backend. I.e., the malicious user claims that his machine has the IP address in the resource policy and gains access to the server. Is this possible?

1 Answer

Resource-based policies are attached to a resource. For example, you can attach resource-based policies to Amazon S3 buckets, Amazon SQS queues, VPC endpoints, and AWS Key Management Service encryption keys. With resource-based policies, you can specify who has access to the resource and what actions they can perform on it.

Resource-based policies are JSON policy documents that you attach to a resource such as an Amazon S3 bucket. These policies grant the specified principal permission to perform specific actions on that resource and define under what conditions this applies. Resource-based policies are inline policies. There are no managed resource-based policies.

[+] https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html

The aws:SourceIp key is used to compare the requester's IP address with the IP address that you specify in the policy. The aws:SourceIp condition key can only be used for public IP address ranges. The aws:SourceIp condition key can be used in a policy to allow principals to make requests only from within a specified IP range.

[+] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceip

IAM resource-based policies primarily focus on controlling access to AWS resources based on various attributes such as principal (e.g., IAM user or role), action, resource, and conditions. However, they do not have built-in mechanisms to detect spoofed IP addresses. Detecting spoofed IP addresses typically requires network-level protections such as firewalls, intrusion detection/prevention systems, or network traffic analysis tools.

AWS
Harika
answered 3 months ago
EXPERT
reviewed a month ago
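The following is an added example by the editor, not code from the original answer or from AWS. It writes out an S3 bucket policy of the kind the answer describes, restricting a proxy role with an aws:SourceIp condition, together with a small Python simulator of how IAM matches that condition against a request context. The bucket name, account ID, role ARN and IP ranges are made up, and the simulator models only Allow statements with the IpAddress operator. It evaluates four constructed requests: the proxy from its own range, a different principal from the proxy's range, the proxy role's credentials used from outside the range, and a request in which aws:SourceIp is absent, which is what happens when the request reaches the service through a VPC endpoint (AWS then supplies aws:VpcSourceIp instead).

```python
"""Added example: an S3 bucket policy restricted with aws:SourceIp and a
simplified simulator of how IAM matches that condition.  Not AWS code; bucket,
account, role ARN and IP ranges are hypothetical."""
import ipaddress
from fnmatch import fnmatchcase

# Hypothetical values (TEST-NET ranges, fake account ID).
PROXY_CIDR = "203.0.113.0/24"
BUCKET = "example-backend-bucket"
PROXY_ROLE_ARN = "arn:aws:iam::123456789012:role/proxy-role"

# Resource-based policy: the proxy role may read objects, but only when the
# request's source address falls inside PROXY_CIDR.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowProxyRoleFromItsPublicRange",
            "Effect": "Allow",
            "Principal": {"AWS": PROXY_ROLE_ARN},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"IpAddress": {"aws:SourceIp": PROXY_CIDR}},
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, context):
    """True if every IpAddress condition is satisfied by the request context.

    As in IAM, a condition whose key is absent from the context is false: a
    request arriving through a VPC endpoint carries aws:VpcSourceIp rather
    than aws:SourceIp, so a SourceIp-only condition does not match it.
    """
    for operator, pairs in condition.items():
        if operator != "IpAddress":
            raise NotImplementedError(f"operator {operator} not modeled here")
        for key, cidrs in pairs.items():
            value = context.get(key)
            if value is None:
                return False
            addr = ipaddress.ip_address(value)
            if not any(addr in ipaddress.ip_network(c) for c in _as_list(cidrs)):
                return False
    return True


def evaluate(policy, context):
    """'ALLOW' if some Allow statement matches principal, action, resource and
    conditions; otherwise 'IMPLICIT_DENY' (Deny statements are not modeled)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if context["principal"] not in _as_list(stmt["Principal"].get("AWS")):
            continue
        if context["action"] not in _as_list(stmt["Action"]):
            continue
        if not any(fnmatchcase(context["resource"], r) for r in _as_list(stmt["Resource"])):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return "ALLOW"
    return "IMPLICIT_DENY"


def make_context(principal, source_ip=None):
    """Constructed request context for a GetObject call.  source_ip=None models
    a request in which aws:SourceIp is not present at all."""
    ctx = {
        "principal": principal,
        "action": "s3:GetObject",
        "resource": f"arn:aws:s3:::{BUCKET}/reports/q1.csv",
    }
    if source_ip is not None:
        ctx["aws:SourceIp"] = source_ip
    return ctx


# Constructed scenarios; the IP addresses and the second role ARN are made up.
SCENARIOS = {
    "proxy_from_proxy_range": make_context(PROXY_ROLE_ARN, "203.0.113.10"),
    "other_principal_from_proxy_range": make_context(
        "arn:aws:iam::123456789012:role/other-role", "203.0.113.10"),
    "proxy_creds_from_elsewhere": make_context(PROXY_ROLE_ARN, "198.51.100.7"),
    "proxy_via_vpc_endpoint": make_context(PROXY_ROLE_ARN, None),
}


def run_scenarios(policy=BUCKET_POLICY):
    """Evaluate every constructed scenario against the policy."""
    return {name: evaluate(policy, ctx) for name, ctx in SCENARIOS.items()}


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:36} {decision}")
```

Only the first scenario is allowed. The last one is the caveat the answer's quoted documentation points at: aws:SourceIp only sees public addresses, so a proxy that calls the backend over a VPC endpoint needs aws:VpcSourceIp (or aws:SourceVpce) in the condition instead. On the spoofing question itself, the address IAM evaluates is the one on the TCP connection that carried the signed HTTPS request; a host forging that address never completes the TLS handshake and receives no response. What the condition does not protect against is anyone else who can legitimately send from the same range, for example other workloads sharing the proxy's NAT gateway, so it is best treated as defense in depth behind the Principal restriction rather than as the sole control.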
