Regarding AWS API Gateway authorization flow, here's how the process works:
- Resource Policy Evaluation: The resource policy is evaluated first, before any other authorization checks. If the request IP is not in the allowed list in your resource policy, the request will be denied at this stage and will not reach the Lambda authorizer.
- Lambda Authorizer: The Lambda authorizer is only invoked if the resource policy allows the request to proceed.
So, to directly answer your question:
If a request comes from an IP address not specified in your resource policy's allow list, it will be denied at the resource policy level. The request will not reach the Lambda authorizer.
This behavior is efficient as it prevents unnecessary Lambda invocations for requests that would be denied anyway, saving both time and potential costs.
Remember, it's generally a good practice to implement defense in depth. While the resource policy provides the first line of defense, the Lambda authorizer can provide additional, more fine-grained access control if needed.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IPRestrictedExecuteAPIGateway",
      "Effect": "Allow",
      "Principal": {
        "AWS": ""
      },
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:eu-central-1:<>acc_no: acc_no//",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "<some ip's>"
          ]
        }
      }
    }
  ]
}
I have been using this as my API Gateway resource policy and it has a Lambda authorizer enabled. When I call the API from another API it's actually hitting the Lambda authorizer. Since the policy comes under neither allow nor deny, it's hitting the Lambda auth and the API is giving
In your scenario with a public API Gateway that has both a resource policy and a Lambda authorizer, the authorization flow will follow a specific order:
- Resource Policy Evaluation: When a request comes in, API Gateway first evaluates the resource policy. This happens before the Lambda authorizer is invoked.
- Explicit Deny Check: During this initial evaluation, API Gateway checks for any explicit denies in the resource policy. If an explicit deny is found that matches the incoming request (in this case, if the IP address is not in the list of allowed IPs), the request will be denied immediately at this stage.
- Lambda Authorizer: If there is no explicit deny in the resource policy, only then will the request proceed to the Lambda authorizer.
Given your setup:
- If a request comes from an IP address that is not explicitly allowed in your resource policy, it will be denied at the resource policy level itself. The request will not reach the Lambda authorizer.
- Only requests from IP addresses that are allowed by the resource policy will proceed to the Lambda authorizer for further authentication and authorization.
This two-phase evaluation ensures that the resource policy acts as a first line of defense, filtering out requests that don't meet the basic criteria (in this case, originating from allowed IP addresses) before invoking the potentially more complex and resource-intensive Lambda authorizer.
It's important to note that this approach can help optimize your API's performance and reduce unnecessary Lambda invocations, as requests that don't meet the resource policy requirements are rejected early in the process.
Sources
How API Gateway resource policies affect authorization workflow - Amazon API Gateway
Use API Gateway Lambda authorizers - Amazon API Gateway
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IPRestrictedExecuteAPIGateway",
      "Effect": "Allow",
      "Principal": {
        "AWS": ""
      },
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:eu-central-1:<>acc_no: acc_no//",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "<some ip's>"
          ]
        }
      }
    }
  ]
}
I have been using this as my API Gateway resource policy and it has a Lambda authorizer enabled. When I call the API from another API it's actually hitting the Lambda authorizer. Since the policy comes under neither allow nor deny, it's hitting the Lambda auth and the API is giving 200.

Can anyone help here again?
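The explicit-deny check described in the answer above and the "neither allow nor deny" case from the comment, modelled as an added Python example (my own code, not from the thread or from AWS): the account id, API id and CIDRs are constructed placeholders, and the evaluator checks only the aws:SourceIp condition, assuming principal, action and resource already match.

```python
import ipaddress

# Constructed sample in the shape posted above (placeholder account id, API id, CIDR).
ALLOW_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "execute-api:Invoke",
        "Resource": "arn:aws:execute-api:eu-central-1:123456789012:abcdef1234/*/*",
        "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}},
    }],
}

def with_explicit_deny(policy, allowed_cidrs):
    """Copy of the policy plus an explicit Deny for source IPs outside allowed_cidrs."""
    deny = {
        "Effect": "Deny",
        "Principal": {"AWS": "*"},
        "Action": "execute-api:Invoke",
        "Resource": policy["Statement"][0]["Resource"],
        "Condition": {"NotIpAddress": {"aws:SourceIp": list(allowed_cidrs)}},
    }
    return {"Version": policy["Version"], "Statement": policy["Statement"] + [deny]}

def statement_matches(statement, source_ip):
    """Evaluate only aws:SourceIp; principal/action/resource are assumed to match."""
    ip = ipaddress.ip_address(source_ip)
    for operator, keys in statement.get("Condition", {}).items():
        cidrs = keys.get("aws:SourceIp", [])
        hit = any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)
        if (operator == "IpAddress" and not hit) or (operator == "NotIpAddress" and hit):
            return False  # condition fails, so this statement does not apply
    return True

def resource_policy_decision(policy, source_ip):
    """'Deny' beats 'Allow'; 'Neither' when no statement applies to the request."""
    effects = {s["Effect"] for s in policy["Statement"] if statement_matches(s, source_ip)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Neither"

def gateway_flow(policy, source_ip, authorizer_allows):
    """Explicit Deny stops the request before the authorizer; Allow or Neither reach it."""
    decision = resource_policy_decision(policy, source_ip)
    if decision == "Deny":
        return (403, "resource policy", decision)  # Lambda authorizer never invoked
    return (200 if authorizer_allows else 403, "lambda authorizer", decision)
```

With the Allow-only shape, a request from an IP outside the list lands in the Neither case and reaches the authorizer; adding the NotIpAddress Deny statement stops it at the resource policy.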