Restrict API Gateway for IAM Users

0

Hello there,

I hope all is well with you, and I know you guys will be great at helping me with this little question -

In one of my scenarios, let's say Team A and Team B are both located in the same AWS account. I want Team A to have full access to API Gateway, but I don't want them to be able to alter or change the APIs (Stages, Resources, and Models, among other things) that Team B created. To accomplish this, we'll use resource tags, so whichever API a team creates will carry a resource tag such as Team:TeamA (used by Team A) or Team:TeamB (used by Team B). The same applies to Team B; neither of them can alter the other's APIs, but they can create new ones and view all APIs, just to avoid finger-pointing.

Additionally, I tried a few IAM policies and resource policies (API Gateway), but I wasn't successful in getting the desired outcome.

P.S. We don't want to use Lambda or any other similar services to stop this or anything else.

If there is a solution that can deliver the desired outcome or if there is a policy that someone has already used in their account for that kind of issue, please post your response.

Thanks, Rishabh
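One way to express the tag-based rule described in the question, as an added example and not a policy posted in this thread: an identity policy attached to each team's IAM users (or their group). It assumes every user carries a principal tag Team=TeamA or Team=TeamB, and assumes, per AWS's tag-based access control for API Gateway, that child resources such as Resources and Models are authorized against the parent REST API's tags.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ViewAndCreateAnyApi",
      "Effect": "Allow",
      "Action": "apigateway:*",
      "Resource": "*"
    },
    {
      "Sid": "DenyWritesToApisTaggedForAnotherTeam",
      "Effect": "Deny",
      "Action": ["apigateway:POST", "apigateway:PUT", "apigateway:PATCH", "apigateway:DELETE"],
      "Resource": "*",
      "Condition": {
        "Null": { "aws:ResourceTag/Team": "false" },
        "StringNotEquals": { "aws:ResourceTag/Team": "${aws:PrincipalTag/Team}" }
      }
    },
    {
      "Sid": "DenyCreatingApiWithoutOwnTeamTag",
      "Effect": "Deny",
      "Action": "apigateway:POST",
      "Resource": "arn:aws:apigateway:*::/restapis",
      "Condition": {
        "StringNotEquals": { "aws:RequestTag/Team": "${aws:PrincipalTag/Team}" }
      }
    },
    {
      "Sid": "DenyMovingTeamTagToAnotherTeam",
      "Effect": "Deny",
      "Action": ["apigateway:TagResource", "apigateway:UntagResource"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": { "aws:TagKeys": "Team" },
        "StringNotEquals": { "aws:RequestTag/Team": "${aws:PrincipalTag/Team}" }
      }
    }
  ]
}
```

The Null check leaves APIs with no Team tag editable by both teams, and a user with no Team principal tag makes the policy variable unresolvable so the deny statements never match for them; keep every API and every user tagged.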

3 Answers
0
EXPERT
answered a year ago
  • Hello Didier_AWS,

    I appreciate your response, but I'm looking for a solution for my current AWS account, not for a cross-account. We're also looking for an IAM policy because we use more than 300 APIs and more than 1000 resources, making it difficult to implement resource policies for each API's resources.

0

Could you accomplish your goals by having 2 instances of API Gateway, 1 dedicated for each team? Using custom domain names and API Gateway base path mapping the two would appear as one resource externally.

answered a year ago
  • Hello cyrk,

    Thank you for your response. However, since we do not intend to have a separate domain for a small number of APIs, using a custom domain name will cost us money as well.

0

Hi,

An option could be to rely on AWS Organizations SCPs and, based on tags and resources, deny certain actions.

In this way you have a very granular way of defining actions and their access.

On the other hand, responsibilities for the APIs seem mixed between teams, which could suggest the APIs are not entirely context-bounded and may require revisiting ownership in certain areas.

Hope it helps ;)

EXPERT
answered a year ago
  • Hello alatech,

    I appreciate your response. Since we only have one account and don't use any framework like AWS Organizations, we actually need a solution that is only available for our account.
