API Gateway Resource Policy Not Working - IP Address Allow List

Question

API Gateway Experts, I want to invoke an API that triggers a lambda function to create a SageMaker instance pre-signed URL. They would like to deny access to the API to only a particular user’s source IP address. I have provide the YAML used to deploy this, but it is still allowing all other IP addresses to interact with the API even with the resource policy. What am I missing?

```
  ApiGatewayRestApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      ApiKeySourceType: HEADER
      Description: An API Gateway with a Lambda Integration
      EndpointConfiguration:
        Types:
          - EDGE
      Name: lambda-sagemaker-presigned-url-api
      Policy: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Deny",
              "Principal": "*",
              "Action": "execute-api:Invoke",
              "Resource": "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:*/${APIGatewayStageName}/*/*",
              "Condition": {
                "NotIpAddress": {
                  "aws:SourceIp": "${YourIPAddress}"
                }
              }
            },
            {
              "Effect": "Allow",
              "Principal": "*",
              "Action": "execute-api:Invoke",
              "Resource": "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:*/${APIGatewayStageName}/*/*"
            }
          ]
        }
```

Chris Pollard · Answer

Hey Derek, It looks like the resource you're limiting has a Stage in it. Can you please try the policy with a `*` in place of `${APIGatewayStageName}`?

API Gateway Resource Policy Not Working - IP Address Allow List

Relevant content