Restrict access to custom endpoint API Gateway.

0

I would like to allow access to the default API Gateway endpoint only for specific IPs, is it possible? Because other IPs would access the custom domain.

asked 7 months ago, 440 views
3 Answers
1

It is possible through the use of resource policies. Here is an article on how to achieve it. Note: Resource policies are currently only supported by REST APIs. HTTP APIs currently do not support this feature.

For more complex access control mechanisms, API Gateway Lambda authorizers enable you to implement custom authorization schemes. This may be an option if resource policies do not fit your use case. Here are some blueprints in various programming languages that may help you get started.

Please let me know if this answers your question, or if I should provide clarification.

Thanks, Israel.

AWS
answered 7 months ago
AWS EXPERT reviewed 7 months ago
  • Yes, I'm focused exactly on the resource policy, but the problem is that for that I need to filter the origin endpoint, since if the default endpoint is enabled, the resource policy doesn't know if the call came through it or through the custom domain. Is there any way to put this condition in the resource policy? What would be the URL that was called?

    Just so you understand my needs, I need the same API to be accessed using the custom domain (with mTLS active), but I also need that internally (in a restricted way) I can access it without mTLS. I wouldn't want to have to create 2 identical APIs just for this purpose.
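Israel's answer mentions Lambda authorizers for cases a resource policy cannot express. The authorizer below is an added example, not code from the thread or from the AWS blueprints the answer links to; it shows one way to cover the need described in the comment without having to know which hostname the call came in on. For a REST API with mTLS on the custom domain, API Gateway populates requestContext.identity.clientCert after it has validated the client certificate against the domain's truststore, so the authorizer can allow a call that carries one and otherwise fall back to a source-IP allowlist for internal callers. The CIDR list and the sample events are constructed placeholders.

```python
"""REQUEST-type Lambda authorizer for a REST API: allow a call that arrived
over mTLS (API Gateway populates requestContext.identity.clientCert once the
certificate has validated against the domain's truststore) or that comes from
an internal source range; deny everything else.

Added example, not code from the thread or from the AWS blueprints. The CIDR
list is a placeholder and the events at the bottom are constructed by hand.
"""
import ipaddress

# Placeholder: ranges allowed to call without presenting a client certificate.
INTERNAL_CIDRS = ["10.0.0.0/8", "192.168.0.0/16"]


def _from_internal(source_ip):
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c) for c in INTERNAL_CIDRS)


def decide(event):
    """Return (effect, principal_id) for one authorizer invocation."""
    identity = event.get("requestContext", {}).get("identity", {})
    client_cert = identity.get("clientCert")
    source_ip = identity.get("sourceIp")
    if client_cert:
        # mTLS path: the TLS handshake already failed if the certificate did
        # not chain to the truststore, so presence is the signal. The subject
        # DN is carried as the principal so it shows up in access logs.
        return "Allow", "mtls:" + client_cert.get("subjectDN", "unknown")
    if source_ip and _from_internal(source_ip):
        # Internal path (e.g. a non-mTLS internal domain): gated by address.
        return "Allow", "internal:" + source_ip
    return "Deny", "anonymous"


def authorizer_response(effect, principal_id, method_arn):
    """Shape API Gateway expects back from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": method_arn,
            }],
        },
        # Exposed to mapping templates / access logs as $context.authorizer.authPath
        "context": {"authPath": principal_id.split(":", 1)[0]},
    }


def lambda_handler(event, context):
    effect, principal_id = decide(event)
    return authorizer_response(effect, principal_id, event["methodArn"])


# Constructed sample events in the REST API REQUEST-authorizer shape.
METHOD_ARN = "arn:aws:execute-api:eu-west-1:123456789012:a1b2c3d4e5/prod/GET/orders"

EVENT_MTLS = {
    "type": "REQUEST", "methodArn": METHOD_ARN,
    "headers": {"Host": "api.example.com"},
    "requestContext": {"stage": "prod", "identity": {
        "sourceIp": "203.0.113.7",
        "clientCert": {"subjectDN": "CN=partner-client",
                       "issuerDN": "CN=Partner CA", "serialNumber": "0A"},
    }},
}

EVENT_INTERNAL = {
    "type": "REQUEST", "methodArn": METHOD_ARN,
    "headers": {"Host": "internal-api.example.internal"},
    "requestContext": {"stage": "prod", "identity": {"sourceIp": "10.20.30.40"}},
}

EVENT_EXTERNAL_NO_CERT = {
    "type": "REQUEST", "methodArn": METHOD_ARN,
    "headers": {"Host": "a1b2c3d4e5.execute-api.eu-west-1.amazonaws.com"},
    "requestContext": {"stage": "prod", "identity": {"sourceIp": "198.51.100.9"}},
}

if __name__ == "__main__":
    for name, ev in [("mtls", EVENT_MTLS), ("internal", EVENT_INTERNAL),
                     ("external-no-cert", EVENT_EXTERNAL_NO_CERT)]:
        effect = lambda_handler(ev, None)["policyDocument"]["Statement"][0]["Effect"]
        print(name, effect)
```

Two caveats when wiring this up. The decision depends on the source IP and on whether a certificate was presented, so either set the authorizer's result TTL to 0 or make sure the identity source includes the values the decision depends on; a cached Allow keyed on an unrelated header would be reused for a different caller. And the authorizer only runs once a request has reached the API, so it complements rather than replaces disabling the default execute-api endpoint when the goal is that nobody can reach the mTLS stage without a certificate.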

0

Hi,

Follow this detailed guidance to restrict access to your API Gateway to certain IP addresses only: https://repost.aws/knowledge-center/api-gateway-resource-policy-access

Best

Didier

AWS EXPERT
answered 7 months ago
AWS EXPERT reviewed 7 months ago

0

Guys, I found the solution and would like to share it. I created a new custom domain and a new stage, and I linked this domain to my API and this new stage. I placed the name resolution in the private profile of my domain (it could also be in the public profile, but the private one already serves my needs), and by applying the resource policy I can filter by this stage. As only that domain is linked to this stage, I can know where the call is coming from and apply the IP policy.

Thanks for the help guys.

answered 7 months ago
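Israel's answer points at resource policies and the solution above narrows them to a dedicated stage. As an added example that is not code from the thread, the following builds such a policy, one Allow for the stage the mTLS custom domain maps to and an Allow/Deny pair for the stage that only the internal custom domain maps to, and evaluates a few requests against it locally. Region, account id, API id, stage names and CIDRs are placeholders.

```python
"""Resource policy for one REST API with two stages: a public stage that the
mTLS custom domain maps to, and an internal stage that only the internal
custom domain maps to and that is limited to internal source CIDRs.

Added example, not code from the thread. Region, account id, API id, stage
names and CIDRs are placeholders. simulate() applies the three IAM rules that
decide these statements (explicit Deny wins, then a matching Allow, otherwise
implicit Deny) so the intent can be checked before the policy is deployed.
"""
import fnmatch
import ipaddress
import json

INVOKE = "execute-api:Invoke"


def stage_arn(region, account_id, api_id, stage):
    """ARN pattern covering every method and path in one stage."""
    return f"arn:aws:execute-api:{region}:{account_id}:{api_id}/{stage}/*"


def build_resource_policy(region, account_id, api_id, public_stage,
                          internal_stage, internal_cidrs):
    public = stage_arn(region, account_id, api_id, public_stage)
    internal = stage_arn(region, account_id, api_id, internal_stage)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # Reached through the mTLS custom domain; the client-certificate
                # requirement is enforced by that domain, not by this policy.
                "Effect": "Allow", "Principal": "*",
                "Action": INVOKE, "Resource": public,
            },
            {
                # Reached through the internal (non-mTLS) custom domain.
                "Effect": "Allow", "Principal": "*",
                "Action": INVOKE, "Resource": internal,
                "Condition": {"IpAddress": {"aws:SourceIp": internal_cidrs}},
            },
            {
                # Explicit deny for any other caller of the internal stage, so
                # no other Allow (e.g. an IAM identity policy) can widen it.
                "Effect": "Deny", "Principal": "*",
                "Action": INVOKE, "Resource": internal,
                "Condition": {"NotIpAddress": {"aws:SourceIp": internal_cidrs}},
            },
        ],
    }


def _ip_in(cidrs, source_ip):
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _condition_holds(condition, source_ip):
    """Only the two operators this policy uses, both keyed on aws:SourceIp."""
    for operator, keys in condition.items():
        cidrs = keys["aws:SourceIp"]
        if operator == "IpAddress" and not _ip_in(cidrs, source_ip):
            return False
        if operator == "NotIpAddress" and _ip_in(cidrs, source_ip):
            return False
    return True


def simulate(policy, method_arn, source_ip):
    """Return 'Allow' or 'Deny' for an execute-api:Invoke on method_arn."""
    decision = "Deny"  # implicit deny until an Allow matches
    for stmt in policy["Statement"]:
        if stmt["Action"] != INVOKE:
            continue
        if not fnmatch.fnmatchcase(method_arn, stmt["Resource"]):
            continue
        if not _condition_holds(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny overrides every allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    policy = build_resource_policy("eu-west-1", "123456789012", "a1b2c3d4e5",
                                   "prod", "internal", ["10.0.0.0/8"])
    print(json.dumps(policy, indent=2))
    base = "arn:aws:execute-api:eu-west-1:123456789012:a1b2c3d4e5"
    for arn, ip in [(base + "/internal/GET/orders", "10.20.30.40"),
                    (base + "/internal/GET/orders", "203.0.113.7"),
                    (base + "/prod/GET/orders", "203.0.113.7")]:
        print(arn, ip, simulate(policy, arn, ip))
```

Three things to check before relying on this. A REST API has to be redeployed after its resource policy changes for the new policy to take effect. aws:SourceIp is the address API Gateway sees on the connection, not anything in X-Forwarded-For; for callers arriving through an interface VPC endpoint, condition on aws:VpcSourceIp or aws:SourceVpce instead. And the policy does nothing about the default execute-api hostname: unless that endpoint is disabled on the API (the disableExecuteApiEndpoint setting), both stages remain reachable on it, the internal stage protected only by the IP condition and the public stage without any mTLS at all.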
