API Gateway resource policy examples
This page presents a few examples of typical use cases for API Gateway resource policies.
The following example policies use a simplified syntax to specify the API resource.
This simplified syntax is an abbreviated way that you can refer to an API resource,
instead of specifying the full Amazon Resource Name (ARN). API Gateway converts the
abbreviated syntax to the full ARN when you save the policy. For example, you can
specify the resource
execute-api:/
in a resource policy. API Gateway converts the resource to
stage-name
/GET
/pets
arn:aws:execute-api:us-east-2:123456789012:aabbccddee/stage-name/GET/pets
when you save the resource policy. API Gateway builds the full ARN by using the current
Region, your AWS account ID, and the ID of the REST API that the resource
policy is associated with. You can use execute-api:/*
to represent all
stages, methods, and paths in the current API. For information about access policy
language, see Access policy
language overview for Amazon API Gateway.
Topics
Example: Allow roles in another AWS account to use an API
The following example resource policy grants API access in one AWS account to two roles in a different
AWS account via Signature Version 4 (SigV4) protocols.
Specifically, the developer and the administrator role for the AWS account identified by
are granted the account-id-2
execute-api:Invoke
action
to execute the GET
action on the pets
resource (API) in your AWS account.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::
account-id-2
:role/developer", "arn:aws:iam::account-id-2
:role/Admin" ] }, "Action": "execute-api:Invoke", "Resource": [ "execute-api:/stage
/GET/pets" ] } ] }
Example: Deny API traffic based on source IP address or range
The following example resource policy denies (blocks) incoming traffic to an API from two specified source IP address blocks.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke", "Resource": [ "execute-api:/*" ] }, { "Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke", "Resource": [ "execute-api:/*" ], "Condition" : { "IpAddress": { "aws:SourceIp": ["
192.0.2.0/24
", "198.51.100.0/24
" ] } } } ] }
Example: Deny API traffic based on source IP address or range when using a private API
The following example resource policy denies (blocks) incoming traffic to a
private API from two specified source IP address blocks. When using private APIs,
the VPC endpoint for execute-api
re-writes the original source IP
address. The aws:VpcSourceIp
condition filters the request against the
original requester IP address.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke", "Resource": [ "execute-api:/*" ] }, { "Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke", "Resource": [ "execute-api:/*" ], "Condition" : { "IpAddress": { "aws:VpcSourceIp": ["
192.0.2.0/24
", "198.51.100.0/24
"] } } } ] }
Example: Allow private API traffic based on source VPC or VPC endpoint
The following example resource policies allow incoming traffic to a private API only from a specified virtual private cloud (VPC) or VPC endpoint.
This example resource policy specifies a source VPC:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke", "Resource": [ "execute-api:/*" ] }, { "Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke", "Resource": [ "execute-api:/*" ], "Condition" : { "StringNotEquals": { "aws:SourceVpc": "
vpc-1a2b3c4d
" } } } ] }
This example resource policy specifies a source VPC endpoint:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke", "Resource": [ "execute-api:/*" ] }, { "Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke", "Resource": [ "execute-api:/*" ], "Condition" : { "StringNotEquals": { "aws:SourceVpce": "
vpce-1a2b3c4d
" } } } ] }