2

I have configured an API Gateway endpoint in AWS, and am trying to secure it using its access policy.

I am aware that it's possible to limit the access of the endpoint to specific IP addresses, but is it also possible to restrict access based on the host that is calling the API? AWS has docs on examples of these access policies, as shown below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": [
                "arn:aws:execute-api:region:account-id:api-id/*"
            ]
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": [
               "arn:aws:execute-api:region:account-id:api-id/*"
            ],
            "Condition" : {
                "IpAddress": {
                    "aws:SourceIp": ["192.0.2.0/24", "198.51.100.0/24" ]
                }
            }
        }
    ]
}

For example, I have an application www.example.com. I want to add something in the access policy to only allow www.example.com to successfully submit a request to the API.

Draken
  • 3,134
  • 13
  • 34
  • 54
himi64
  • 1,069
  • 3
  • 12
  • 23
  • Are you talking about the API requests coming from the server that www.example.com is hosted on? Or is this a JavaScript webapp running in visitor's web browsers where the API requests would actually be coming from each end-users computer, not the www.example.com server? – Mark B Sep 18 '18 at 13:27
  • The request would actually be coming from a JS webapp. The webapp is running on www.example.com. Hope this clarifies things. – himi64 Sep 18 '18 at 13:32
  • A javascript webapp doesn't "run on www.example.com" it loads from www.example.com and runs in the web browser on each user's computer. Thus, the IP and/or hostname would not be something you would be able to whitelist since it would be the ip/hostname of every potential user's personal computer. – Mark B Sep 18 '18 at 13:34
  • I understand, that makes sense. For my understanding, what if the requests were coming directly from the server that www.example.com were running on? Would I be correct in assuming the IP that the server is running on can be used to secure the API? – himi64 Sep 18 '18 at 13:53
  • 1
    Yes if the requests were coming from the server, then obviously you could just white-list that server's IP. However if you are using API Gateway to provide an API for a web app to make AJAX style calls from the browser, then this sort of security method won't work at all and you should look into using API keys or JWT tokens or something instead. – Mark B Sep 18 '18 at 13:57
  • Great, I'll look into that. Thanks a lot for your help! – himi64 Sep 18 '18 at 14:26

2 Answers2

0

I am not sure if you're still trying to resolve this problem, but I don't think you are able to handle URL whitelisting at the API Gateway level.

Here are the possible API Gateway resource policies listed in the AWS docs:

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-aws-condition-keys.html

Vinicius Barros
  • 91
  • 5
0

Could you not just use an API KEY that those specific hosts or host can use to gain access to the API?

Cloud W.
  • 181
  • 5
  • Within that hosts environment, you could store the API KEY inside secret manager or whatever tool you want and just make a call to get the API key and access the API GATEWAY. – Cloud W. Sep 09 '19 at 17:12