{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 来,给爷笑一个 的问题《How can I make an IP/VPC whitelist for an API in A》','https://www.manongdao.com/q-734486.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
We have an API in API Gateway connected to a lambda function. The API has three stages (Dev/Stage/Prod), an API key (required) and a usage plan (connected to all three stages).
We're trying to restrict traffic to this API so that Stage/Prod is only accessible from our servers from within our VPC, and Dev is only accessible from our office IP. We have tried using the Resource Policy below, but it doesn't work. Stage/Prod is still accessible from our office IP.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:eu-west-1:{{accountId}}:{{apiId}}/*"
},
{
"Effect": "Deny",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": [
"arn:aws:execute-api:eu-west-1:{{accountId}}:{{apiId}}/Stage",
"arn:aws:execute-api:eu-west-1:{{accountId}}:{{apiId}}/Prod"
],
"Condition": {
"StringNotEquals": {
"aws:SourceVpc": "{{vpcId}}"
}
}
},
{
"Effect": "Deny",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:eu-west-1:{{accountId}}:{{apiId}}/Dev",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "{{ipAddress}}"
}
}
}
]
}
We have replaced our real values with handlebars {{}}.
What are we doing wrong? Cheers!