API Gateway Experts, I want to invoke an API that triggers a Lambda function to create a SageMaker instance pre-signed URL. They would like to deny access to the API to only a particular user's source IP address. I have provided the YAML used to deploy this, but it is still allowing all other IP addresses to interact with the API even with the resource policy. What am I missing?
ApiGatewayRestApi:
  Type: AWS::ApiGateway::RestApi
  Properties:
    ApiKeySourceType: HEADER
    Description: An API Gateway with a Lambda Integration
    EndpointConfiguration:
      Types:
        - EDGE
    Name: lambda-sagemaker-presigned-url-api
    Policy: !Sub |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:*/${APIGatewayStageName}/*/*",
            "Condition": {
              "NotIpAddress": {
                "aws:SourceIp": "${YourIPAddress}"
              }
            }
          },
          {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:*/${APIGatewayStageName}/*/*"
          }
        ]
      }
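As an added example (not part of the post, and not AWS or CloudFormation code), the script below models how the two statements in that resource policy resolve for a given caller IP. It substitutes constructed values for the `!Sub` placeholders and implements only the slice of IAM evaluation that matters here: an applicable explicit Deny overrides any Allow, and `IpAddress` / `NotIpAddress` conditions are matched against `aws:SourceIp`. The region, account id, stage name, API id and the TEST-NET addresses are all made-up.

```python
"""Local model of how the Deny/Allow pair in the posted resource policy resolves
for a given caller IP. Added example, not AWS or CloudFormation code: it covers
only the IAM rules relevant here (a matching explicit Deny beats any Allow;
IpAddress / NotIpAddress conditions on aws:SourceIp) and ignores identity
policies, API keys, authorizers and which deployment a stage points at."""
import fnmatch
import ipaddress
import json

# Constructed stand-in values for the template's !Sub placeholders.
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
STAGE = "prod"
ALLOWED_IP = "203.0.113.10/32"   # TEST-NET-3 documentation address, CIDR form
API_ID = "abcde12345"            # hypothetical REST API id

# The same two statements as the template, with placeholders substituted.
POLICY = json.loads(f"""
{{
  "Version": "2012-10-17",
  "Statement": [
    {{
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:{REGION}:{ACCOUNT_ID}:*/{STAGE}/*/*",
      "Condition": {{"NotIpAddress": {{"aws:SourceIp": "{ALLOWED_IP}"}}}}
    }},
    {{
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:{REGION}:{ACCOUNT_ID}:*/{STAGE}/*/*"
    }}
  ]
}}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ip_in_any(ip, cidrs):
    # A bare address such as "203.0.113.10" is treated as a /32 network.
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


def _condition_holds(condition, context):
    """Every condition block must be satisfied for the statement to apply."""
    for operator, pairs in condition.items():
        for key, values in pairs.items():
            ip = context[key]        # aws:SourceIp is always present for an API call
            if operator == "IpAddress" and not _ip_in_any(ip, values):
                return False
            if operator == "NotIpAddress" and _ip_in_any(ip, values):
                return False
            if operator not in ("IpAddress", "NotIpAddress"):
                raise NotImplementedError(f"condition operator {operator}")
    return True


def _glob_match(patterns, value):
    # IAM '*' and '?' wildcards; fnmatch's '*' crosses '/' just as IAM's does.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy, action, resource_arn, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for a single request."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _glob_match(stmt["Action"], action):
            continue
        if not _glob_match(stmt["Resource"], resource_arn):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"            # an applicable explicit Deny is final
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def decide(source_ip, stage=STAGE, method="GET", path="presigned-url"):
    """Decision for invoking <method> /<path> on the given stage from source_ip."""
    arn = f"arn:aws:execute-api:{REGION}:{ACCOUNT_ID}:{API_ID}/{stage}/{method}/{path}"
    return evaluate(POLICY, "execute-api:Invoke", arn, {"aws:SourceIp": source_ip})


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7"):
        print(ip, "->", decide(ip))
```

Run as written it reports Allow for the listed address and Deny for every other one, so the Deny-with-NotIpAddress pattern itself is sound; a request for a stage the Resource ARN does not name falls through to an implicit deny. Two things this model cannot see are worth checking on the deployed API: API Gateway applies a resource policy only through a deployment, and the AWS documentation states that after creating or changing the policy the API must be deployed to the stage again for it to take effect; and `aws:SourceIp` is documented as taking CIDR notation, so a value like `203.0.113.10/32` avoids any ambiguity about what the placeholder expands to.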