I know this is the resource policy to be returned by a REST API authorizer to authorize the endpoint arn:aws:execute-api:us-west-2:123456789012:ymy8tbxw7b/dev/GET/:
{
  "principalId": "user",
  "policyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "execute-api:Invoke",
        "Effect": "Deny",
        "Resource": "arn:aws:execute-api:us-west-2:123456789012:ymy8tbxw7b/dev/GET/"
      }
    ]
  }
}
I have a proxy resource as arn:aws:execute-api:{region}:{accountid}:{apiid}/*/*/tnaapi/{proxy+}:
{
  "principalId": "user",
  "policyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "execute-api:Invoke",
        "Effect": "Deny",
        "Resource": "arn:aws:execute-api:us-west-2:123456789012:ymy8tbxw7b/*/*/tnaapi/{proxy+}"
      }
    ]
  }
}
If I set this as "Resource" in a resource policy and return it from the authorizer, I'm not allowed to access the tnaapi/aaaa/bbb endpoints. How can I solve that?
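
An added example, not part of the original post: the `Resource` in an authorizer policy is matched against the concrete request ARN using IAM wildcards, so the API Gateway path template `{proxy+}` is compared as literal text, while `tnaapi/*` covers the sub-paths. The matcher below is a simplified local model of that wildcard matching (`*` and `?` only), and the helper names are hypothetical.

```python
import re


def arn_matches(pattern: str, arn: str) -> bool:
    """Simplified IAM-style match: '*' is any run of characters, '?' is one."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, arn) is not None


def proxy_resource(api_prefix: str, base_path: str) -> str:
    """Resource ARN for any stage, any method, any sub-path under base_path."""
    return f"{api_prefix}/*/*/{base_path.strip('/')}/*"


def authorizer_response(principal_id: str, effect: str, resource: str) -> dict:
    """Response document in the shape shown in the question."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "execute-api:Invoke",
                    "Effect": effect,
                    "Resource": resource,
                }
            ],
        },
    }


# Constructed sample values based on the ARNs in the question.
API = "arn:aws:execute-api:us-west-2:123456789012:ymy8tbxw7b"
REQUEST = API + "/dev/GET/tnaapi/aaaa/bbb"   # ARN of an actual call
LITERAL = API + "/*/*/tnaapi/{proxy+}"       # template text, not a wildcard
WILDCARD = proxy_resource(API, "tnaapi")     # .../*/*/tnaapi/*

if __name__ == "__main__":
    print("template form matches:", arn_matches(LITERAL, REQUEST))
    print("wildcard form matches:", arn_matches(WILDCARD, REQUEST))
    print(authorizer_response("user", "Allow", WILDCARD))
```

Replacing the `*/*` stage and method segments with specific values keeps the statement closer to least privilege.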