
My understanding is that controlling IP address access to AWS api-gateway is via Resource policies.

This does not sound ideal as it would involve deploying the API each time new access was required (change control issues). Can this access not be decoupled from the API element and added to the VPC access list policy?

In summary, is there a way to control API Gateway access via Network access lists in a VPC?

nipy

1 Answer


To answer your direct question: no, you cannot control access to API Gateway via NACLs.

There are five ways to control access to API Gateway. If it is a private API you can create an Endpoint Policy [4]. If it is public then you can use 2, 5 or 6 below, or set up AWS WAF and define the IP addresses there.

  1. Resource policies
  2. Standard AWS IAM roles and policies
  3. IAM tags
  4. Endpoint Policies for Interface VPC Endpoints
  5. Lambda authorizers
  6. Amazon Cognito user pools

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-to-api.html

strongjz
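Below is an added example (not part of the answer above) showing what the IP-allowlist resource policy from option 1 and the VPC-endpoint-scoped policy from option 4 look like as documents, plus a small evaluator so you can check a candidate policy against sample requests before attaching it. The API ARN, CIDRs and endpoint ID are constructed placeholders, and the evaluator is a simplified model of IAM's "explicit Deny wins, otherwise an Allow is required" logic for just the `aws:SourceIp` and `aws:SourceVpce` condition keys, not the AWS evaluation engine.

```python
import ipaddress
import json

# Constructed placeholder values: substitute the real API ARN, CIDRs and endpoint ID.
API_ARN = "arn:aws:execute-api:us-east-1:123456789012:abcdef1234/*"
ALLOWED_CIDRS = ["203.0.113.0/24", "198.51.100.10/32"]
ALLOWED_VPCE_IDS = ["vpce-0123456789abcdef0"]


def build_ip_allowlist_policy(api_arn, cidrs):
    """Resource policy for a public REST API: allow any caller, then explicitly
    deny callers whose source IP is outside the allowlist (explicit Deny wins)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*",
             "Action": "execute-api:Invoke", "Resource": api_arn},
            {"Effect": "Deny", "Principal": "*",
             "Action": "execute-api:Invoke", "Resource": api_arn,
             "Condition": {"NotIpAddress": {"aws:SourceIp": list(cidrs)}}},
        ],
    }


def build_vpce_allowlist_policy(api_arn, vpce_ids):
    """Resource policy for a private REST API: only requests arriving through
    the listed interface VPC endpoints may invoke it."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*",
             "Action": "execute-api:Invoke", "Resource": api_arn},
            {"Effect": "Deny", "Principal": "*",
             "Action": "execute-api:Invoke", "Resource": api_arn,
             "Condition": {"StringNotEquals": {"aws:SourceVpce": list(vpce_ids)}}},
        ],
    }


def _condition_matches(condition, source_ip, source_vpce):
    """Simplified condition evaluation for the two keys used above.
    Positive operators are false when the key is absent from the request;
    negated operators (NotIpAddress, StringNotEquals) are true when it is absent."""
    for operator, pairs in condition.items():
        negated = "Not" in operator
        for key, values in pairs.items():
            values = [values] if isinstance(values, str) else values
            if key == "aws:SourceIp":
                key_present = source_ip is not None
                matched = key_present and any(
                    ipaddress.ip_address(source_ip) in ipaddress.ip_network(c)
                    for c in values)
            elif key == "aws:SourceVpce":
                key_present = source_vpce is not None
                matched = key_present and source_vpce in values
            else:
                raise ValueError(f"unsupported condition key in this model: {key}")
            satisfied = (not key_present or not matched) if negated else matched
            if not satisfied:
                return False
    return True


def invoke_allowed(policy, source_ip=None, source_vpce=None):
    """Decide whether an execute-api:Invoke request is allowed: any matching
    Deny wins, otherwise a matching Allow is needed (default is deny)."""
    allowed = False
    for stmt in policy["Statement"]:
        if stmt["Action"] != "execute-api:Invoke":
            continue
        if not _condition_matches(stmt.get("Condition", {}), source_ip, source_vpce):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    ip_policy = build_ip_allowlist_policy(API_ARN, ALLOWED_CIDRS)
    print(json.dumps(ip_policy, indent=2))
    for ip in ("203.0.113.5", "192.0.2.7"):
        print(ip, "allowed" if invoke_allowed(ip_policy, source_ip=ip) else "denied")
    vpce_policy = build_vpce_allowlist_policy(API_ARN, ALLOWED_VPCE_IDS)
    for vpce in ("vpce-0123456789abcdef0", "vpce-0fedcba9876543210"):
        print(vpce, "allowed" if invoke_allowed(vpce_policy, source_vpce=vpce) else "denied")
```

The Allow-everyone-then-Deny-outsiders shape is deliberate: a single conditional Allow would also work, but the explicit Deny cannot be overridden by any other Allow statement that may later be added to the policy, which is the safer default for an IP allowlist.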