
How to Secure Your AWS API Gateway REST API with IP Restrictions



When building an API, securing it is critical, especially when sensitive data is involved. AWS API Gateway provides an easy-to-use platform to expose APIs, but sometimes, you need an additional layer of security. One such measure is restricting access to your API based on IP addresses. This tutorial will guide you through the process of securing your AWS API Gateway REST API using IP-based restrictions with a resource policy.

Why Restrict API Access by IP Address?

Restricting API access by IP address is essential for scenarios like:

  • Internal services: Ensuring that only internal applications or trusted servers can access your API.

  • Enhanced security: Protecting your API from unauthorized access and potential attacks from the public internet.

AWS provides a simple way to manage this by using resource policies in API Gateway. In this blog, we’ll walk you through applying these policies to restrict access based on trusted IPs, ensuring that only authorized users or systems can interact with your API.

Step 1: Create a Simple Lambda Function

To integrate with API Gateway, you need a Lambda function. Here’s a basic example that returns a greeting message.

1. Create a Lambda Function:

  • Open the AWS Lambda Console.

  • Click Create function.

  • Choose Author from scratch.

  • Enter a function name (e.g., test).

  • Select Runtime: Node.js 18.x.

  • Choose an execution role (or create a new role with basic Lambda permissions).

  • Click Create function.

2. Add the Following Code:

exports.handler = async (event) => {
    return {
        statusCode: 200,
        body: JSON.stringify({ message: "Hello from Lambda" })
    };
};

3. Save and Deploy the Lambda Function:

  • Click Deploy.

  • Copy the function name (test) and use it in API Gateway integration.

Step 2: Create a REST API in AWS API Gateway

If you haven’t already set up your API, let’s create a REST API in API Gateway.

1. Log into AWS Console:

Open the AWS Management Console and navigate to API Gateway.

2. Create a New REST API:

  • Click Create API.

  • Choose REST API and then click Build.

  • Select New API, give it a name (e.g., MyRestApi), and set the Endpoint Type to Regional (or Edge-Optimized).

  • Click Create API.

3. Create a Resource:

  • Select your new API and click on Actions → Create Resource.

  • Enter a name for the resource (e.g., hello) and create it.

4. Create a Method for the Resource:

  • Select the newly created resource and click on Actions → Create Method.

  • Choose GET as the HTTP method and Lambda Function for the integration type.

  • Specify the Lambda function created in Step 1 (test), or any simple function that returns a greeting message.

5. Deploy the API:

  • Go to Actions → Deploy API, give a name of your stage, and click Deploy.

  • You’ll get an Invoke URL such as:

      https://<api-id>.execute-api.<region>.amazonaws.com/prod/

Open the URL of your resource (for example .../prod/hello) in a browser to confirm the API responds before you add any restrictions.

Step 3: Apply a Resource Policy to Restrict Access by IP Address

Now, let’s add an IP-based access control policy to ensure only specific IPs can access your API.

1. Go to Permissions:

  • In the API Gateway Console, select your API (MyRestApi).

2. Edit the Resource Policy:

  • Click on Edit Resource Policy in the Resource Policy section.

  • Add the following JSON policy to restrict access based on IP addresses:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:382541523649:fx9ahfz5xl/*/*/*"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:382541523649:fx9ahfz5xl/*/*/*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "104.128.65.174",
            "103.136.92.22"
          ]
        }
      }
    }
  ]
}

  • Allow Statement: Grants execute-api:Invoke on the API to any caller; the Resource ARN (.../*/*/*) covers every stage, method and path, including GET /hello.

  • Deny Statement: Denies invocation from any source IP that is not in the aws:SourceIp list, which is everything else in 0.0.0.0/0. Because an explicit Deny always overrides an Allow, only the listed addresses get through.
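To make the Allow/Deny interplay concrete, here is an added example (not code from the original post) that builds the same two-statement policy from a list of trusted addresses and evaluates a caller's source IP against it the way IAM does: explicit Deny wins, and with no matching Allow the result is Deny. The ARN is a placeholder, the evaluator is a local approximation that only understands the IpAddress and NotIpAddress conditions used here, and it generalizes the post's bare IPs to CIDR ranges (a bare IP is treated as /32, IPv6 ranges work the same way).

```python
import ipaddress
import json

# Placeholder ARN; copy the real one from the API Gateway console (assumption).
API_ARN = "arn:aws:execute-api:<region>:<account-id>:<api-id>/*/*/*"


def build_ip_restriction_policy(api_arn, trusted_cidrs):
    """Return a resource policy allowing execute-api:Invoke only from trusted_cidrs.

    Every entry is validated and normalized first: a bare IP becomes a /32,
    and a malformed entry raises here instead of being rejected at save time
    or silently locking everyone out.
    """
    normalized = [str(ipaddress.ip_network(c, strict=False)) for c in trusted_cidrs]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": api_arn,
            },
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": api_arn,
                "Condition": {"NotIpAddress": {"aws:SourceIp": normalized}},
            },
        ],
    }


def _ip_in_any(ip, cidrs):
    """True if ip falls inside any of the CIDRs (v4/v6 mismatches never match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def evaluate_invoke(policy, source_ip):
    """Local approximation of IAM evaluation for this policy shape.

    Walk every statement; a statement applies when its condition matches.
    An applicable explicit Deny ends evaluation with "Deny"; otherwise an
    applicable Allow yields "Allow"; with nothing applicable the default is Deny.
    """
    decision = "Deny"  # implicit deny unless an Allow applies
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {})
        applies = True
        if "IpAddress" in cond:
            applies = _ip_in_any(source_ip, cond["IpAddress"]["aws:SourceIp"])
        if "NotIpAddress" in cond:
            applies = not _ip_in_any(source_ip, cond["NotIpAddress"]["aws:SourceIp"])
        if not applies:
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny overrides any Allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    # Constructed allow-list: one host plus one /24 range.
    policy = build_ip_restriction_policy(API_ARN, ["104.128.65.174", "103.136.92.0/24"])
    print(json.dumps(policy, indent=2))
    for ip in ("104.128.65.174", "103.136.92.22", "103.136.93.1", "2001:db8::1"):
        print(ip, "->", evaluate_invoke(policy, ip))
```

Two caveats worth keeping in mind when you paste the generated JSON into the console: aws:SourceIp is the public address the request arrives from, so callers behind a proxy or CDN show up with the proxy's address, and traffic that reaches a private API through a VPC endpoint should be matched on aws:VpcSourceIp instead. Also deploy the API again after saving the policy so the stage actually picks up the change.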

3. Save the Policy:

  • Click Save to apply the changes.

Step 4: Test the API Access Control

1. Test with Trusted IPs:

If you’re using one of the allowed IP addresses, send a request:

curl https://<api-id>.execute-api.<region>.amazonaws.com/prod/hello

You should receive a response like:

{
  "message": "Hello from Lambda"
}

2. Test with Unauthorized IPs:

Send a request from an IP outside the allowed list. You should receive a 403 Forbidden response.

Step 5: Monitor and Adjust Access as Needed

1. Monitor API Access:

Enable CloudWatch Logs for your API Gateway methods to track access requests, including IP addresses and response codes. This helps you monitor any unauthorized access attempts.

2. Update IP Ranges:

If your trusted IPs change, you can easily update the resource policy to add or remove IP ranges.
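As an added example of the monitoring in Step 5 (not code from the original post), the script below parses API Gateway access-log lines and reviews them from the policy's point of view: it counts 403s per untrusted source (the expected rejections), flags any 2xx from an address outside the allow-list (a sign the policy is not in effect on that stage), and flags 403s from a trusted address (a gap in the list, or a different 403 such as an unmatched route). The log lines are constructed, and the JSON access-log format assumed here uses real $context variables but key names chosen for this example.

```python
import ipaddress
import json
from collections import Counter

# Access-log format assumed for the stage. The $context variables are real
# API Gateway logging variables; the JSON key names are this example's choice.
ACCESS_LOG_FORMAT = (
    '{"requestTime":"$context.requestTime",'
    '"sourceIp":"$context.identity.sourceIp",'
    '"httpMethod":"$context.httpMethod",'
    '"resourcePath":"$context.resourcePath",'
    '"status":"$context.status"}'
)

# The same allow-list as the resource policy (bare IPs written as /32).
TRUSTED_CIDRS = ["104.128.65.174/32", "103.136.92.22/32"]

# Constructed sample log lines, not real traffic; one JSON object per line.
SAMPLE_LOG = "\n".join([
    '{"requestTime":"10/Oct/2024:10:00:01 +0000","sourceIp":"104.128.65.174","httpMethod":"GET","resourcePath":"/hello","status":"200"}',
    '{"requestTime":"10/Oct/2024:10:00:05 +0000","sourceIp":"198.51.100.7","httpMethod":"GET","resourcePath":"/hello","status":"403"}',
    '{"requestTime":"10/Oct/2024:10:00:06 +0000","sourceIp":"198.51.100.7","httpMethod":"GET","resourcePath":"/hello","status":"403"}',
    '{"requestTime":"10/Oct/2024:10:00:09 +0000","sourceIp":"203.0.113.9","httpMethod":"POST","resourcePath":"/hello","status":"403"}',
    '{"requestTime":"10/Oct/2024:10:00:12 +0000","sourceIp":"103.136.92.22","httpMethod":"GET","resourcePath":"/hello","status":"403"}',
    '{"requestTime":"10/Oct/2024:10:00:15 +0000","sourceIp":"192.0.2.44","httpMethod":"GET","resourcePath":"/hello","status":"200"}',
    'this line is not JSON and is skipped',
])


def parse_access_log(text):
    """Yield one dict per well-formed JSON line; ignore blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_trusted(ip, trusted_cidrs):
    """True if ip falls inside any allow-listed CIDR."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in trusted_cidrs)


def review_access(text, trusted_cidrs):
    """Summarize the log relative to the allow-list.

    blocked:           403 count per untrusted source IP (expected rejections)
    untrusted_success: 2xx records from untrusted IPs (policy not in effect?)
    trusted_rejected:  403 records from trusted IPs (list gap, or another 403
                       cause such as an unmatched path; check resourcePath)
    """
    blocked = Counter()
    untrusted_success = []
    trusted_rejected = []
    for rec in parse_access_log(text):
        ip = rec.get("sourceIp")
        if not ip:
            continue
        status = int(rec.get("status", 0))
        trusted = is_trusted(ip, trusted_cidrs)
        if status == 403 and not trusted:
            blocked[ip] += 1
        elif 200 <= status < 300 and not trusted:
            untrusted_success.append(rec)
        elif status == 403 and trusted:
            trusted_rejected.append(rec)
    return {
        "blocked": blocked,
        "untrusted_success": untrusted_success,
        "trusted_rejected": trusted_rejected,
    }


if __name__ == "__main__":
    report = review_access(SAMPLE_LOG, TRUSTED_CIDRS)
    print("403s from untrusted sources:", dict(report["blocked"]))
    for rec in report["untrusted_success"]:
        print("ALERT: untrusted source got", rec["status"], "from", rec["sourceIp"])
    for rec in report["trusted_rejected"]:
        print("CHECK: trusted source", rec["sourceIp"], "got 403 on", rec["resourcePath"])
```

Point it at lines exported from the stage's CloudWatch log group once access logging is enabled with the format above; the untrusted-success case is the one to page on, since it means the stage is serving callers the policy was supposed to reject.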
