Access policy language overview for Amazon API Gateway - Amazon API Gateway

Access policy language overview for Amazon API Gateway

This page describes the basic elements used in Amazon API Gateway resource policies.

Resource policies are specified using the same syntax as IAM policies. For complete policy language information, see Overview of IAM Policies and AWS Identity and Access Management Policy Reference in the IAM User Guide.

For information about how an AWS service decides whether a given request should be allowed or denied, see Determining Whether a Request is Allowed or Denied.

Common elements in an access policy

In its most basic sense, a resource policy contains the following elements:

  • Resources – APIs are the Amazon API Gateway resources for which you can allow or deny permissions. In a policy, you use the Amazon Resource Name (ARN) to identify the resource. You can also use abbreviated syntax, which API Gateway automatically expands to the full ARN when you save a resource policy. To learn more, see API Gateway resource policy examples.

    For the format of the full Resource element, see Resource format of permissions for executing API in API Gateway.

  • Actions – For each resource, Amazon API Gateway supports a set of operations. You identify resource operations that you will allow (or deny) by using action keywords.

    For example, the execute-api:Invoke permission will allow the user permission to invoke an API upon a client request.

    For the format of the Action element, see Action format of permissions for executing API in API Gateway.

  • Effect – What the effect is when the user requests the specific action—this can be either Allow or Deny. You can also explicitly deny access to a resource, which you might do in order to make sure that a user cannot access it, even if a different policy grants access.


    "Implicit deny" is the same thing as "deny by default".

    An "implicit deny" is different from an "explicit deny". For more information, see The Difference Between Denying by Default and Explicit Deny.

  • Principal – The account or user allowed access to the actions and resources in the statement. In a resource policy, the principal is the user or account who receives this permission.

The following example resource policy shows the previous common policy elements. The policy grants access to the API under the specified account-id in the specified region to any user whose source IP address is in the address block The policy denies all access to the API if the user's source IP is not within the range.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke", "Resource": "arn:aws:execute-api:region:account-id:*" }, { "Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke", "Resource": "arn:aws:execute-api:region:account-id:*", "Condition": { "NotIpAddress": { "aws:SourceIp": "" } } } ] }