Controlling access to an API with API Gateway resource policies

Amazon API Gateway resource policies are JSON policy documents that you attach to an API to control whether a specified principal (typically an IAM role or group) can invoke the API. You can use API Gateway resource policies to allow your API to be securely invoked by:

• Users from a specified AWS account.

• Specified source IP address ranges or CIDR blocks.

• Specified virtual private clouds (VPCs) or VPC endpoints (in any account).

You can use resource policies for all API endpoint types in API Gateway: private, edge-optimized, and Regional.

For private APIs, you can use resource policies together with VPC endpoint policies to control which principals have access to which resources and actions. For more information, see Use VPC endpoint policies for private APIs in API Gateway.

You can attach a resource policy to an API by using the AWS Management Console, AWS CLI, or AWS SDKs.

API Gateway resource policies are different from IAM identity-based policies. IAM identity-based policies are attached to IAM users, groups, or roles and define what actions those identities are capable of doing on which resources. API Gateway resource policies are attached to resources. For a more detailed discussion of the differences between identity-based policies and resource policies, see Identity-Based Policies and Resource-Based Policies.

You can use API Gateway resource policies together with IAM policies.

Topics

• Access policy language overview for Amazon API Gateway
• How API Gateway resource policies affect authorization workflow
• API Gateway resource policy examples
• Create and attach an API Gateway resource policy to an API
• AWS condition keys that can be used in API Gateway resource policies