Use VPC endpoint policies for private APIs in API Gateway
You can improve the security of your private APIs by configuring API Gateway to use an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to privately access AWS services by using private IP addresses. For more information about creating VPC endpoints, see Creating an Interface Endpoint.
A VPC endpoint policy is an IAM resource policy that you attach to an interface VPC endpoint to control what can be reached through that endpoint. For more information, see Controlling Access to Services with VPC Endpoints. You can use an endpoint policy to restrict which private APIs the traffic leaving your internal network through the endpoint is allowed to invoke, allowing or denying access to specific private APIs, stages or methods.
VPC endpoint policies can be used together with API Gateway resource policies. The resource policy on the API specifies which principals can access the API (and, typically, from which VPC endpoints); the endpoint policy specifies which private APIs can be called through the VPC endpoint. The endpoint policy is an additional layer, not a replacement: a call made through the endpoint must be allowed by both policies, and an explicit deny in either one blocks it. For more information about resource policies, see Controlling access to an API with API Gateway resource policies.
VPC endpoint policy considerations
- If a policy restricts access to specific IAM principals, you must set the authorizationType of the method to AWS_IAM or NONE.
- The identity of the invoker is evaluated based on the Authorization header value, which must carry a Signature Version 4 signature for the invoker to be mapped to an IAM principal. Depending on your authorizationType, this may lead to a 403 IncompleteSignatureException or a 403 InvalidSignatureException error. The following table shows the Authorization header values for each authorizationType.
VPC endpoint policy examples
You can create policies for Amazon Virtual Private Cloud endpoints for Amazon API Gateway in which you can specify:
- The principal that can perform actions.
- The actions that can be performed.
- The resources that can have actions performed on them.
To attach the policy to the VPC endpoint, use the Amazon VPC console, or the AWS CLI with aws ec2 modify-vpc-endpoint --vpc-endpoint-id <endpoint-id> --policy-document file://policy.json. For more information, see Controlling Access to Services with VPC Endpoints.
Example 1: VPC endpoint policy granting access to two APIs
The following example policy grants access to only two specific APIs via the VPC endpoint that the policy is attached to.
```json
{
  "Statement": [
    {
      "Principal": "*",
      "Action": [
        "execute-api:Invoke"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:execute-api:us-east-1:123412341234:a1b2c3d4e5/*",
        "arn:aws:execute-api:us-east-1:123412341234:aaaaa11111/*"
      ]
    }
  ]
}
```
Example 2: VPC endpoint policy granting access to GET methods
The following example policy grants users access to only the GET methods of one stage (stageName) of a specific API via the VPC endpoint that the policy is attached to. Because the resource ARN includes the stage and the HTTP verb, requests for other stages or other methods of the same API are not matched and are implicitly denied by the endpoint policy.
```json
{
  "Statement": [
    {
      "Principal": "*",
      "Action": [
        "execute-api:Invoke"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:execute-api:us-east-1:123412341234:a1b2c3d4e5/stageName/GET/*"
      ]
    }
  ]
}
```
Example 3: VPC endpoint policy granting a specific user access to a specific API
The following example policy grants a specific IAM user access to a specific API via the VPC endpoint that the policy is attached to. Because the policy names an IAM principal, the methods of that API must use authorizationType AWS_IAM or NONE, as described in the considerations above; otherwise the Authorization header cannot be mapped to the principal and the call fails.
```json
{
  "Statement": [
    {
      "Principal": {
        "AWS": [
          "arn:aws:iam::123412341234:user/MyUser"
        ]
      },
      "Action": [
        "execute-api:Invoke"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:execute-api:us-east-1:123412341234:a1b2c3d4e5/*"
      ]
    }
  ]
}
```
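The layering described above (endpoint policy plus resource policy) is easiest to see by evaluating a few requests against both. The following Python script is an added example and not AWS code: it implements a deliberately small subset of IAM evaluation (Principal, Action, Resource wildcards, StringEquals/StringNotEquals conditions, explicit deny wins) and runs the endpoint policies from Example 2 and Example 3 alongside a hypothetical resource policy on the API that denies any invocation not arriving through a hypothetical endpoint vpce-0123456789abcdef0. The endpoint ID, the resource policy, the request paths and the evaluator itself are assumptions for the illustration; real IAM evaluation includes identity-based policies, NotAction/NotResource and many more condition operators.

```python
"""Simplified simulation (added example, not AWS code) of how a VPC endpoint
policy and an API Gateway resource policy combine for a private API.
Only the IAM subset used by the page's examples is modelled."""
from fnmatch import fnmatchcase

ACCOUNT = "123412341234"
API_ARN = f"arn:aws:execute-api:us-east-1:{ACCOUNT}:a1b2c3d4e5"
VPCE_ID = "vpce-0123456789abcdef0"  # hypothetical endpoint ID, not from the page

# Endpoint policy from the page's Example 2: only GET methods of one stage.
ENDPOINT_POLICY_GET_ONLY = {
    "Statement": [{
        "Principal": "*",
        "Action": ["execute-api:Invoke"],
        "Effect": "Allow",
        "Resource": [f"{API_ARN}/stageName/GET/*"],
    }]
}

# Endpoint policy from the page's Example 3: one IAM user, whole API.
ENDPOINT_POLICY_ONE_USER = {
    "Statement": [{
        "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT}:user/MyUser"]},
        "Action": ["execute-api:Invoke"],
        "Effect": "Allow",
        "Resource": [f"{API_ARN}/*"],
    }]
}

# Hypothetical resource policy on the private API itself (not from the page):
# allow invocations, but explicitly deny anything not arriving via VPCE_ID.
RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": f"{API_ARN}/*"},
        {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": f"{API_ARN}/*",
         "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    return caller_arn in _as_list(principal.get("AWS", []))


def _condition_matches(condition, context):
    """StringEquals fails when the key is absent; StringNotEquals passes."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            present = context.get(key) in _as_list(expected)
            if operator == "StringEquals" and not present:
                return False
            if operator == "StringNotEquals" and present:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise NotImplementedError(operator)
    return True


def evaluate(policy, request):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one policy.
    An explicit Deny in any matching statement wins, as in IAM. Resource
    patterns use fnmatchcase because IAM's '*' also matches across '/'."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], request["caller"]):
            continue
        if not any(fnmatchcase(request["action"], a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(request["resource"], r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition"), request["context"]):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def invocation_allowed(endpoint_policy, resource_policy, request):
    """A call through the endpoint succeeds only when both layers allow it."""
    return all(evaluate(p, request) == "Allow" for p in (endpoint_policy, resource_policy))


def make_request(method, path, stage="stageName", vpce=VPCE_ID,
                 caller=f"arn:aws:iam::{ACCOUNT}:user/MyUser"):
    """Constructed invocation; execute-api ARNs are api-id/stage/VERB/path."""
    return {"caller": caller, "action": "execute-api:Invoke",
            "resource": f"{API_ARN}/{stage}/{method}/{path}",
            "context": {"aws:SourceVpce": vpce}}


if __name__ == "__main__":
    cases = [("GET via endpoint", make_request("GET", "pets")),
             ("POST via endpoint", make_request("POST", "pets")),
             ("GET, other stage", make_request("GET", "pets", stage="dev")),
             ("GET, other endpoint", make_request("GET", "pets", vpce="vpce-0fedcba9876543210")),
             ("GET, other user", make_request("GET", "pets", caller=f"arn:aws:iam::{ACCOUNT}:user/Other"))]
    for label, req in cases:
        print(f"{label:20} GET-only: {invocation_allowed(ENDPOINT_POLICY_GET_ONLY, RESOURCE_POLICY, req)!s:5} "
              f"one-user: {invocation_allowed(ENDPOINT_POLICY_ONE_USER, RESOURCE_POLICY, req)}")
```

Running the script shows the two failure modes a practitioner should expect: a request that the endpoint policy does not match (POST, or a different stage, under Example 2; a different IAM user under Example 3) is implicitly denied at the endpoint even though the API's resource policy would allow it, and a request that arrives through any other endpoint is explicitly denied by the resource policy even though the endpoint policy is satisfied. Neither layer can widen what the other has closed.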