Ganesh Satpute

Reputation: 3941

Serverless whitelist different IPs to different functions

I'm using serverless to manage my Lambda functions.

If I have to white-list all of the functions in a given Serverless deployment, I could use something like this.

provider:
  name: aws
  ...
  resourcePolicy:
    - Effect: Deny
      Principal: '*'
      Action: execute-api:Invoke
      Resource:
        - execute-api:/*/*/*
      Condition:
        NotIpAddress:
          aws:SourceIp:
            - '141.206.243.10/32' # Teradata IP
            - '142.0.162.0/32'    # Eloqua IPs
    - Effect: Allow
      Principal: '*'
      Action: execute-api:Invoke
      Resource:
        - execute-api:/*/*/*

In my scenario, I have two APIs, for example

  1. GetEmployees
  2. PutEmployees

I want to restrict GetEmployees to be available from a certain IP range 1.2.3.x/24 and PutEmployees to be available from another IP range 4.5.6.x/24.

How can I accommodate this in serverless.yml?

Upvotes: 2

Views: 586

Answers (1)

K Mo

Reputation: 2155

Resource Policies are attached to API Gateways, not individual paths, so you can only have one Resource Policy document per API Gateway.

But as the rules in a policy are an array of rules, you can have individual rules for different stages, paths and methods in the following format:

execute-api:/{stage}/{path}/{method}

So what you need in your Resource Policy is to be a bit more specific.

The below example would apply the different IP restrictions to specific resources in your API for any stage and any method.

provider:
  name: aws
  ...
  resourcePolicy:
    - Effect: Allow
      Principal: '*'
      Action: execute-api:Invoke
      Resource:
        - execute-api:/*/*/*
    - Effect: Deny
      Principal: '*'
      Action: execute-api:Invoke
      Resource:
        # API Gateway's abbreviated resource form is execute-api:/{stage}/{method}/{path},
        # so the path segment goes last; here GetEmployees is assumed to be the resource path
        - execute-api:/*/*/GetEmployees
      Condition:
        NotIpAddress:
          aws:SourceIp:
            - '1.2.3.0/24'   # must be a valid CIDR; '1.2.3.x/24' is rejected by API Gateway
    - Effect: Deny
      Principal: '*'
      Action: execute-api:Invoke
      Resource:
        - execute-api:/*/*/PutEmployees
      Condition:
        NotIpAddress:
          aws:SourceIp:
            - '4.5.6.0/24'

Upvotes: 1
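To check that a per-path Deny/NotIpAddress policy like the one above actually behaves as intended before deploying it, the following added example (not from the question or answer) models IAM's evaluation rule, an applicable explicit Deny beats any Allow, over a constructed copy of the policy. It assumes API Gateway's abbreviated resource form execute-api:/{stage}/{method}/{path}, and also flags CIDR strings such as '1.2.3.x/24' that API Gateway would reject.

```python
import fnmatch
import ipaddress

# Constructed resource policy mirroring the answer's serverless.yml: one Allow for
# everything, then per-path Deny statements conditioned on NotIpAddress.
POLICY = [
    {"Effect": "Allow", "Resource": ["execute-api:/*/*/*"]},
    {"Effect": "Deny", "Resource": ["execute-api:/*/*/GetEmployees"],
     "NotIpAddress": ["1.2.3.0/24"]},
    {"Effect": "Deny", "Resource": ["execute-api:/*/*/PutEmployees"],
     "NotIpAddress": ["4.5.6.0/24"]},
]


def resource_matches(pattern, resource):
    """Glob match of a policy Resource against a concrete execute-api resource."""
    return fnmatch.fnmatchcase(resource, pattern)


def condition_holds(statement, source_ip):
    """NotIpAddress is satisfied when the caller lies outside every listed CIDR."""
    cidrs = statement.get("NotIpAddress")
    if cidrs is None:
        return True  # unconditional statement
    ip = ipaddress.ip_address(source_ip)
    return not any(ip in ipaddress.ip_network(c) for c in cidrs)


def evaluate(policy, stage, method, path, source_ip):
    """Mimic IAM's decision: an applicable explicit Deny always beats Allow."""
    resource = f"execute-api:/{stage}/{method}/{path}"
    decision = "ImplicitDeny"
    for st in policy:
        if not any(resource_matches(p, resource) for p in st["Resource"]):
            continue
        if not condition_holds(st, source_ip):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def invalid_cidrs(policy):
    """Return CIDR strings that API Gateway would reject, e.g. '1.2.3.x/24'."""
    bad = []
    for st in policy:
        for c in st.get("NotIpAddress", []):
            try:
                ipaddress.ip_network(c)
            except ValueError:
                bad.append(c)
    return bad
```

Running evaluate for GetEmployees from 1.2.3.7 returns "Allow", while the same call from 4.5.6.7 returns "Deny", and the reverse holds for PutEmployees.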
