AWS Resource policy on API Gateway

Question

I'm trying to use Resource Policy IP whitelisting to protect API Gateway. I have following questions and am not able to find public doc for these:

Can I make resource policy only effect to a specific stage's API gateway? If yes, how?
How much time does propagation need after I make a change on the policy?
Can Resource Policy be used on API with protocol WebSocket and endpoint type Regional? (Looks like not, I don't see option of it)
Does Resource Policy have version control? (looks like it does not)

Thanks

Arun Kamalanathan · Accepted Answer

Can I make resource policy only effect to a specific stage's API gateway? If yes, how? yes, example from aws docs.

{
  "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": [
            "arn:aws:iam::account-id-2:user/Alice",
            "account-id-2"
          ]
        },
        "Action": "execute-api:Invoke",
        "Resource": [
          "arn:aws:execute-api:region:account-id-1:api-id/stage/*"
        ]
      }
    ]
}

How much time does propagation need after I make a change on the policy?

you need to deploy the api again, you can do it from aws console

Can Resource Policy be used on API with protocol WebSocket and endpoint type Regional? (Looks like not, I don't see option of it)

i don't see why not, whatever the type you choose, it is still powered by API Gateway.

Does Resource Policy have version control? (looks like it does not)

Looks like it does not

AWS Resource policy on API Gateway

Answers (1)

Related Questions