Reputation: 2196
I have a method enabled with AuthorizationType: AWS_IAM in ApiGateway. This works when I supply an AccessKey and SecretKey for an IAM user with the programmatic access policy in the header; however, this is only half the desired outcome.
Is there a way to further extend this Authorization to only allow IAM users that have a policy attached for the specific API Gateway method?
My initial thought was to have a resource policy on the API Gateway to deny all requests and then assign method access policies to specific IAM users to override that, but according to the Policy Evaluation Logic documentation, any resource with an explicit deny overrides the one with the allow.
Is it possible to restrict API Gateway methods to only the IAM users that have an allow policy for the method, aka "whitelist"?
Upvotes: 1
Views: 1350
Reputation: 8603
You can attach an IAM policy that allows a user to invoke a particular API method. The user cannot invoke the API endpoint without permission to invoke it.
For testing, I created a user with no permissions and received the error below.
{
    "Message": "User: arn:aws:iam::********1111:user/test-api-gateway-iam-auth is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:ap-southeast-2:********1111:b2r0m0gev9/test/GET/"
}
I then attached the following policy to the IAM user. The policy allowed the user to invoke a particular API method.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "execute-api:Invoke"
            ],
            "Resource": [
                "arn:aws:execute-api:ap-southeast-2:********1111:xxx/test/GET/"
            ]
        }
    ]
}
Upvotes: 1
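To make the answer's point concrete, here is an added example (not code from the question or the answer above) that builds the per-method `execute-api` resource ARN, emits the allow-list policy for a set of methods, and produces the SigV4-signed headers a caller needs to hit one of those methods with an access key and secret key. Because IAM is default-deny, listing only the permitted method ARNs in the identity policy is the whole allow-list; a deny-all resource policy would override those Allows rather than be overridden by them. The API id, account id, stage, and credentials in the block are made up, and the request is built but never sent, so it runs offline.

```python
"""Allow-list one API Gateway method via IAM and sign a call to it (SigV4).

Added example, not from the original post. The API id, account id, stage and
credentials below are constructed placeholders; nothing is sent over the network.
"""
import datetime
import hashlib
import hmac
import json
import urllib.parse


def method_arn(region, account, api_id, stage, http_method, path):
    """Resource ARN that execute-api:Invoke must name for exactly one method.

    Form: arn:aws:execute-api:REGION:ACCOUNT:API_ID/STAGE/METHOD/PATH, the same
    shape as the resource quoted in the AccessDenied message in the answer.
    """
    return (f"arn:aws:execute-api:{region}:{account}:"
            f"{api_id}/{stage}/{http_method}/{path.lstrip('/')}")


def invoke_policy(arns):
    """Identity policy granting Invoke on only the listed method ARNs.

    No resource policy is needed: anything not listed here is already denied
    by IAM's default-deny, and an explicit Deny would override these Allows.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": sorted(arns),
        }],
    }


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key, date_stamp, region, service):
    # kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")
    key = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return key


def sigv4_headers(access_key, secret_key, region, api_id, stage, http_method,
                  path, query=None, body=b"", now=None, session_token=None):
    """Headers for a SigV4-signed request to one API Gateway method.

    The service name in the credential scope is 'execute-api'; the host is the
    API's regional endpoint and the stage is the first path segment.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    service = "execute-api"
    host = f"{api_id}.execute-api.{region}.amazonaws.com"
    canonical_uri = f"/{stage}/{path.lstrip('/')}"
    canonical_qs = "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
        for k, v in sorted((query or {}).items()))
    payload_hash = hashlib.sha256(body).hexdigest()

    headers = {"host": host, "x-amz-date": amz_date}
    if session_token:  # temporary credentials (STS) must also sign the token
        headers["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_request = "\n".join([http_method, canonical_uri, canonical_qs,
                                   canonical_headers, signed_headers, payload_hash])

    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = hmac.new(_signing_key(secret_key, date_stamp, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


if __name__ == "__main__":
    region, account, api_id, stage = "ap-southeast-2", "111111111111", "b2r0m0gev9", "test"
    allowed = [method_arn(region, account, api_id, stage, "GET", "/"),
               method_arn(region, account, api_id, stage, "POST", "/orders")]
    print(json.dumps(invoke_policy(allowed), indent=2))
    # Placeholder credentials; attach the policy above to this user in IAM first.
    hdrs = sigv4_headers("AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                         region, api_id, stage, "GET", "/")
    print(hdrs["authorization"])
```

The policy printed by the script is the allow-list: a request signed by a principal that carries it reaches `GET /test/`, while the same principal calling `DELETE /test/orders` (or any method not listed) gets the `is not authorized to perform: execute-api:Invoke` error shown in the answer. To send the request for real, pass the returned headers to any HTTP client against `https://{api_id}.execute-api.{region}.amazonaws.com/{stage}/{path}`; the `x-amz-date` and `host` values must be sent exactly as signed.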