Description :
Amazon API Gateway is an AWS service for creating, publishing, maintaining, monitoring, and securing REST, HTTP, and WebSocket APIs at any scale. API developers can create APIs that access AWS or other web services, as well as data stored in the AWS Cloud. As an API Gateway API developer, you can create APIs for use in your own client applications. This policy checks that every non-private API Gateway API has a resource-based policy that limits its use based on the caller's source IP address.
Rationale :
Restricting an API Gateway API to a particular set of IP addresses helps control access and reduces the chance of security risks caused by any party that is not calling from one of the whitelisted IP addresses.
Impact:
Users who call the API from specified IP addresses (allowed users) can access the API. Calls from any other IP addresses are denied access and receive an HTTP 403 Forbidden error.
Default Value:
By default, the API Gateway is not restricted.
Pre-Requisites:
IAM user with required permissions.
Remediation:
Test Plan:
- Log in to the AWS Management Console.
- Go to API Gateway at https://console.aws.amazon.com/apigateway
- Click on APIs in the left navigation pane.
- Select the API you want to examine.
- In the left panel, click on the Resource policy option.
- In the Resource policy, check whether any source IPs are listed (an aws:SourceIp condition). If none are, the API Gateway API is not restricted to source IPs.
Implementation steps:
- Log in to the AWS Management Console.
- Go to API Gateway at https://console.aws.amazon.com/apigateway
- Click on APIs in the left navigation pane.
- Select the REST API you want to examine.
- Click on the Resource Policy under the API you opened.
- In the Resource policy, add a condition of the following form:
"Condition": { "NotIpAddress": { "aws:SourceIp": ["sourceIpOrCIDRBlock1", "sourceIpOrCIDRBlock2"] } }
- For aws:SourceIp, replace the sourceIpOrCIDRBlock values with the specific IP addresses that you want to grant access to. You can also specify a range of IP addresses using CIDR notation.
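As an added example that is not part of the original policy text, the following Python function automates the test plan above: given an API Gateway resource policy (a dict, a JSON string, or the backslash-escaped string boto3's get_rest_api returns in its policy field), it reports which source ranges the policy actually enforces. It goes slightly beyond the steps by also accepting aws:VpcSourceIp and by ignoring catch-all ranges such as 0.0.0.0/0, which restrict nothing; the sample policies and CIDR blocks are constructed placeholders.

```python
import ipaddress
import json

# Constructed sample policies (documentation ranges, not real addresses).
# RESTRICTED is the shape the implementation steps describe: allow
# invocation, then deny any caller outside the allow-listed ranges.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": "execute-api:/*/*/*"},
        {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": "execute-api:/*/*/*",
         "Condition": {"NotIpAddress": {
             "aws:SourceIp": ["192.0.2.0/24", "198.51.100.7/32"]}}},
    ],
})
# The default state: a policy with no source-IP condition at all.
UNRESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "execute-api:Invoke",
                   "Resource": "execute-api:/*/*/*"}],
})

IP_CONDITION_KEYS = ("aws:SourceIp", "aws:VpcSourceIp")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def source_ip_restrictions(policy):
    """Return the source ranges the policy enforces, or [] if none.

    Two patterns count as a restriction: a Deny statement with
    NotIpAddress, or an Allow statement with IpAddress, keyed on
    aws:SourceIp or aws:VpcSourceIp. A range with prefix length 0
    (0.0.0.0/0) matches every caller and is therefore not counted.
    """
    if not policy:
        return []
    if isinstance(policy, str):
        # boto3's get_rest_api returns the document with escaped quotes
        policy = json.loads(policy.replace('\\"', '"'))
    ranges = []
    for stmt in _as_list(policy.get("Statement", [])):
        cond = stmt.get("Condition", {})
        operator = "NotIpAddress" if stmt.get("Effect") == "Deny" else "IpAddress"
        for key in IP_CONDITION_KEYS:
            for cidr in _as_list(cond.get(operator, {}).get(key, [])):
                if ipaddress.ip_network(cidr, strict=False).prefixlen > 0:
                    ranges.append(cidr)
    return ranges
```

An empty result for a non-private API is the finding this policy reports.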
Backout Plan:
- Log in to the AWS Management Console.
- Go to API Gateway at https://console.aws.amazon.com/apigateway
- Click on APIs in the left navigation pane.
- Select the REST API you want to examine.
- Click on the Resource Policy under the API you opened.
- In the Resource policy, remove the aws:SourceIp condition clause.
Note:
The aws:SourceIp condition value works only for public IP address ranges. To allow access to private IP address ranges, use the condition value aws:VpcSourceIp instead.
References :
https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-resource-policy-access/