Control access to a REST API with API Gateway resource policies - Amazon API Gateway
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Control access to a REST API with API Gateway resource policies

Amazon API Gateway resource policies are JSON policy documents that you attach to an API to control whether a specified principal (typically an IAM role or group) can invoke the API. You can use API Gateway resource policies to allow your API to be securely invoked by:

  • Users from a specified Amazon account.

  • Specified source IP address ranges or CIDR blocks.

  • Specified virtual private clouds (VPCs) or VPC endpoints (in any account).

You can attach a resource policy for any API endpoint type in API Gateway by using the Amazon Web Services Management Console, Amazon CLI, or Amazon SDKs. For private APIs, you can use resource policies together with VPC endpoint policies to control which principals have access to which resources and actions. For more information, see Use VPC endpoint policies for private APIs in API Gateway.

API Gateway resource policies are different from IAM identity-based policies. IAM identity-based policies are attached to IAM users, groups, or roles and define what actions those identities are capable of doing on which resources. API Gateway resource policies are attached to resources. You can use API Gateway resource policies together with IAM policies. For more information, see Identity-Based Policies and Resource-Based Policies.