Resource-based Policy
Resource-based Policy Overview
API Gateway’s Resource-based Policy is a policy attached to a resource that decides whether specific principals are allowed or denied (Effect) the listed actions on that resource. Using resource-based policies, you can directly define which principals may call the API.
Through resource-based policies, you can restrict API calls to the following:
- Users of specific Samsung Cloud Platform accounts
- Specific source IP address ranges or CIDR blocks
Resource-based policies are defined as JSON policy documents attached to an API to control whether a specified security principal (usually an IAM role or group) can call the API.
| Item | Description | Example |
|---|---|---|
| Principal | Specify the principal that will call the API | - |
| Action | Define the functions to allow | - |
| Condition | Restrict to allow only in specific situations | Allow only requests from specific SRN |
- API Gateway’s resource-based policy utilizes the rules of IAM’s resource-based policy.
- For instructions on creating or modifying policies using JSON, see JSON Writing Guide.
Resource-based Policy Usage Scenarios
The main usage scenarios for resource-based policies are as follows:
Resource-based Policy Scenarios
The resource-based policy scenarios used when specific features of API Gateway operate are as follows:
| Item | Description | Reference Example |
|---|---|---|
| Default Policy | The DEFAULT resource policy that is automatically created when an API is created. | Default Policy Example |
| Account Allow List | You can define the account(s) that can call the API. | Account Allow List Example |
| IP Range Deny List | You can define the IP ranges that cannot call the API. | IP Range Deny List Example |
Additional User Usage Scenarios
The following scenarios are not registered automatically by API Gateway’s resource-based policy, but users can add and use them as needed:
- Cross-account access
  - When an IAM user of account A wants to execute Lambda of account B, register account A in the function policy of account B.
- Hybrid access control
  - Instead of limiting only accounts or only IPs, you can require that both a specific user and a specific IP range be satisfied at the same time before access is allowed.
Managing API Gateway’s Resource-based Policy
To view and set API Gateway’s resource-based policy, follow these steps:
- Click the All Services > Application Service > API Gateway menu. This will take you to the API Gateway Service Home page.
- Click the API Gateway > Resource Policy menu on the Service Home page. This will take you to the Resource Policy page.
- Click the Modify button in the Policy Details item. The Modify Resource Policy popup window opens.
  - When you click the Delete button, the registered policy is deleted.
- In the Modify Resource Policy popup window, select a Policy Template and then write the policy.
  - For policy examples by policy template, see Resource-based Policy Examples.
- When writing is complete, click the Complete button.
Resource-based Policy Examples
Users can additionally define resource-based policies or modify existing policies as needed.
- For some features, a resource-based policy (or credentials) must be registered to use them in API Gateway.
- For the resource-based policy examples described in this guide, API Gateway automatically registers the example resource-based policies when each feature is activated or connected.
Default Policy
This is a policy that is automatically registered when an API is created.
Policy Template
```json
{
  "Statement": [
    {
      "Action": [
        "apigateway:InvokeApigatewayRegion"
      ],
      "Effect": "Allow",
      "Principal": "*",
      "Resource": [
        "srn:{{Offering}}::{{AccountID}}:kr-west1::apigateway:api/{{ApiId}}"
      ],
      "Sid": "DefaultStatement"
    }
  ],
  "Version": "2024-07-01"
}
```
Policy Example
```json
{
  "Statement": [
    {
      "Action": [
        "apigateway:InvokeApigatewayRegion"
      ],
      "Effect": "Allow",
      "Principal": "*",
      "Resource": [
        "srn:e::accountId1:kr-west1::apigateway:api/apiId1"
      ],
      "Sid": "DefaultStatement"
    }
  ],
  "Version": "2024-07-01"
}
```
Account Allow List
This is a policy that allows only users of specific SCP accounts (Root user or IAM Role) to call the API.
Policy Template
```json
{
  "Version": "",
  "Statement": [
    {
      "Action": [
        "apigateway:InvokeApigatewayRegion"
      ],
      "Condition": {
        "SrnLike": {
          "scp:RequestAttribute/body['method-srn']": [
            "srn:{{Offering}}::{{AccountID}}:kr-west1::apigateway:method/{{ApiId}}/{{stageNameOrWildcard*}}/{{httpVerbOrWildcard*}}/{{resourcePathOrWildcard*}}"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "scp": [
          "srn:{{Offering}}::{{AccountID}}:::iam:user/{{UserSrn}}"
        ]
      },
      "Resource": [
        "srn:{{Offering}}::{{AccountID}}:kr-west1::apigateway:api/{{ApiId}}"
      ],
      "Sid": "Statement1"
    }
  ]
}
```
Policy Example
```json
{
  "Version": "",
  "Statement": [
    {
      "Action": [
        "apigateway:InvokeApigatewayRegion"
      ],
      "Condition": {
        "SrnLike": {
          "scp:RequestAttribute/body['method-srn']": [
            "srn:e::accountId1:kr-west1::apigateway:method/apiId1/stage1/GET/resource1"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "scp": [
          "srn:e::accountId1:::iam:user/userId1"
        ]
      },
      "Resource": [
        "srn:e::accountId1:kr-west1::apigateway:api/apiId1"
      ],
      "Sid": "Statement1"
    }
  ]
}
```
IP Range Deny List
This is a policy that blocks calls from specific IP addresses or CIDR ranges: the listed ranges are excluded through the NotIpAddress condition, so the Allow statement matches only requests that originate elsewhere.
Policy Template
```json
{
  "Version": "",
  "Statement": [
    {
      "Action": [
        "apigateway:InvokeApigatewayRegion"
      ],
      "Condition": {
        "SrnLike": {
          "scp:RequestAttribute/body['method-srn']": [
            "srn:{{Offering}}::{{AccountID}}:kr-west1::apigateway:method/{{ApiId}}/{{stageNameOrWildcard*}}/{{httpVerbOrWildcard*}}/{{resourcePathOrWildcard*}}"
          ]
        },
        "NotIpAddress": {
          "scp:SourceIp": [
            "{{sourceIpOrCIDRBlock}}",
            "{{sourceIpOrCIDRBlock}}"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": "*",
      "Resource": [
        "srn:{{Offering}}::{{AccountID}}:kr-west1::apigateway:api/{{ApiId}}"
      ],
      "Sid": "Statement1"
    }
  ]
}
```
Policy Example
```json
{
  "Version": "",
  "Statement": [
    {
      "Action": [
        "apigateway:InvokeApigatewayRegion"
      ],
      "Condition": {
        "SrnLike": {
          "scp:RequestAttribute/body['method-srn']": [
            "srn:e::accountId1:kr-west1::apigateway:method/apiId1/stage1/GET/resource1"
          ]
        },
        "NotIpAddress": {
          "scp:SourceIp": [
            "1.2.3.4/24",
            "5.6.7.8/32"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": "*",
      "Resource": [
        "srn:e::accountId1:kr-west1::apigateway:api/apiId1"
      ],
      "Sid": "Statement1"
    }
  ]
}
```
Cross-account Access
This is a policy that allows UserId2 belonging to accountId2 to call API apiId1 belonging to accountId1.
Policy Example
```json
{
  "Version": "",
  "Statement": [
    {
      "Action": [
        "apigateway:InvokeApigatewayRegion"
      ],
      "Condition": {
        "SrnLike": {
          "scp:RequestAttribute/body['method-srn']": [
            "srn:e::accountId1:kr-west1::apigateway:method/apiId1/*/*/*"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "scp": [
          "srn:e::accountId1:::iam:user/userId1",
          "srn:e::accountId2:::iam:user/userId2"
        ]
      },
      "Resource": [
        "srn:e::accountId1:kr-west1::apigateway:api/apiId1"
      ],
      "Sid": "Statement1"
    }
  ]
}
```
Hybrid Access Control
This is a policy that allows UserId2 belonging to accountId2 to call API apiId1 belonging to accountId1.
- You can add conditions so that the user (Principal) and the request attributes (Condition) are validated at the same time. Below is an example that additionally defines IP ranges from which access is not permitted.
Policy Example
```json
{
  "Version": "",
  "Statement": [
    {
      "Action": [
        "apigateway:InvokeApigatewayRegion"
      ],
      "Condition": {
        "SrnLike": {
          "scp:RequestAttribute/body['method-srn']": [
            "srn:e::accountId1:kr-west1::apigateway:method/apiId1/*/*/*"
          ]
        },
        "NotIpAddress": {
          "scp:SourceIp": [
            "1.2.3.4/24",
            "5.6.7.8/32"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "scp": [
          "srn:e::accountId1:::iam:user/userId1"
        ]
      },
      "Resource": [
        "srn:e::accountId1:kr-west1::apigateway:api/apiId1"
      ],
      "Sid": "Statement1"
    }
  ]
}
```
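To make the evaluation semantics of these policies concrete, here is an added Python model that checks a request against the Hybrid Access Control policy above; it is not SCP's own engine, and it assumes the usual IAM-style rules (implicit deny, any matching Allow grants, a matching explicit Deny wins) together with glob-style `*` matching for SrnLike. Because the Account Allow List and IP Range Deny List policies are subsets of the hybrid one's checks, the same model covers those scenarios; the function names `evaluate` and `request` and the request-context keys are the example's own.

```python
import fnmatch
import ipaddress

# Constructed policy, modelled on the page's Hybrid Access Control example.
HYBRID_POLICY = {
    "Statement": [{"Sid": "Statement1", "Effect": "Allow",
        "Principal": {"scp": ["srn:e::accountId1:::iam:user/userId1"]},
        "Action": ["apigateway:InvokeApigatewayRegion"],
        "Resource": ["srn:e::accountId1:kr-west1::apigateway:api/apiId1"],
        "Condition": {
            "SrnLike": {"scp:RequestAttribute/body['method-srn']":
                        ["srn:e::accountId1:kr-west1::apigateway:method/apiId1/*/*/*"]},
            "NotIpAddress": {"scp:SourceIp": ["1.2.3.4/24", "5.6.7.8/32"]}}}]}

def principal_matches(principal, caller_srn):
    # "*" means any caller; otherwise the caller's SRN must be listed under "scp".
    return principal == "*" or caller_srn in principal.get("scp", [])

def condition_matches(condition, ctx):
    # Operators are ANDed; the values listed under one key are ORed.
    for operator, keys in condition.items():
        for key, values in keys.items():
            if operator == "SrnLike":
                ok = any(fnmatch.fnmatchcase(ctx[key], v) for v in values)
            elif operator in ("IpAddress", "NotIpAddress"):
                ip = ipaddress.ip_address(ctx[key])
                hit = any(ip in ipaddress.ip_network(v, strict=False) for v in values)
                ok = hit == (operator == "IpAddress")
            else:
                ok = False  # unknown operator: fail closed
            if not ok:
                return False
    return True

def evaluate(policy, ctx):
    """Implicit deny; a matching Allow grants unless a matching Deny exists."""
    decision = "Deny"
    for st in policy["Statement"]:
        if (ctx["action"] in st["Action"] and ctx["resource"] in st["Resource"]
                and principal_matches(st["Principal"], ctx["principal"])
                and condition_matches(st.get("Condition", {}), ctx)):
            if st["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            decision = "Allow"
    return decision

def request(principal, method_srn, source_ip):
    return {"principal": principal, "action": "apigateway:InvokeApigatewayRegion",
            "resource": "srn:e::accountId1:kr-west1::apigateway:api/apiId1",
            "scp:RequestAttribute/body['method-srn']": method_srn, "scp:SourceIp": source_ip}
```

Note that `1.2.3.4/24` has host bits set; the model normalises it to `1.2.3.0/24` with `strict=False`, which is an assumption about how the platform treats such values.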