How do you filter IP addresses on AWS API Gateway?
This is not strictly related to serverless framework per se, but more related to AWS I guess.
My intention is to block everyone from accessing a Lambda, by putting a resource policy on my API Gateway (API GW) to restrict access based on IP addresses. I have the following code in my serverless.yml:
```yaml
apiGateway:
  resourcePolicy:
    - Effect: Deny
      Principal: "*"
      Action: execute-api:Invoke
      Resource:
        - execute-api:/${self:provider.stage}/*/mypath
      Condition:
        NotIpAddress:
          aws:SourceIp: # Allowed IP's
            - "allow.some.ip.address"
            - "allow.another.ip.address"
```
If I execute serverless deploy then it completes successfully. When looking in the AWS portal however I see no resource policy attached to the API GW. When trying a POST request to my endpoint, it indeed works from any IP address which clearly is not what I want.
Anyone knows what I am doing wrong or missing here? I'm also curious to know how serverless knows which API to attach my policy to.
I'm using the simplified syntax for specifying the resource, and I've been following these two guides, so I think my code should work but it doesn't:
Solution 1:
Found the issue, so posting the answer here if anyone else reads it.
The code I pasted in the question was correct per se, I had just placed the entire apiGateway under the custom section in my serverless file. Placing it under provider instead solved it, and successfully created the resource filter under my API GW and now blocks IP addresses properly!
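Two checks a practitioner would want after reading this thread, as an added example that is not part of the question or answer above: first, a small model of the `NotIpAddress` / `aws:SourceIp` condition used in the posted statement, so you can see which callers the Deny statement would match before deploying; second, a check on a parsed serverless.yml that reports whether `apiGateway.resourcePolicy` sits under `provider` (honoured by the framework) or under `custom` (ignored, which is what the answer found). The allow-list CIDRs and the config dicts are constructed stand-ins for the question's `allow.some.ip.address` placeholders; the evaluator mirrors the condition key's documented matching (a bare address behaves as a /32 or /128, CIDR entries match the whole block) and is not AWS's own evaluation code.

```python
import ipaddress

# Constructed allow-list standing in for the question's placeholders
# "allow.some.ip.address" / "allow.another.ip.address". An entry may be a
# bare address (matched as /32 or /128, as aws:SourceIp does) or a CIDR block.
ALLOWED_SOURCES = ["203.0.113.10", "198.51.100.0/24"]


def parse_source_entry(entry):
    # strict=False lets a host address with a prefix ("198.51.100.7/24")
    # normalise to its network ("198.51.100.0/24") instead of raising.
    return ipaddress.ip_network(entry, strict=False)


def not_ip_address_matches(source_ip, allowed):
    """Model the NotIpAddress condition: true when source_ip lies outside
    every listed network, i.e. the Deny statement's condition is satisfied.
    ip_network.__contains__ already returns False across IPv4/IPv6, so an
    IPv6 caller is never inside an IPv4-only allow-list."""
    ip = ipaddress.ip_address(source_ip)
    nets = [parse_source_entry(e) for e in allowed]
    return not any(ip in n for n in nets)


def evaluate_statement(source_ip, allowed):
    """Return "Deny" when the posted Deny/NotIpAddress statement applies to a
    request from source_ip, otherwise "NoMatch" (statement is silent)."""
    return "Deny" if not_ip_address_matches(source_ip, allowed) else "NoMatch"


def audit(source_ips, allowed):
    """Evaluate the statement for a batch of caller addresses."""
    return {ip: evaluate_statement(ip, allowed) for ip in source_ips}


def resource_policy_location(config):
    """Report where apiGateway.resourcePolicy sits in a parsed serverless.yml
    (a dict, e.g. from yaml.safe_load). Only provider.apiGateway is read by the
    framework; a copy under custom is inert, which is the bug in the question.
    Returns "provider", "custom", or None when no resourcePolicy is present."""
    for section in ("provider", "custom"):
        api_gw = config.get(section, {}).get("apiGateway", {})
        if "resourcePolicy" in api_gw:
            return section
    return None


if __name__ == "__main__":
    # Constructed caller addresses: two inside the allow-list, two outside.
    sample = ["203.0.113.10", "198.51.100.77", "192.0.2.1", "2001:db8::1"]
    for ip, verdict in audit(sample, ALLOWED_SOURCES).items():
        print(f"{ip:>20} -> {verdict}")

    # Constructed configs mirroring the question (wrong) and the answer (fixed).
    statement = {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke"}
    broken = {"custom": {"apiGateway": {"resourcePolicy": [statement]}}}
    fixed = {"provider": {"apiGateway": {"resourcePolicy": [statement]}}}
    print("broken config location:", resource_policy_location(broken))
    print("fixed config location: ", resource_policy_location(fixed))
```

Run it as a pre-deploy sanity check: a `"custom"` result means the policy will silently not be attached, exactly the symptom described in the question, and any caller you expected to be allowed that comes back `"Deny"` points at a typo or a missing CIDR in the allow-list.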
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Jim Aho |
