Unable to restrict access to an API endpoint in Lambda using an IAM policy

I want to construct an IAM policy that explicitly allows invocation of a Lambda function for a particular API and denies it for the rest.

My API : /api/v1/type/{type_id}/orders.

I want to create a policy that would be attached, through a role, to a set of instances of a particular type. An example can be type_a.

So, I created the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeFunction",
        "execute-api:Invoke",
        "execute-api:ManageConnections"
      ],
      "Resource": [
        "arn:aws:lambda:us-west-2:XXXXXXX:function:function-name",
        "arn:aws:execute-api:us-west-2:xxxxxx:pkxxxx8/*/GET/api/*/type/sai-iam-type_a/orders"
      ]
    }
  ]
}

Upon attaching the above policy, I am still able to access both the /api/v1/type/type_a/orders and /api/v1/type/type_b/orders APIs.

Is there a way that I can deny everything else other than /api/v1/type/type_a/orders?



Solution 1:[1]

You need a resource policy on the API to deny invocation of other APIs apart from the one you want, something like...

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "execute-api:Invoke"
      ],
      "NotResource": [
        "arn:aws:execute-api:us-west-2:xxxxxx:pkxxxx8/*/GET/api/*/type/sai-iam-type_a/orders"
      ]
    }
  ]
}
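The interaction between the question's Allow statement and the answer's Deny/NotResource statement is easier to see with a small simulation of IAM identity-policy evaluation against execute-api ARNs. The code below is an added example, not part of the original question or answer; the account ID, API ID and stage name are hypothetical placeholders, and it models only the parts of IAM evaluation that matter here (wildcard ARN matching, explicit Deny overriding Allow, implicit deny by default). Two checks a practitioner would want before reasoning about Deny statements: first, that the Allow pattern actually matches the request ARN API Gateway authorizes against (the pattern as literally written in the question uses the segment sai-iam-type_a, which does not match a request for /type/type_a/); second, that the method's authorization type is AWS_IAM, because with authorization type NONE no IAM policy is evaluated at all, so neither an Allow nor a Deny changes the outcome.

```python
import re

# Hypothetical placeholders (not from the original post).
REGION = "us-west-2"
ACCOUNT_ID = "123456789012"
API_ID = "a1b2c3d4e5"
STAGE = "prod"


def request_arn(method: str, path: str) -> str:
    """Build the ARN API Gateway authorizes an IAM-authorized request against:
    arn:aws:execute-api:region:account-id:api-id/stage/HTTP-VERB/resource-path"""
    return f"arn:aws:execute-api:{REGION}:{ACCOUNT_ID}:{API_ID}/{STAGE}/{method}{path}"


def arn_matches(pattern: str, arn: str) -> bool:
    """IAM Resource matching: '*' matches any run of characters (including '/'),
    '?' matches exactly one character, everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def statement_applies(stmt: dict, action: str, arn: str) -> bool:
    """True if the statement's Action and Resource/NotResource cover this request.
    NotResource applies to every ARN that does NOT match any listed pattern."""
    if not any(arn_matches(a, action) for a in _as_list(stmt["Action"])):
        return False
    if "Resource" in stmt:
        return any(arn_matches(r, arn) for r in _as_list(stmt["Resource"]))
    if "NotResource" in stmt:
        return not any(arn_matches(r, arn) for r in _as_list(stmt["NotResource"]))
    return False


def evaluate(statements: list, action: str, arn: str) -> str:
    """Identity-policy evaluation: an explicit Deny wins over any Allow, and a
    request no statement allows is implicitly denied."""
    decision = "implicit_deny"
    for stmt in statements:
        if not statement_applies(stmt, action, arn):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"
        decision = "allow"
    return decision


# Patterns with the path shape from the question. TYPE_A_PATTERN uses the path
# segment that was actually requested (type_a); QUESTION_PATTERN keeps the
# segment as literally written in the question (sai-iam-type_a).
_PREFIX = f"arn:aws:execute-api:{REGION}:{ACCOUNT_ID}:{API_ID}"
TYPE_A_PATTERN = f"{_PREFIX}/*/GET/api/*/type/type_a/orders"
QUESTION_PATTERN = f"{_PREFIX}/*/GET/api/*/type/sai-iam-type_a/orders"

ALLOW_TYPE_A = {"Effect": "Allow", "Action": ["execute-api:Invoke"], "Resource": [TYPE_A_PATTERN]}
DENY_EVERYTHING_ELSE = {"Effect": "Deny", "Action": ["execute-api:Invoke"], "NotResource": [TYPE_A_PATTERN]}

PATHS = ("/api/v1/type/type_a/orders", "/api/v1/type/type_b/orders")


def decisions(statements: list) -> dict:
    """Evaluate GET on both paths from the question under the given statements."""
    return {path: evaluate(statements, "execute-api:Invoke", request_arn("GET", path)) for path in PATHS}


def question_pattern_matches_type_a() -> bool:
    """Does the pattern as written in the question cover the type_a request?"""
    return arn_matches(QUESTION_PATTERN, request_arn("GET", PATHS[0]))


if __name__ == "__main__":
    print("Allow only:        ", decisions([ALLOW_TYPE_A]))
    print("Allow + Deny/NotResource:", decisions([ALLOW_TYPE_A, DENY_EVERYTHING_ELSE]))
    print("Question's literal pattern matches the type_a request:", question_pattern_matches_type_a())
```

With only the Allow statement, type_b is already an implicit deny for this policy, so if a caller can still reach type_b, the grant is coming from somewhere else (another attached policy, or a method whose authorization type is not AWS_IAM). Adding the Deny/NotResource statement turns that into an explicit deny that no other Allow in the role's policies can override; note that, placed in the role's identity policy, it also denies every other execute-api:Invoke the role makes, across all APIs in the account, not just the other paths of this API.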

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Nick