AWS API Gateway implicit deny not working

Posted 2025-01-30 07:52:59 · 1191 characters · 2 views · 0 comments · Original

I have the following resource policy configured for AWS API gateway:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-north-1:XXX/*/*/some-api",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "some IP"
                    ]
                }
            }
        }
    ]
}

According to the official documentation, I expect other APIs to be implicitly denied. However, that is not happening: I can call APIs other than some-api from any random IP address. What is wrong with the setup?

Documentation:

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-policy-language-overview.html

And then, for the subject of "The Difference Between Denying by Default and Explicit Deny", it refers to:

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#AccessPolicyLanguage_Interplay
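As an added illustration (not part of the question, and not AWS code), here is a small evaluator of the generic IAM logic that the second linked page describes, run over a copy of the question's Deny-only policy and over an allow-list variant that adds an explicit Allow. It assumes a placeholder account id and a constructed trusted IP, and models only the IpAddress and NotIpAddress condition operators.

```python
import fnmatch
import ipaddress

# Constructed copy of the question's Deny-only policy; account id and IP are placeholders.
DENY_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
    "Resource": "arn:aws:execute-api:eu-north-1:123456789012/*/*/some-api",
    "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.10/32"]}}}]}

# Constructed allow-list variant: an explicit Allow scoped to the trusted IP, plus the same Deny.
ALLOW_LIST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
    "Resource": "arn:aws:execute-api:eu-north-1:123456789012/*/*/*",
    "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.10/32"]}}}] + DENY_ONLY["Statement"]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _ip_in(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def _condition_holds(condition, ctx):
    # Only the two IP operators used by these policies are modelled.
    for op, kv in condition.items():
        for key, cidrs in kv.items():
            inside = _ip_in(ctx[key], cidrs)
            if (op == "IpAddress" and not inside) or (op == "NotIpAddress" and inside):
                return False
    return True

def evaluate(policy, action, resource, ctx):
    """Generic IAM logic: an applicable Deny wins, else any applicable Allow, else implicit deny."""
    verdict = "implicit deny"
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "explicit deny"
        verdict = "allow"
    return verdict

ARN = "arn:aws:execute-api:eu-north-1:123456789012/prod/GET/"  # constructed stage/method prefix

if __name__ == "__main__":
    for name, policy in (("deny-only", DENY_ONLY), ("allow-list", ALLOW_LIST)):
        for api, ip in (("some-api", "203.0.113.10"), ("some-api", "198.51.100.7"), ("other-api", "198.51.100.7")):
            print(name, api, ip, "->", evaluate(policy, "execute-api:Invoke", ARN + api, {"aws:SourceIp": ip}))
```

Under this generic logic the Deny-only policy allows nothing at all, not even some-api from the listed IP, because it contains no Allow, so it cannot serve as an allow-list; the model does not cover API Gateway's own handling, which the first link describes as depending on the API's authentication type.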
