[apigw-to-private-apig-cdk] Overly permissive API Gateway Resource Policy

[ryanotella]

Great example! However, the Resource Policy in the apigw-to-private-apig-cdk pattern currently allows API traffic from any VPCE in the region. So while it prevents direct access from the public internet, it probably is not what most users are expecting.

serverless-patterns/apigw-to-private-apig-cdk/src/api/index.ts

Lines 47 to 56 in e95b8ca

	const apiResourcePolicy = new iam.PolicyDocument({
	statements: [
	new iam.PolicyStatement({
	effect: iam.Effect.ALLOW,
	actions: ['execute-api:Invoke'],
	principals: [new iam.AnyPrincipal()],
	resources: ['execute-api:/*/*/*'],
	})
	]
	});

The PolicyDocument needs to be updated with a "Deny" statement restricting access to only the VPCE (or VPC) created by the stack. I'm happy to submit a PR if you're accepting them.

[ryanotella]

The addition of this "Deny" PolicyStatement to the PolicyDocument above prevents access to the private API from the rest of the region.

new iam.PolicyStatement({
  effect: iam.Effect.DENY,
  actions: ['execute-api:Invoke'],
  principals: [new iam.AnyPrincipal()],
  resources: ['execute-api:/*/*/*'],
  conditions: {
    StringNotEquals: {
      "aws:sourceVpce": endpointAPIGateway.vpcEndpointId
    }
  }
})