Amazon API Gateway Custom Resource Policy

This pattern creates an API Gateway REST endpoint with a custom resource policy. The resource policy limits access to the endpoint to within a certain date range.

Learn more about this pattern at Serverless Land Patterns: https://serverlessland.com/patterns/apigw-custom-resource-policy

Important: this application uses various AWS services and there are costs associated with these services after the Free Tier usage – please see the AWS Pricing page for details. You are responsible for any AWS costs incurred. No warranty is implied in this example.

Requirements

• Create an AWS account if you do not already have one and log in. The IAM user that you use must have sufficient permissions to make necessary AWS service calls and manage AWS resources.
• AWS CLI installed and configured
• Git Installed
• AWS Serverless Application Model (AWS SAM) installed

Deployment Instructions

1. Create a new directory, navigate to that directory in a terminal and clone the GitHub repository:

   git clone https://github.com/aws-samples/serverless-patterns
   

2. Change directory to the pattern directory:

   apigw-custom-resource-policy
   

3. From the command line, use AWS SAM to deploy the AWS resources for the pattern as specified in the template.yml file:

   sam deploy --guided
   

4. During the prompts:

   • Enter a stack name
   • Enter the desired AWS Region
   • Allow SAM CLI to create IAM roles with the required permissions.

   Once you have run sam deploy --guided mode once and saved arguments to a configuration file (samconfig.toml), you can use sam deploy in future to use these defaults.

5. Note the outputs from the SAM deployment process. These contain the resource names and/or ARNs which are used for testing.

How it works

This endpoint will only accept requests between certain dates. The dates can be changed in the SAM template.

Testing

In the template.yaml file, set the desired start and end dates. Then hit the endpoint in the deployment outputs. If the date of the current request falls within the range, API Gateway will invoke the Lambda function and return the response. If it is outside the desired range, API Gateway will not invoke the Lambda function and immediately respond with an authorization error.

Cleanup

1. Delete the stack

   sam delete --stack-name STACK_NAME
   

2. Confirm the stack has been deleted

   aws cloudformation list-stacks --query "StackSummaries[?contains(StackName,'STACK_NAME')].StackStatus"