如何拒绝除一个用户外的所有用户在AWS API Gateway中调用API [英] How can I deny all users except one to invoke API in AWS API Gateway

问题描述

是否有一种方法/策略可以拒绝所有用户，除了可以在AWS API Gateway上调用API终结点的用户之外?

Is there a way/policy using which I can deny all users except one who can invoke an API endpoint at AWS API Gateway?

当前使用的政策:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::account_id:user/user-name"
            },
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:region:account_id:api_to_be_invoked/*/*"
        }
    ]
}

我在API网关的资源策略"中应用了上述策略，并进行了部署，但是为了进行测试，我尝试使用另一个管理员用户的访问权限和私钥通过Postman进行POST，但仍然成功完成了，但我没有这样做想要.

I applied the above policy at the API Gateway's Resource Policy and deployed it, but then, just to test, I tried using another admin user's access and secret key to POST through Postman, and it still successfully did, which I do not want.

有帮助吗?

推荐答案

{
"Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": 
                    [  "arn:aws:iam::account_id:user/user-name",
                       "arn:aws:iam::account_id:root"
                    ]
            },
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:region:account_id:api_to_be_invoked/*/*"
        }
    ]
}

这篇关于如何拒绝除一个用户外的所有用户在AWS API Gateway中调用API的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！