如何实施 AWS WAF 规则来限制其他账户的用户访问 api 网关?
[英]How can I implement a AWS WAF rule to restrict access of api gateway to the users of other accounts?
问题描述
I need to write a WAF rule such that access to API gateway is blocked for the users of other AWS accounts.
我需要编写一个 WAF 规则,以便其他 AWS 账户的用户无法访问 API 网关。
for now, I'm exploring the implementation of WAF but I have managed to create CfnWebCl with a rule statement to be ipSetReferenceStatement such that I'm creating an IP set of the allowed ips, but that's not what I want, I want the users of other aws accounts here's sample code.现在,我正在探索 WAF 的实现,但我已经成功地创建了 CfnWebCl,规则语句为 ipSetReferenceStatement,这样我就创建了一个允许 ips 的 IP 集,但这不是我想要的,我想要用户其他 aws 帐户的示例代码。
this.commserviceAllowedIpSet = new CfnIPSet(this, 'commservice-allowedIps', {
name: 'allowed ips',
ipAddressVersion: 'IPV4',
addresses: [],
scope: 'REGIONAL',
});
this.commserviceWebAcl = new CfnWebACL(this, 'commservice-webacl', {
defaultAction: {
block: {},
},
visibilityConfig: {
cloudWatchMetricsEnabled: true,
metricName: 'commservice-webacl',
sampledRequestsEnabled: true,
},
scope: 'REGIONAL',
rules: [
{
statement: {
ipSetReferenceStatement: {
arn: this.commserviceAllowedIpSet.attrArn,
},
},
name: 'abc',
priority: 0,
visibilityConfig: {
cloudWatchMetricsEnabled: true,
metricName: 'allowed-requests',
sampledRequestsEnabled: true,
},
},
],
});
is there any other rule statement that I can use other than ipSetReferencesStatement?除了 ipSetReferencesStatement 之外,还有其他规则语句可以使用吗? apologies if the question is not clear.如果问题不清楚,请见谅。
1 个解决方案
解决方案1
0 已采纳 2021-07-03 00:01:58
You can't do this with WAF .你不能用 WAF 做到这一点。 The proper way to do is using API Gateway resource policies .正确的做法是使用API Gateway 资源策略。 By writing such a policy, you can restrict access to the API only to your own account.通过编写这样的策略,您可以将 API 的访问权限限制为您自己的帐户。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.