
Resource Policy Gateway - IAM

I've set up the following Resource Policy in my AWS API Gateway to whitelist an IP range:

[Image: enter image description here]

The policy is working properly; however, now I have to apply the same policy to some Gateways (not all of them) within the same account, and potentially in the future I will need to include more IPs in that list, so I will need to modify the resource policy in the Gateways one by one.

In order to fix that, I want to set up a policy in IAM and apply that policy to some gateways. I've created the following policy in IAM:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": "*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "35.192.0.0/12"
                }
            }
        }
    ]
}

However, I cannot find a way to attach it to the Gateways. I've tried to set up a role, but the API Gateway service does not allow me to attach that policy.

Is there any way to create an IP whitelist policy and attach it to some gateways at once? Basically I'm looking for a way to modify the IP whitelist in one place and apply it dynamically to some of my gateways.

Thanks,

The policy for API Gateway is a resource policy; the IAM policy can only be attached to users, groups and roles.

You will need to apply this to each API Gateway's resource policy; if you want to reuse it, try looking at IaC.
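
One way to keep the allow-list in a single place and push it to selected gateways, in the spirit of the answer's suggestion (added example, not from the original post). The API IDs and stage name are constructed placeholders, and `client` is assumed to be a boto3 `apigateway` client for REST APIs.

```python
import ipaddress
import json

# Single source of truth for the allow-list (CIDR taken from the question).
ALLOWED_CIDRS = ["35.192.0.0/12"]
# Constructed placeholder IDs: only the gateways listed here get the policy.
TARGET_API_IDS = ["a1b2c3d4e5", "f6g7h8i9j0"]


def build_policy(cidrs):
    """Return an API Gateway resource policy allowing invoke from cidrs only."""
    nets = []
    for cidr in cidrs:
        # strict=True rejects entries with host bits set, e.g. 10.0.0.1/8.
        net = ipaddress.ip_network(cidr, strict=True)
        if net.prefixlen == 0:
            raise ValueError("refusing to allow-list every address: " + cidr)
        nets.append(str(net))
    if not nets:
        raise ValueError("allow-list is empty")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",  # resource policies need a Principal
            "Action": "execute-api:Invoke",
            "Resource": "execute-api:/*/*/*",  # any stage/method/path of this API
            "Condition": {"IpAddress": {"aws:SourceIp": nets}},
        }],
    }


def apply_policy(client, api_ids, cidrs, stage):
    """Write the same policy to each API, then redeploy so it takes effect."""
    policy = json.dumps(build_policy(cidrs))  # validate once, before any write
    for api_id in api_ids:
        client.update_rest_api(
            restApiId=api_id,
            patchOperations=[{"op": "replace", "path": "/policy", "value": policy}],
        )
        # A changed resource policy is only enforced after a new deployment.
        client.create_deployment(restApiId=api_id, stageName=stage)
    return policy


if __name__ == "__main__":
    # Dry run: print the policy that would be written to each target API.
    print(json.dumps(build_policy(ALLOWED_CIDRS), indent=2))
```

To apply it for real, call `apply_policy(boto3.client("apigateway"), TARGET_API_IDS, ALLOWED_CIDRS, "prod")`, where `"prod"` stands in for your stage name.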
