API Gateway Restricting Resource Path with IP Allow Listing with WAF


In this short article, we will restrict one resource path on API Gateway to specific IP addresses using AWS WAF, while leaving other resources open.

🔗 Reference: Medium

You Should Know:

Step-by-Step Implementation

1. Create an AWS WAF IP Set

First, define the allowed IP addresses in AWS WAF. Keep the Id and ARN from the command's output: the Web ACL rule in step 2 references the ARN, and later updates to the set need the Id and a lock token.

aws wafv2 create-ip-set \
--name MyIPAllowList \
--scope REGIONAL \
--ip-address-version IPV4 \
--addresses "192.0.2.0/24" "203.0.113.0/24" \
--region us-east-1

2. Create a WAF Web ACL

Define a Web ACL whose default action is Allow, with a single Block rule that matches requests whose URI path starts with the restricted path AND whose source IP is not in the IP set. Requests to every other path, and requests to the restricted path from allow-listed IPs, fall through to the default Allow. Do not invert this into a default action of Block plus an Allow rule for the IP set: that would close every path to unlisted IPs, not just the restricted one. For a REST API invoked through its execute-api URL, the stage name is part of the URI path WAF inspects, hence "/prod/restricted-path". Replace the IP set ARN with the one returned by create-ip-set in step 1.

aws wafv2 create-web-acl \
--name APIGatewayIPRestriction \
--scope REGIONAL \
--default-action "Allow={}" \
--rules '[
{
"Name": "BlockRestrictedPathFromUnlistedIPs",
"Priority": 1,
"Action": {
"Block": {}
},
"Statement": {
"AndStatement": {
"Statements": [
{
"ByteMatchStatement": {
"SearchString": "/prod/restricted-path",
"FieldToMatch": { "UriPath": {} },
"TextTransformations": [ { "Priority": 0, "Type": "NONE" } ],
"PositionalConstraint": "STARTS_WITH"
}
},
{
"NotStatement": {
"Statement": {
"IPSetReferenceStatement": {
"ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/MyIPAllowList/abcdef12-3456-7890-abcd-ef1234567890"
}
}
}
}
]
}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "BlockRestrictedPathFromUnlistedIPs"
}
}
]' \
--visibility-config "SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=APIGatewayIPRestriction" \
--region us-east-1

3. Associate WAF with API Gateway

Attach the Web ACL to the API Gateway stage. The resource ARN names the REST API id and the stage; use the Web ACL ARN returned by create-web-acl in step 2.

aws wafv2 associate-web-acl \
--web-acl-arn "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/APIGatewayIPRestriction/abcdef12-3456-7890-abcd-ef1234567890" \
--resource-arn "arn:aws:apigateway:us-east-1::/restapis/your-api-id/stages/prod" \
--region us-east-1

4. Test the Configuration

Verify the behaviour from both sides of the allow list: from an allow-listed IP the restricted path returns the API's normal response, while from any other IP WAF blocks it with HTTP 403. Any unrestricted path should still respond normally from both. Printing only the status code makes the comparison quick:

curl -s -o /dev/null -w "%{http_code}\n" https://your-api-id.execute-api.us-east-1.amazonaws.com/prod/restricted-path
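The per-path rule above is easy to get wrong, so the following added example (not part of the original article) builds the rule JSON and evaluates sample requests against a local model of the WAF decision. The IP set ARN, the client address 198.51.100.7 and the path names are constructed placeholders; the evaluation logic is an approximation of WAF's STARTS_WITH and IP set matching, not AWS code.

```python
import ipaddress
import json

# Constructed sample values, not real resources: the article's allow-listed CIDRs,
# a placeholder IP set ARN (use the one returned by create-ip-set), and
# 198.51.100.7 as a constructed client address that is NOT allow-listed.
ALLOWED_CIDRS = ["192.0.2.0/24", "203.0.113.0/24"]
IPSET_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/MyIPAllowList/PLACEHOLDER-ID"
# For a REST API called via its execute-api URL the stage is part of the path WAF sees.
RESTRICTED_PREFIX = "/prod/restricted-path"

def restricted_path_rule(path_prefix, ipset_arn):
    """WAF v2 rule: BLOCK when the URI path starts with path_prefix AND the client IP
    is NOT in the IP set. Everything else must fall through to a default action of Allow."""
    return {
        "Name": "BlockRestrictedPathFromUnlistedIPs",
        "Priority": 1,
        "Action": {"Block": {}},
        "Statement": {"AndStatement": {"Statements": [
            {"ByteMatchStatement": {
                "SearchString": path_prefix,
                "FieldToMatch": {"UriPath": {}},
                "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
                "PositionalConstraint": "STARTS_WITH"}},
            {"NotStatement": {"Statement": {
                "IPSetReferenceStatement": {"ARN": ipset_arn}}}},
        ]}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": "BlockRestrictedPathFromUnlistedIPs"},
    }

def evaluate(rule, cidrs, client_ip, uri_path):
    """Local model of the rule's decision (assumption: plain prefix match on the raw
    path, IP set membership as CIDR containment). Returns "BLOCK" or "ALLOW"."""
    byte_match = rule["Statement"]["AndStatement"]["Statements"][0]["ByteMatchStatement"]
    path_hit = uri_path.startswith(byte_match["SearchString"])
    ip = ipaddress.ip_address(client_ip)
    in_set = any(ip in ipaddress.ip_network(c) for c in cidrs)
    return "BLOCK" if path_hit and not in_set else "ALLOW"

if __name__ == "__main__":
    rule = restricted_path_rule(RESTRICTED_PREFIX, IPSET_ARN)
    print(json.dumps([rule], indent=2))  # usable as the value of --rules
    for ip, path in [("192.0.2.10", "/prod/restricted-path"),
                     ("198.51.100.7", "/prod/restricted-path"),
                     ("198.51.100.7", "/prod/open-path"),
                     ("198.51.100.7", "/prod/restricted-pathology")]:
        print(f"{ip:14} {path:30} -> {evaluate(rule, ALLOWED_CIDRS, ip, path)}")
```

The last sample shows the prefix caveat: STARTS_WITH on "/prod/restricted-path" also covers "/prod/restricted-pathology", so add a trailing slash or a second exact-match statement if the restricted resource has sibling paths sharing the prefix. The printed list is valid only with the Web ACL default action set to Allow.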

What Undercode Say

Securing API Gateway with WAF IP restrictions is a best practice for protecting sensitive endpoints. Here are additional hardening techniques:

Linux & AWS CLI Tips

  • Check IP Geolocation:

    curl https://ipinfo.io/203.0.113.1/json

  • Block Suspicious IPs via iptables (Linux):

    sudo iptables -A INPUT -s 192.0.2.100 -j DROP

  • Monitor AWS WAF Logs (first confirm that logging is enabled on the Web ACL; without a logging configuration there is nothing to monitor):

    aws wafv2 get-logging-configuration --resource-arn your-webacl-arn --region us-east-1

  • Windows Firewall Rule (PowerShell):

    New-NetFirewallRule -DisplayName "Block Malicious IP" -Direction Inbound -RemoteAddress 192.0.2.100 -Action Block

  • Update the IP Allow List (the Id and LockToken come from get-ip-set; --addresses replaces the whole list, so repeat the existing CIDRs alongside the new one):

    aws wafv2 update-ip-set \
    --name MyIPAllowList \
    --scope REGIONAL \
    --id YOUR_IPSET_ID \
    --addresses "192.0.2.0/24" "203.0.113.0/24" "NEW_IP/32" \
    --lock-token YOUR_LOCK_TOKEN \
    --region us-east-1

Expected Output:

An API Gateway stage where only allow-listed IPs can reach the restricted path, while the other endpoints remain publicly accessible. WAF logging and CloudWatch metrics provide the visibility needed to detect blocked attempts and to confirm the rule behaves as intended.

🔗 Further Reading: AWS WAF Documentation

References:

Reported By: Lee James – Hackers Feeds
