
Production environments can be tricky

Custom authentication providers, needed because of less-than-secure legacy systems, can be just one of the problems you face when securing an API.

We also have a requirement to secure the API so that only the client's static IP address is allowed to access this specific API.

The simplest route to IP filtering is to set up a resource policy on the API itself. The snippet below will allow a specific static IP address to execute your API.
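A resource policy of this kind, as an added example rather than the author's original snippet: this Python sketch builds an allow-list policy (an Allow statement plus a Deny with `NotIpAddress` on `aws:SourceIp`) and checks it locally against two source IPs. The account ID, API ID and addresses are constructed placeholders, and `source_ip_allowed` is a simplified local model for sanity checks, not AWS's policy evaluator.

```python
import ipaddress
import json

# Constructed placeholder ARN: account ID and API ID are not real; "*" matches any stage.
SAMPLE_ARN = "arn:aws:execute-api:eu-west-1:111122223333:abcdef1234/*/GET/health"


def build_ip_allowlist_policy(method_arn, allowed_cidrs):
    """Allow execute-api:Invoke on method_arn, then deny every other source IP."""
    # Validate up front: a malformed address or a CIDR with host bits set
    # (e.g. 203.0.113.10/24) raises ValueError here instead of failing at deploy time.
    cidrs = [str(ipaddress.ip_network(c)) for c in allowed_cidrs]
    if not cidrs:
        raise ValueError("refusing to build a policy with an empty allow-list")
    base = {"Principal": "*", "Action": "execute-api:Invoke", "Resource": method_arn}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", **base},
            {"Effect": "Deny", **base,
             "Condition": {"NotIpAddress": {"aws:SourceIp": cidrs}}},
        ],
    }


def source_ip_allowed(policy, source_ip):
    """Simplified model of the policy above: an explicit Deny always beats an Allow."""
    ip = ipaddress.ip_address(source_ip)
    allowed = False
    for stmt in policy["Statement"]:
        cidrs = stmt.get("Condition", {}).get("NotIpAddress", {}).get("aws:SourceIp")
        # A statement without a condition applies to everyone; NotIpAddress
        # applies only when the caller is outside every listed range.
        applies = cidrs is None or not any(ip in ipaddress.ip_network(c) for c in cidrs)
        if applies and stmt["Effect"] == "Deny":
            return False
        if applies and stmt["Effect"] == "Allow":
            allowed = True
    return allowed


if __name__ == "__main__":
    # 203.0.113.10 and 198.51.100.7 are documentation-range addresses (constructed).
    policy = build_ip_allowlist_policy(SAMPLE_ARN, ["203.0.113.10"])
    print(json.dumps(policy, indent=2))  # paste this JSON into the Resource Policy editor
    for ip in ("203.0.113.10", "198.51.100.7"):
        print(ip, "->", "allowed" if source_ip_allowed(policy, ip) else "403")
```

After saving a resource policy, the API has to be redeployed to its stage before the change takes effect.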

When configuring your Resource Policy, there is a banner at the top:

Configure access control to this private API using a Resource Policy. Access can be controlled by IAM condition elements, including conditions on AWS account, Source VPC, VPC Endpoints (Private API), and/or IP range. If the Principal in the policy is set to *, other authorization types can be used alongside the resource policy. If the Principal is set to AWS, then authorization will fail for all resources not secured with AWS_IAM auth, including unsecured resources. Learn more.

This is fairly misleading, as it states “private API”. This is not true, and I successfully used the snippet above on a Regional Endpoint.

Please note that changing an Edge Optimized endpoint to a private endpoint will not allow you to change it back to an Edge Optimized endpoint thereafter.

I tested it using a mock Method and the Resource Policy above.

Select "Create Method"

Set Integration Type to Mock

Extract your method ARN to be placed in the Resource Policy. You can also use wildcards such as * for multiple characters and ? for single characters.

The next step is to test your API from 2 different external IP addresses. I used my own machine, which was on the current network, and my Android device, which was on the cellular network.

Go to Stages → Your Stage and you will see an Invoke URL at the top. If you have a GET method, you can use this in your browser to test your response.

A request that comes from an invalid IP address will return a 403 with a message that looks like this:

{
  "Message": "User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:eu-west-1:************:**********/#STAGE#/GET/health"
}

And that concludes how to set up IP filtering on API Gateway. Hope this helps someone out there.
