AWS Security ChangesHomeSearch

AWS serverless-application-model medium security documentation change

Service: serverless-application-model · 2025-04-14 · Security-related medium

File: serverless-application-model/latest/developerguide/sam-resource-api.md

Summary

Added Policy property documentation and example template for private API with VPC endpoint access control policies

Security assessment

Added explicit IAM policy documentation with VPC endpoint conditions to control API access, demonstrating security best practices for private APIs

Diff

diff --git a/serverless-application-model/latest/developerguide/sam-resource-api.md b/serverless-application-model/latest/developerguide/sam-resource-api.md
index cf742cb54..8281a7dec 100644
--- a//serverless-application-model/latest/developerguide/sam-resource-api.md
+++ b//serverless-application-model/latest/developerguide/sam-resource-api.md
@@ -58,0 +59 @@ To declare this entity in your AWS Serverless Application Model (AWS SAM) templa
+      Policy: JSON
@@ -367,0 +369,11 @@ _AWS CloudFormation compatibility_ : This property is unique to AWS SAM and does
+`Policy`
+    
+
+A policy document that contains the permissions for the API. To set the ARN for the policy, use the `!Join` intrinsic function with `""` as delimiter and values of `"execute-api:/"` and `"*"`.
+
+_Type_ : JSON
+
+_Required_ : No
+
+_AWS CloudFormation compatibility_ : This property is passed directly to the [ Policy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-restapi.html#cfn-apigateway-restapi-policy) property of an `AWS::ApiGateway::RestApi` resource.
+
@@ -592,0 +605,93 @@ A Hello World AWS SAM template file that contains a Lambda Function with an API
+### Custom domain with a private API example
+
+A Hello World AWS SAM template file that contains a Lambda function with an API endpoint mapped to a private domain. The template creates a domain access association between a VPC endpoint and the private domain. For more information, see [Custom domain names for private APIs in API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-custom-domains.html).
+
+#### YAML
+    
+    
+    AWSTemplateFormatVersion: '2010-09-09'
+    Transform: AWS::Serverless-2016-10-31
+    Description: AWS SAM template configured with a custom domain using a private API
+    
+    Parameters:
+        DomainName:
+          Type: String
+          Default: mydomain.example.com
+        CertificateArn:
+          Type: String
+        HostedZoneId:
+          Type: String
+        VpcEndpointId:
+          Type: String
+        VpcEndpointDomainName:
+          Type: String
+        VpcEndpointHostedZoneId:
+          Type: String
+    
+    Resources:
+      MyFunction:
+        Type: AWS::Serverless::Function
+        Properties:
+          InlineCode: |
+            def handler(event, context):
+                return {'body': 'Hello World!', 'statusCode': 200}
+          Handler: index.handler
+          Runtime: python3.13
+          Events:
+            Fetch:
+              Type: Api
+              Properties:
+                RestApiId:
+                  Ref: MyApi
+                Method: Get
+                Path: /get
+      MyApi:
+        Type: AWS::Serverless::Api
+        Properties:
+          StageName: Prod
+          EndpointConfiguration:
+            Type: PRIVATE
+            VPCEndpointIds:
+            - !Ref VpcEndpointId
+          Policy:
+            Version: '2012-10-17'
+            Statement:
+            - Effect: Allow
+              Principal: '*'
+              Action: execute-api:Invoke
+              Resource: execute-api:/*
+            - Effect: Deny
+              Principal: '*'
+              Action: execute-api:Invoke
+              Resource: execute-api:/*
+              Condition:
+                StringNotEquals:
+                  aws:SourceVpce: !Ref VpcEndpointId
+          Domain:
+            DomainName: !Ref DomainName
+            CertificateArn: !Ref CertificateArn
+            EndpointConfiguration: PRIVATE
+            BasePath:
+            - /
+            Route53:
+              HostedZoneId: !Ref HostedZoneId
+              VpcEndpointDomainName: !Ref VpcEndpointDomainName
+              VpcEndpointHostedZoneId: !Ref VpcEndpointHostedZoneId
+            AccessAssociation:
+              VpcEndpointId: !Ref VpcEndpointId
+            Policy:
+              Version: '2012-10-17'
+              Statement:
+              - Effect: Allow
+                Principal: '*'
+                Action: execute-api:Invoke
+                Resource: execute-api:/*
+              - Effect: Deny
+                Principal: '*'
+                Action: execute-api:Invoke
+                Resource: execute-api:/*
+                Condition:
+                  StringNotEquals:
+                    aws:SourceVpce: !Ref VpcEndpointId
+    
+