AWS serverless-application-model high security documentation change
Summary
Added documentation for the 'Policy' property in API Gateway resources and a new example of configuring a private API with custom domain and VPC endpoint restrictions
Security assessment
The change introduces explicit documentation for API resource policies that enforce access control via VPC endpoint conditions (aws:SourceVpce). This directly addresses security by restricting API access to authorized VPC endpoints, preventing unauthorized external access. The example includes explicit Deny policies with security conditions.
Diff
diff --git a/serverless-application-model/latest/developerguide/sam-resource-api.md b/serverless-application-model/latest/developerguide/sam-resource-api.md index cf742cb54..8281a7dec 100644 --- a//serverless-application-model/latest/developerguide/sam-resource-api.md +++ b//serverless-application-model/latest/developerguide/sam-resource-api.md @@ -58,0 +59 @@ To declare this entity in your AWS Serverless Application Model (AWS SAM) templa + Policy: JSON @@ -367,0 +369,11 @@ _AWS CloudFormation compatibility_ : This property is unique to AWS SAM and does +`Policy` + + +A policy document that contains the permissions for the API. To set the ARN for the policy, use the `!Join` intrinsic function with `""` as delimiter and values of `"execute-api:/"` and `"*"`. + +_Type_ : JSON + +_Required_ : No + +_AWS CloudFormation compatibility_ : This property is passed directly to the [ Policy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-restapi.html#cfn-apigateway-restapi-policy) property of an `AWS::ApiGateway::RestApi` resource. + @@ -592,0 +605,93 @@ A Hello World AWS SAM template file that contains a Lambda Function with an API +### Custom domain with a private API example + +A Hello World AWS SAM template file that contains a Lambda function with an API endpoint mapped to a private domain. The template creates a domain access association between a VPC endpoint and the private domain. For more information, see [Custom domain names for private APIs in API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-custom-domains.html). + +#### YAML + + + AWSTemplateFormatVersion: '2010-09-09' + Transform: AWS::Serverless-2016-10-31 + Description: AWS SAM template configured with a custom domain using a private API + + Parameters: + DomainName: + Type: String + Default: mydomain.example.com + CertificateArn: + Type: String + HostedZoneId: + Type: String + VpcEndpointId: + Type: String + VpcEndpointDomainName: + Type: String + VpcEndpointHostedZoneId: + Type: String + + Resources: + MyFunction: + Type: AWS::Serverless::Function + Properties: + InlineCode: | + def handler(event, context): + return {'body': 'Hello World!', 'statusCode': 200} + Handler: index.handler + Runtime: python3.13 + Events: + Fetch: + Type: Api + Properties: + RestApiId: + Ref: MyApi + Method: Get + Path: /get + MyApi: + Type: AWS::Serverless::Api + Properties: + StageName: Prod + EndpointConfiguration: + Type: PRIVATE + VPCEndpointIds: + - !Ref VpcEndpointId + Policy: + Version: '2012-10-17' + Statement: + - Effect: Allow + Principal: '*' + Action: execute-api:Invoke + Resource: execute-api:/* + - Effect: Deny + Principal: '*' + Action: execute-api:Invoke + Resource: execute-api:/* + Condition: + StringNotEquals: + aws:SourceVpce: !Ref VpcEndpointId + Domain: + DomainName: !Ref DomainName + CertificateArn: !Ref CertificateArn + EndpointConfiguration: PRIVATE + BasePath: + - / + Route53: + HostedZoneId: !Ref HostedZoneId + VpcEndpointDomainName: !Ref VpcEndpointDomainName + VpcEndpointHostedZoneId: !Ref VpcEndpointHostedZoneId + AccessAssociation: + VpcEndpointId: !Ref VpcEndpointId + Policy: + Version: '2012-10-17' + Statement: + - Effect: Allow + Principal: '*' + Action: execute-api:Invoke + Resource: execute-api:/* + - Effect: Deny + Principal: '*' + Action: execute-api:Invoke + Resource: execute-api:/* + Condition: + StringNotEquals: + aws:SourceVpce: !Ref VpcEndpointId + +