AWS Security ChangesHomeSearch

AWS apigateway documentation change

Service: apigateway · 2025-06-04 · Documentation medium

File: apigateway/latest/developerguide/security_iam_id-based-policy-examples.md

Summary

Added new IAM policy example to prevent changes to custom domain routing configurations

Security assessment

The change introduces a security-focused IAM policy example that restricts modifications to domain routing resources (BasePathMapping, ApiMapping, RoutingRule). While this enhances security documentation by providing granular access control guidance, there's no indication it addresses an active exploit or vulnerability.

Diff

diff --git a/apigateway/latest/developerguide/security_iam_id-based-policy-examples.md b/apigateway/latest/developerguide/security_iam_id-based-policy-examples.md
index 353d10754..6d0ac2c54 100644
--- a//apigateway/latest/developerguide/security_iam_id-based-policy-examples.md
+++ b//apigateway/latest/developerguide/security_iam_id-based-policy-examples.md
@@ -5 +5 @@
-Policy best practicesAllow users to view their own permissionsSimple read permissionsCreate only REQUEST or JWT authorizersRequire that the default execute-api endpoint is disabledAllow users to create or update only private REST APIsRequire that API routes have authorizationPrevent a user from creating or updating a VPC link
+Policy best practicesAllow users to view their own permissionsSimple read permissionsCreate only REQUEST or JWT authorizersRequire that the default execute-api endpoint is disabledAllow users to create or update only private REST APIsRequire that API routes have authorizationPrevent a user from creating or updating a VPC linkPrevent a user from changing how a custom domain name routes a request
@@ -30,0 +31,2 @@ For information about how to create IAM policies, see [Creating Policies on the
+  * Prevent a user from changing how a custom domain name routes a request
+
@@ -318,0 +321,21 @@ This policy prevents a user from creating or updating a VPC link. A VPC link ena
+## Prevent a user from changing how a custom domain name routes a request
+
+This policy prevents a user from creating or updating a `BasePathMapping`, `ApiMapping` or `RoutingRule`. All of these resources might change how a custom domain name routes request to APIs.
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Sid": "DenyAccessBasePathMappingsApiMappingsRoutingRules",
+          "Effect": "Deny",
+          "Action": "apigateway:*",
+          "Resource": [
+            "arn:aws:apigateway:us-east-1::/domainnames/example.com/basepathmappings/*",
+            "arn:aws:apigateway:us-east-1::/domainnames/example.com/apimappings/*",
+            "arn:aws:apigateway:us-east-1:111122223333:/domainnames/example.com/routingrules/*"
+          ]
+        }
+      ]
+    }
+