AWS Security ChangesHomeSearch

AWS apigateway medium security documentation change

Service: apigateway · 2025-06-16 · Security-related medium

File: apigateway/latest/developerguide/security_iam_id-based-policy-examples.md

Summary

Updated documentation to replace 'Prevent changing custom domain routing' section with expanded 'Example policies for routing rules' including priority ranges, base path patterns, and routing mode controls

Security assessment

The changes add granular IAM policy examples for controlling routing rule configurations, including numeric constraints on priorities and path patterns. These policies help prevent misconfiguration risks by enforcing least-privilege access to API routing resources. The original prevention policy was security-related and the new examples expand security guidance.

Diff

diff --git a/apigateway/latest/developerguide/security_iam_id-based-policy-examples.md b/apigateway/latest/developerguide/security_iam_id-based-policy-examples.md
index 6d0ac2c54..71092ec1f 100644
--- a//apigateway/latest/developerguide/security_iam_id-based-policy-examples.md
+++ b//apigateway/latest/developerguide/security_iam_id-based-policy-examples.md
@@ -5 +5 @@
-Policy best practicesAllow users to view their own permissionsSimple read permissionsCreate only REQUEST or JWT authorizersRequire that the default execute-api endpoint is disabledAllow users to create or update only private REST APIsRequire that API routes have authorizationPrevent a user from creating or updating a VPC linkPrevent a user from changing how a custom domain name routes a request
+Policy best practicesAllow users to view their own permissionsSimple read permissionsCreate only REQUEST or JWT authorizersRequire that the default execute-api endpoint is disabledAllow users to create or update only private REST APIsRequire that API routes have authorizationPrevent a user from creating or updating a VPC linkExample policies for using routing rules
@@ -31 +31 @@ For information about how to create IAM policies, see [Creating Policies on the
-  * Prevent a user from changing how a custom domain name routes a request
+  * Example policies for using routing rules
@@ -321 +321 @@ This policy prevents a user from creating or updating a VPC link. A VPC link ena
-## Prevent a user from changing how a custom domain name routes a request
+## Example policies for using routing rules
@@ -323 +323,5 @@ This policy prevents a user from creating or updating a VPC link. A VPC link ena
-This policy prevents a user from creating or updating a `BasePathMapping`, `ApiMapping` or `RoutingRule`. All of these resources might change how a custom domain name routes request to APIs.
+The following example policies show how to use the RoutingRule condition keys to control how users can route traffic from their custom domain names to their REST APIs. You can use these examples to create fine-grained policies for what kind of routing rules users can make. For more information, see [Routing rules to connect API stages to a custom domain name for REST APIs](./rest-api-routing-rules.html).
+
+### Prevent a user from changing how a custom domain name routes a request
+
+This policy prevents a user from creating or updating a `BasePathMapping`, `ApiMapping` or `RoutingRule`. All of these resources might change how a custom domain name routes requests to APIs.
@@ -341,0 +346,76 @@ This policy prevents a user from creating or updating a `BasePathMapping`, `ApiM
+### Allow a user to update a routing rule for certain priorities
+
+This policy allows a user to only update a routing rule to a priority between 1001 and 2000. You can use this rule to separate your production rules from lower priority rules and then allow users to modify lower priority rules without impacting production rules.
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Sid": "UpdatingRoutingRulePriorityBetween1001And2000",
+          "Effect": "Allow",
+          "Action": "apigateway:UpdateRoutingRule",
+          "Resource": "arn:aws:apigateway:us-east-1:111122223333:/domainnames/example.com/routingrules/*",
+          "Condition": {
+            "NumericGreaterThanEquals": {
+              "apigateway:Resource/Priority": 1001,
+              "apigateway:Request/Priority": 1001
+            },
+           "NumericLessThanEquals": {
+              "apigateway:Resource/Priority": 2000,
+              "apigateway:Request/Priority": 2000
+            } 
+          }
+        }
+      ]
+    }
+
+### Allow a user to update a routing rule or base path mapping for a certain base path value
+
+This policy allows a user to only update a base path mapping for any base path that starts with `orders` or update a routing rule matching a base path that starts with `orders`. In this policy, a user can update a base path mapping or routing rule for `orders/create` or `orders123`, but not `payment/orders`.
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+          {
+            "Sid": "AllowUpdateRoutingRuleUnderPathOrders",
+            "Effect": "Allow",
+            "Action": "apigateway:UpdateRoutingRule",
+            "Resource": "arn:aws:apigateway:us-east-1:111122223333:/domainnames/example.com/routingrules/*",
+            "Condition": {
+                "ForAllValues:StringLike": {
+                    "apigateway:Request/ConditionBasePaths": ["orders*"],
+                    "apigateway:Resource/ConditionBasePaths": ["orders*"]
+                },
+                "Null":{
+                     "apigateway:Request/ConditionBasePaths":"false",
+                     "apigateway:Resource/ConditionBasePaths":"false"             
+              }
+            }
+          }
+      ]
+    }
+
+### Allow a user to update the routing mode to specific values
+
+This policy allows a user to only update the routing mode to `API_MAPPING_ONLY` and `ROUTING_RULE_THEN_API_MAPPING`. For more information about routing mode, see [Set the routing mode for your custom domain name](./set-routing-mode.html).
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+            {
+               "Sid": "AllowUpdateRoutingModeToAnythingWithApiMapping",
+               "Effect": "Allow",
+               "Action": ["apigateway:PATCH"],
+               "Resource": "arn:aws:apigateway:us-east-1:111122223333:/domainnames/example.com",
+                  "Condition": {
+                   "StringLike": {
+                       "apigateway:Request/RoutingMode":"*API_MAPPING*"
+                   }
+               }
+           }
+        ]
+    }
+