AWS Security ChangesHomeSearch

AWS apigateway medium security documentation change

Service: apigateway · 2025-07-04 · Security-related medium

File: apigateway/latest/developerguide/apigateway-vpc-endpoint-policies.md

Summary

Added Example 6 for organization-based access control, updated authorization header evaluation logic, and clarified security controls for VPC endpoint policies

Security assessment

Added explicit guidance about evaluating organization IDs (aws:ResourceOrgID/aws:PrincipalOrgID) and authorization header handling. These changes clarify security controls for restricting access, preventing potential misconfigurations that could lead to unauthorized access.

Diff

diff --git a/apigateway/latest/developerguide/apigateway-vpc-endpoint-policies.md b/apigateway/latest/developerguide/apigateway-vpc-endpoint-policies.md
index 3fa22a54a..45512a0a1 100644
--- a//apigateway/latest/developerguide/apigateway-vpc-endpoint-policies.md
+++ b//apigateway/latest/developerguide/apigateway-vpc-endpoint-policies.md
@@ -5 +5 @@
-VPC endpoint policy considerationsVPC endpoint policy examplesExample 1: VPC endpoint policy granting access to two APIsExample 2: VPC endpoint policy granting access to GET methodsExample 3: VPC endpoint policy granting a specific user access to a specific APIExample 4: VPC endpoint policy granting users access to a specific custom domain name and every API mapped to the domainExample 5: VPC endpoint policy granting or denying access to specific APIs and domain resources
+VPC endpoint policy considerationsVPC endpoint policy examplesExample 1: VPC endpoint policy granting access to two APIsExample 2: VPC endpoint policy granting access to GET methodsExample 3: VPC endpoint policy granting a specific user access to a specific APIExample 4: VPC endpoint policy granting users access to a specific custom domain name and every API mapped to the domainExample 5: VPC endpoint policy granting or denying access to specific APIs and domain resourcesExample 6: VPC endpoint policy granting or denying access by principals and resources belonging to an organization
@@ -24 +24 @@ You might want to create a VPC endpoint policy to do the following tasks.
-The following are considerations for your VPC endpoint policy.
+The following are considerations for your VPC endpoint policy:
@@ -26 +26 @@ The following are considerations for your VPC endpoint policy.
-  * The identity of the invoker is evaluated based on the `Authorization` header value. Depending on your `authorizationType`, this may lead to an `403 IncompleteSignatureException` or an `403 InvalidSignatureException` error. The following table shows the `Authorization` header values for each `authorizationType`.
+  * The identity of the invoker is evaluated based on the `Authorization` header value. The VPC endpoint policy is evaluated first, and then API Gateway evaluates the request, based on the type of authorization configured on the method request. The following table shows how the VPC endpoint policy is evaluated based on the content of the `Authorization` header value.
@@ -28,6 +28,6 @@ The following are considerations for your VPC endpoint policy.
-`authorizationType` | `Authorization`**header evaluated?** | **Allowed** `Authorization` **header values**  
----|---|---  
-`NONE` with the default full access policy | No | Not passed  
-`NONE` with a custom access policy | Yes | Must be a valid [SigV4](https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html) value  
-`IAM` | Yes | Must be a valid [SigV4](https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html) value  
-`CUSTOM` or `COGNITO_USER_POOLS` | No | Not passed  
+Content of the `Authorization` header value | How the VPC endpoint policy is evaluated  
+---|---  
+No content | The invoker is evaluated as an anonymous user  
+Valid [SigV4](https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html) signature | The invoker is evaluated as the authenticated IAM identity from the signature  
+Invalid [SigV4](https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html) signature | API Gateway denies access  
+Non-SigV4 authorization information such as a bearer token | The invoker is evaluated as an anonymous user  
@@ -35 +35,3 @@ The following are considerations for your VPC endpoint policy.
-  * If a policy restricts access to a specific IAM principal, such as `arn:aws:iam::account-id:role/developer`, you must set the `authorizationType` of your API's method to `AWS_IAM` or `NONE`. For more instructions on how to set the `authorizationType` for a method, see [Methods for REST APIs in API Gateway](./how-to-method-settings.html).
+  * If your access control depends on using a bearer token, such as a Lambda or Amazon Cognito authorizer, you can control your security perimeter by using [properties of the resource](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resource-properties).
+
+  * If your authorization controls use IAM authorization, you can control your security perimeter by using [properties of the resource](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resource-properties) and [ properties of the principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resource-principal).
@@ -54,0 +57,2 @@ You can create policies for Amazon Virtual Private Cloud endpoints for Amazon AP
+This might depend on the contents of your authorization header. For more information, see VPC endpoint policy considerations. For additional example policies, see [Data perimeter policy examples](https://github.com/aws-samples/data-perimeter-policy-examples) on the GitHub website.
+
@@ -180,0 +185,26 @@ The following example policy grants users access to specific APIs and domain res
+## Example 6: VPC endpoint policy granting or denying access by principals and resources belonging to an organization
+
+The following example policy grants access to principals and resources that belong to an organization.
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Condition": {
+                    "StringEquals": {
+                        "aws:ResourceOrgID": "o-abcd1234",
+                        "aws:PrincipalOrgID": "o-abcd1234"
+                    }
+                },
+                "Action": "*",
+                "Resource": "*",
+                "Effect": "Allow",
+                "Principal": {
+                    "AWS": "*"
+                },
+                "Sid": "AllowRequestsByOrgsIdentitiesToOrgsResources"
+            }
+        ]
+    }
+