AWS apigateway documentation change
Summary
Simplified policy attachment process using files and updated VPC endpoint IDs in examples
Security assessment
Promotes safer policy management via file references but does not introduce new security controls. Example ID changes are non-substantive.
Diff
diff --git a/apigateway/latest/developerguide/apigateway-private-custom-domains-tutorial.md b/apigateway/latest/developerguide/apigateway-private-custom-domains-tutorial.md index 4c9105d6a..e24be33d2 100644 --- a//apigateway/latest/developerguide/apigateway-private-custom-domains-tutorial.md +++ b//apigateway/latest/developerguide/apigateway-private-custom-domains-tutorial.md @@ -49,5 +48,0 @@ API Gateway provisions a domain name with a `deny` all resource policy. This is -JSON - -JSON - - @@ -77 +72 @@ JSON - "aws:SourceVpce": "vpce-abcd1234efg" + "aws:SourceVpce": "vpce-abcd1234" @@ -93,7 +88 @@ AWS CLI -When you create a private custom domain name using the AWS CLI, you provide a resource policy for the `execute-api` service to grant access to VPC endpoints to invoke your private custom domain name, using the `--policy "{\"jsonEscapedPolicyDocument\"}"` parameter. You can modify this policy later. - -For this example, you'll attach the following resource policy as the `policy`. This policy only allows incoming traffic to a private custom domain name from the VPC endpoint ` `vpce-abcd1234efg``: - -JSON - -JSON +When you create a private custom domain name using the AWS CLI, you provide a resource policy for the `execute-api` service to grant access to VPC endpoints to invoke your private custom domain name, using the `--policy file://policy.json` parameter. You can modify this policy later. @@ -100,0 +90 @@ JSON +For this example, you'll attach the following resource policy as the `policy` by loading parameters from a file. Copy and save this file as `policy.json`. This policy only allows incoming traffic to a private custom domain name from the VPC endpoint ` `vpce-abcd1234efg``: @@ -126 +116 @@ JSON - "aws:SourceVpce": "vpce-abcd1234efg" + "aws:SourceVpce": "vpce-abcd1234" @@ -134,2 +123,0 @@ JSON -In this example, you define your `policy` by using an escaped string. You can also define your `policy` by loading parameters from a file. - @@ -144 +132 @@ The following [create-domain-name](https://docs.aws.amazon.com/cli/latest/refere - --policy "{\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect\": \"Allow\",\"Principal\": \"*\",\"Action\": \"execute-api:Invoke\",\"Resource\":[\"execute-api:/*\"]},{\"Effect\": \"Deny\",\"Principal\": \"*\",\"Action\": \"execute-api:Invoke\",\"Resource\":[\"execute-api:/*\"],\"Condition\":{\"StringNotEquals\":{\"aws:SourceVpce\": \"vpce-abcd1234efg\"}}}]}" + --policy file://policy.json @@ -148,8 +135,0 @@ The output will like the following. -JSON - -JSON - - -**** - - @@ -171 +151 @@ JSON - "policy": "{\\\"Version\\\":\\\"2012-10-17\\\",\\\"Statement\\\":[{\\\"Effect\\\":\\\"Allow\\\",\\\"Principal\\\":\\\"*\\\",\\\"Action\\\":\\\"execute-api:Invoke\\\",\\\"Resource\\\":\\\"execute-api:\\/*\\\"},{\\\"Effect\\\":\\\"Deny\\\",\\\"Principal\\\":\\\"*\\\",\\\"Action\\\":\\\"execute-api:Invoke\\\",\\\"Resource\\\":\\\""execute-api:\\/*\\\",\\\"Condition\\\":{\\\"StringNotEquals\\\":{\\\"aws:SourceVpce\\\":\\\"vpce-abcd1234efg\\\"}}}]}" + "policy": "..."