I need to write a WAF rule such that access to the API Gateway is blocked for the users of other AWS accounts.
For now, I'm exploring the implementation of WAF, and I have managed to create a CfnWebACL with a rule statement of ipSetReferenceStatement, such that I'm creating an IP set of the allowed IPs, but that's not what I want; I want the users of other AWS accounts. Here's the sample code:
    // CDK v2 import path (on CDK v1 the module is '@aws-cdk/aws-wafv2')
    import { CfnIPSet, CfnWebACL } from 'aws-cdk-lib/aws-wafv2';

    // IP set of allowed source addresses (empty for now)
    this.commserviceAllowedIpSet = new CfnIPSet(this, 'commservice-allowedIps', {
      name: 'allowed ips',
      ipAddressVersion: 'IPV4',
      addresses: [],
      scope: 'REGIONAL',
    });

    // Web ACL that blocks everything except what the allow rule matches
    this.commserviceWebAcl = new CfnWebACL(this, 'commservice-webacl', {
      defaultAction: {
        block: {},
      },
      visibilityConfig: {
        cloudWatchMetricsEnabled: true,
        metricName: 'commservice-webacl',
        sampledRequestsEnabled: true,
      },
      scope: 'REGIONAL',
      rules: [
        {
          name: 'abc',
          priority: 0,
          // every rule needs an action (or overrideAction); allow requests whose source IP is in the set
          action: {
            allow: {},
          },
          statement: {
            ipSetReferenceStatement: {
              arn: this.commserviceAllowedIpSet.attrArn,
            },
          },
          visibilityConfig: {
            cloudWatchMetricsEnabled: true,
            metricName: 'allowed-requests',
            sampledRequestsEnabled: true,
          },
        },
      ],
    });
Is there any other rule statement that I can use other than ipSetReferenceStatement? Apologies if the question is not clear.
You can't do this with WAF. The proper way to do this is using API Gateway resource policies. By writing such a policy, you can restrict access to the API only to your own account.
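The resource policy the answer refers to, as an added example that is not code from the question or the answer: it builds a policy document that allows execute-api:Invoke only for principals of the owning account, and includes a small review helper that reports the two policy mistakes that would reopen the API to other accounts. The account id, region and API id are made-up placeholders; the condition key aws:PrincipalAccount and the execute-api ARN format are real.

```typescript
// Added example: API Gateway resource policy that keeps an API to one AWS account,
// plus a checker for policy statements that would defeat that restriction.
// Account id, region and REST API id used below are constructed placeholders.

type Principal = '*' | { AWS: string };

interface PolicyStatement {
  Effect: 'Allow' | 'Deny';
  Principal: Principal;
  Action: string;
  Resource: string;
  Condition?: Record<string, Record<string, string>>;
}

interface PolicyDocument {
  Version: '2012-10-17';
  Statement: PolicyStatement[];
}

// Explicit Allow for the owning account's principals, plus a defence-in-depth
// Deny for any caller whose account is not the owning account. The Allow alone
// already restricts the API (other accounts need an explicit allow in the
// resource policy); the Deny makes a later over-broad Allow harmless.
export function buildOwnAccountOnlyPolicy(
  accountId: string,
  region: string,
  restApiId: string,
): PolicyDocument {
  // execute-api ARN covering every stage, method and path of this API
  const apiArn = `arn:aws:execute-api:${region}:${accountId}:${restApiId}/*`;
  return {
    Version: '2012-10-17',
    Statement: [
      {
        Effect: 'Allow',
        Principal: { AWS: `arn:aws:iam::${accountId}:root` },
        Action: 'execute-api:Invoke',
        Resource: apiArn,
      },
      {
        Effect: 'Deny',
        Principal: '*',
        Action: 'execute-api:Invoke',
        Resource: apiArn,
        Condition: { StringNotEquals: { 'aws:PrincipalAccount': accountId } },
      },
    ],
  };
}

// Review helper: lists the Allow statements that would let callers outside
// accountId invoke the API (an empty list means the restriction holds).
export function findPolicyProblems(doc: PolicyDocument, accountId: string): string[] {
  const problems: string[] = [];
  for (const stmt of doc.Statement) {
    if (stmt.Effect !== 'Allow') {
      continue;
    }
    if (stmt.Principal === '*' && !stmt.Condition) {
      problems.push(`unconditional public Allow on ${stmt.Resource}`);
    } else if (typeof stmt.Principal === 'object' && !stmt.Principal.AWS.includes(`:${accountId}:`)) {
      problems.push(`Allow for principal outside the account: ${stmt.Principal.AWS}`);
    }
  }
  return problems;
}

// Constructed placeholder values
const policy = buildOwnAccountOnlyPolicy('111122223333', 'us-east-1', 'abc123def4');
console.log(JSON.stringify(policy, null, 2));
console.log('problems:', findPolicyProblems(policy, '111122223333'));
```

In CDK the document can be attached with `policy: iam.PolicyDocument.fromJson(buildOwnAccountOnlyPolicy(this.account, this.region, '<api id>'))` on `apigateway.RestApi` (the API id is only known after creation, so in practice the policy's Resource is usually written as `execute-api:/*` or built from the construct's own `arnForExecuteApi()`), and the methods need `authorizationType: apigateway.AuthorizationType.IAM` so that every caller carries an account identity the policy can evaluate. A changed resource policy only takes effect on a stage after the API is deployed again.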