I'm looking for a way to prevent accidental deletion of an API Gateway. However I can't find an example of an IAM policy to do so.
I'm currently at:
{
    "Sid": "DenyDeleteAPIGateway",
    "Effect": "Deny",
    "Action": [
        "apigateway:DELETE"
    ],
    "Resource": [
        "arn:aws:apigateway:*::/apis/*"
    ]
}
But it doesn't seem to work. My goal is simply to prevent actual API Gateway deletion, not block all actions on the actual API Gateway.
After looking around in the darkest corners of the internet and with the help of Amazon Q, here's the policy to protect your API Gateways from accidental deletion.
{
    "Statement": [
        {
            "Action": "apigateway:DELETE",
            "Effect": "Deny",
            "NotResource": [
                "arn:aws:apigateway:*::/restapis/*/resources/*",
                "arn:aws:apigateway:*::/restapis/*/resources/*/methods/*"
            ],
            "Sid": "APIGatewayDenyDelete"
        }
    ],
    "Version": "2012-10-17"
}
This denies DELETE actions on an API Gateway resource, while allowing deletion of API Gateway resources and methods.
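To see which DELETE calls the answer's policy blocks before attaching it, here is an added Python example (not from the question or answer) that evaluates both policies above against constructed API Gateway ARNs using IAM-style wildcard matching. It is a local approximation of Deny evaluation, not a substitute for the IAM policy simulator, and the region and IDs in the ARNs are made up; it also shows that the NotResource form denies deleting stages as well, since anything not listed under NotResource is covered by the Deny.

```python
import re

# Policy from the answer: deny DELETE on everything except resources and methods.
PROTECT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "APIGatewayDenyDelete",
        "Effect": "Deny",
        "Action": "apigateway:DELETE",
        "NotResource": [
            "arn:aws:apigateway:*::/restapis/*/resources/*",
            "arn:aws:apigateway:*::/restapis/*/resources/*/methods/*",
        ],
    }],
}

# The questioner's original statement, wrapped in a full policy for comparison.
# Its Resource targets /apis/* (HTTP/WebSocket APIs), so REST API ARNs never match.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyDeleteAPIGateway",
        "Effect": "Deny",
        "Action": ["apigateway:DELETE"],
        "Resource": ["arn:aws:apigateway:*::/apis/*"],
    }],
}


def _matches(pattern: str, value: str) -> bool:
    """IAM-style match: '*' spans any characters (including '/'), '?' matches one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_denied(policy: dict, action: str, resource_arn: str) -> bool:
    """True if any Deny statement in `policy` applies to this action on this ARN."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        # Action names are case-insensitive in IAM; compare lowercased.
        if not any(_matches(a.lower(), action.lower()) for a in _as_list(stmt.get("Action", []))):
            continue
        if "Resource" in stmt:
            hit = any(_matches(r, resource_arn) for r in _as_list(stmt["Resource"]))
        else:  # NotResource: the statement applies to every ARN NOT listed
            hit = not any(_matches(r, resource_arn) for r in _as_list(stmt["NotResource"]))
        if hit:
            return True
    return False
```

Deleting the REST API itself or one of its stages is denied, deleting a resource or method is not, and the original `/apis/*` statement denies nothing for REST API ARNs, which is why it appeared not to work.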