Amazon API Gateway System Policy Authoring
Policy authoring with Amazon API Gateway defines which HTTP API requests are allowed or denied. These policies are enforced by Amazon API Gateway, so a rejected API request is never seen by the backend service.
Pre-installed Policies
When the Amazon API Gateway system is installed, an ingress policy is automatically installed. To see the policy, navigate to your Amazon API Gateway system in the Styra DAS UI and click the Ingress folder. The ingress policy either allows or denies incoming traffic.
Write Ingress Policies
When authoring policies, use OPA's policy language, Rego.
For an introduction to Rego, refer to:
- Free Video Training: Styra Academy.
When writing Rego policies, you need to know the format of the JSON that is provided to each of your policies as input. The following shows a sample input provided by AWS API Gateway for ingress policies. This sample includes the HTTP method, the requested path, the source (remote) address, and the request headers, including the destination host.
```json
{
  "headers": {
    "accept": "*/*",
    "host": "192.168.49.2:31961",
    "user-agent": "curl/7.68.0"
  },
  "method": "GET",
  "path": "/finance/salary/bob",
  "remote_address": "172.17.0.1"
}
```
When writing policies, the allow and deny rules describe the conditions under which a request is allowed or denied. By default, all requests are allowed, so you must write deny rules for the requests you want to reject.
For example, to allow all GET requests and deny all POST requests to the root path, write the following allow and deny rules.
```rego
# allow GET requests to the root path
allow {
    input.method == "GET"
    input.path == "/"
}

# deny POST requests to the root path
deny {
    input.method == "POST"
    input.path == "/"
}
```
The decision mapping for Amazon API Gateway systems relies on the presence of well-known fields to parse the results correctly. The decision mapper expects an allowed field in the result.
```json
{
  "result": {
    "allowed": false // boolean value to determine if the decision was Allowed or Denied
                     // an absence of this value will mark the decision as Unknown
  }
}
```
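As an added example (not from the Styra documentation or the pre-installed ingress policy), the policy below combines allow and deny rules over the sample input fields shown above and reduces them to the single boolean allowed field the decision mapper expects. The package name, the internal CIDR and the protected path prefix are constructed assumptions; it also assumes the system's decision is the package document, so that allowed lands under result.

```rego
# Hypothetical package name; the DAS-installed ingress policy may use another.
package policy.ingress

import future.keywords.in

# Constructed assumption: source addresses inside this range are internal.
internal_cidr := "172.17.0.0/16"

# Constructed assumption: everything under this prefix is sensitive data.
sensitive_prefix := "/finance/"

# Read-only methods on non-sensitive paths are allowed from anywhere.
allow {
    input.method in {"GET", "HEAD"}
    not startswith(input.path, sensitive_prefix)
}

# Reads of sensitive paths are allowed only from the internal network.
# For the sample input (GET /finance/salary/bob from 172.17.0.1) this rule fires.
allow {
    input.method == "GET"
    startswith(input.path, sensitive_prefix)
    net.cidr_contains(internal_cidr, input.remote_address)
}

# Write methods on sensitive paths are denied regardless of source;
# a deny always wins over an allow in the final decision below.
deny {
    input.method in {"POST", "PUT", "PATCH", "DELETE"}
    startswith(input.path, sensitive_prefix)
}

# Requests with no remote_address cannot be attributed, so deny them.
deny {
    not input.remote_address
}

# Final decision: always emit a boolean so the decision is never "Unknown".
default allowed := false

allowed {
    allow
    not deny
}
```

Evaluating the sample input above yields allowed = true; the same path requested from 10.0.0.5, or with POST, yields allowed = false.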