Enforce the Amazon API Gateway System Ingress Policy
The following policies are automatically installed when you add the Amazon API Gateway system.
- For the ingress policy type, click policy > Ingress.
The shell script triggered in step #6 of the Quick Start repeats the following HTTP calls at 30-second intervals, pretending to be different users, to generate sample data for visualization.
curl --user alice:password example-app/finance/salary/alice
curl --user bob:password example-app/finance/salary/alice
curl --user bob:password example-app/finance/salary/charlie
curl --user david:password example-app/finance/salary/bob
curl --user david:password example-app/hr/dashboard
curl --user eve:password example-app/admin
curl -is httpbin.org/anything;
By default, the ingress policy allows all traffic to the example application service. Click on the Decisions tab to verify all the Allowed decisions from the newly created Amazon API Gateway system.
The Amazon API Gateway system Quick Start provides a link to replace the sample ingress policy. With this ingress policy published, example-app can receive ingress traffic only on the allowed endpoint /finance/salary. Switch to the Decisions tab and verify that traffic to the /hr/dashboard and /admin paths is Denied.
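To know what the Decisions tab should show once the replacement policy is published, the following added example (not part of the Quick Start or the published policy) models the path allowlist offline and prints the expected decision for each sample request above. It assumes the decision depends only on the request path, that /finance/salary matches on a segment boundary, and that unnormalized paths are denied; the names `expected_decision` and `print_expected` are hypothetical.

```shell
#!/bin/sh
# Offline model of the replacement ingress policy described above: only
# /finance/salary is allowed. The matching rules (segment boundary, no ".."
# or empty segments) are assumptions of this example, not the policy's text.

ALLOWED_PREFIX="/finance/salary"

# expected_decision PATH -> prints "Allowed" or "Denied"
expected_decision() {
    path="/${1#/}"          # ensure the path starts with a slash
    path="${path%%\?*}"     # drop any query string
    case "$path" in
        # Deny unnormalized paths so "/finance/salary/../../admin" cannot
        # ride on the allowed prefix.
        */../*|*/..|*/./*|*/.|*//*) echo "Denied"; return ;;
    esac
    case "$path" in
        # Exact match or a child segment; "/finance/salaryX" does not match.
        "$ALLOWED_PREFIX"|"$ALLOWED_PREFIX"/*) echo "Allowed" ;;
        *) echo "Denied" ;;
    esac
}

# Request paths from the sample curl calls on this page, as user:path.
# The httpbin.org call is not ingress traffic to example-app and is omitted.
SAMPLE_REQUESTS="alice:/finance/salary/alice
bob:/finance/salary/alice
bob:/finance/salary/charlie
david:/finance/salary/bob
david:/hr/dashboard
eve:/admin"

# print_expected: one "user path decision" line per sample request
print_expected() {
    printf '%s\n' "$SAMPLE_REQUESTS" | while IFS=: read -r user path; do
        printf '%-6s %-28s %s\n' "$user" "$path" "$(expected_decision "$path")"
    done
}

print_expected
```

Compare the printed column with the Decisions tab; a path the model denies but the tab shows as Allowed means the published policy matches more loosely than assumed here.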