amplify-hosting
[Feature request] IP allowlisting: How to block specific IPs from accessing the backend?
Note: If your question is regarding the AWS Amplify Console service, please log it in the official AWS Amplify Console forum
**Which Category is your question related to?** Security
**What AWS Services are you utilizing?** AppSync, Amplify, CloudFront, Lambda
**Provide additional details e.g. code snippets** I created an Amplify GraphQL project through the AWS Amplify pipeline with a custom domain. I need to block some IP ranges for some security reasons. Is it currently possible to add allowed IP ranges through parameters/templates?
@incr3m Let me take this back to the team, because it involves other services too, it is out of scope for the CLI for sure, but perhaps we can come up with an answer to your question.
#8
Would love something like that.
Is this feature available now? I deployed the following website:
- frontend: React + Amplify
- backend: API Gateway + Lambda
I want to restrict access to only my company network. I made a resource policy to restrict IP access for the API Gateway backend. I am using password authentication for now in the frontend. But how do I add an IP restriction in Amplify?
@Vineeth-Avvaru nope, not available yet.
If you are hosting the frontend in S3, could you not apply a bucket policy to restrict access to certain IP addresses?
Something like:
```json
{
  "Version": "2012-10-17",
  "Id": "IPRestrict",
  "Statement": [{
    "Sid": "IPRestrict",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::awsexamplebucket",
      "arn:aws:s3:::awsexamplebucket/*"
    ],
    "Condition": {
      "NotIpAddress": {
        "aws:SourceIp": [
          "10.10.10.10/32",
          "22.22.22.22/32"
        ]
      }
    }
  }]
}
```
@pauljflo
> If you are hosting the frontend in S3, could you not apply a bucket policy to restrict access to certain IP addresses? Something like:
> ```json
> {
>   "Version": "2012-10-17",
>   "Id": "IPRestrict",
>   "Statement": [{
>     "Sid": "IPRestrict",
>     "Effect": "Deny",
>     "Principal": "*",
>     "Action": "s3:*",
>     "Resource": [
>       "arn:aws:s3:::awsexamplebucket",
>       "arn:aws:s3:::awsexamplebucket/*"
>     ],
>     "Condition": {
>       "NotIpAddress": {
>         "aws:SourceIp": [
>           "10.10.10.10/32",
>           "22.22.22.22/32"
>         ]
>       }
>     }
>   }]
> }
> ```

If you use `amplify add hosting` and choose `s3andCloudFront` (which is the `PROD` build), you have the ability to modify these settings through CloudFront directly. However, if you mean choosing `S3Hosting` (which is `DEV`), perhaps through there you may add those settings you mentioned; however, you are limited to `http` and not `https`. You could create a CloudFront distribution directly and add the S3 bucket as its source origin.
any support for network-only accessible amplify apps in the near future? (next few months)
The example I mentioned above allows me to use WAF which restricts it to my company's static ip.
But to answer your question, amplify console directly does not have this feature.
And from my experience, anything is possible with AWS; you've just got to dig.
Is it still on roadmap?
This would come in handy for using Amplify + Lambda (Puppeteer). That way I can make it so that only the Lambda function can access the Amplify website and take the screenshots needed.
Upvote? Still on roadmap?
That's a basic feature everyone needs. I don't know why they are still not supporting it.
Watching this. We would like to use Amplify, but cannot until there's some security resolution here.
I'll add my grain of salt since I'm yet another developer who'll have to dig around the problem. Since I work for a cybersec enterprise, permissions are very tight. We could successfully restrict by IP by using S3 and CloudFront in cahoots with WAF (manually configured, boo!)
Sadly, the deployment team will not have access to the CLI. We basically drop the code within Terraform to create the Amplify app from a CodeCommit repo. Since the S3 hosting requires an `amplify publish` to build and update the webapp, we're losing the fun of having the whole pipeline rebuild the app on a code commit.
Again, since permissions are tight, we just can't allow ourselves to have AmplifyAdmin lying around on a user just in case a push was made.
Having WAF possible to integrate with the default deployment method would be gold. For now I'll search for a workaround!
Any news here on how to restrict Amplify to only the company network? Thanks!
@lozanet2005 my current workaround is like this, removing Amplify Hosting from the pipeline (for now):
- upload build artifacts to private S3 bucket
- connect that bucket to cloudfront
- put WAF in front of the cloudfront
Still no solutions with using Amplify directly? Only workarounds?
Hey all, I found a solution that meets my requirements, namely preventing access to data (this will be an additional layer of defence).
Access to website = allowed
Requests to GraphQL APIs = blocked
Essentially:
- Go to your API's AppSync settings and set up WAF.
- Follow this: https://aws.amazon.com/premiumsupport/knowledge-center/waf-allow-my-ip-block-other-ip/
Let me know if you need more details.
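Both IP-gating approaches raised in this thread (the S3 bucket policy with a `NotIpAddress` condition posted earlier, and the WAF "allow my IP, block others" web ACL described in the comment above) come down to the same check: is the caller's address inside an allowlist of CIDR blocks? The script below is an added example, not code from this thread or from AWS; it simulates how each form decides, so you can sanity-check an allowlist before deploying it. The IAM model is deliberately simplified to the IP condition only, the WAF IP set ARN and the `203.0.113.0/24` office range are constructed placeholders, and the bucket policy is the one from the thread with its missing opening brace restored.

```python
import ipaddress
from typing import Dict, Iterable, List


def ip_in_any(ip: str, cidrs: Iterable[str]) -> bool:
    """True if `ip` falls inside any of the given CIDR blocks (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        # An IPv6 client never matches an IPv4 range, and vice versa.
        if addr.version == net.version and addr in net:
            return True
    return False


# --- Form 1: the S3 bucket policy from the thread (opening brace restored).
# Explicit Deny on everything unless the caller's IP is in the allowlist.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Id": "IPRestrict",
    "Statement": [{
        "Sid": "IPRestrict",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::awsexamplebucket", "arn:aws:s3:::awsexamplebucket/*"],
        "Condition": {"NotIpAddress": {"aws:SourceIp": ["10.10.10.10/32", "22.22.22.22/32"]}},
    }],
}


def s3_policy_allows(policy: dict, source_ip: str) -> bool:
    """Simulate only the aws:SourceIp part of evaluation for this policy shape.

    Simplified model (an assumption, not the full IAM algorithm): a Deny whose
    IP condition fires wins outright; if no Deny fires we assume the caller is
    otherwise authorised, so the answer is "does the IP gate let them through?".
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {})
        # NotIpAddress: the Deny applies when the IP is NOT in the list (allowlist).
        if "NotIpAddress" in cond and not ip_in_any(source_ip, cond["NotIpAddress"]["aws:SourceIp"]):
            return False
        # IpAddress: the Deny applies when the IP IS in the list (blocklist).
        if "IpAddress" in cond and ip_in_any(source_ip, cond["IpAddress"]["aws:SourceIp"]):
            return False
    return True


# --- Form 2: the WAF pattern from the linked AWS article (allow my IP, block others).
# Shape mirrors a WAFv2 web ACL: default action BLOCK, one ALLOW rule referencing
# an IP set by ARN. ARN and address range below are constructed placeholders.
IP_SETS: Dict[str, List[str]] = {
    "arn:aws:wafv2:PLACEHOLDER:ipset/company-office": ["203.0.113.0/24"],
}
WEB_ACL = {
    "DefaultAction": {"Block": {}},
    "Rules": [{
        "Name": "allow-company-office",
        "Priority": 0,
        "Action": {"Allow": {}},
        "Statement": {"IPSetReferenceStatement": {"ARN": "arn:aws:wafv2:PLACEHOLDER:ipset/company-office"}},
    }],
}


def waf_decision(web_acl: dict, ip_sets: Dict[str, List[str]], client_ip: str) -> str:
    """Return "ALLOW" or "BLOCK": lowest-priority matching rule wins, else the default action."""
    for rule in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
        ref = rule["Statement"].get("IPSetReferenceStatement")
        if ref and ip_in_any(client_ip, ip_sets[ref["ARN"]]):
            return next(iter(rule["Action"])).upper()
    return next(iter(web_acl["DefaultAction"])).upper()


if __name__ == "__main__":
    for ip in ("10.10.10.10", "10.10.10.11", "2001:db8::1"):
        print(f"S3 policy, {ip}: {'allowed' if s3_policy_allows(BUCKET_POLICY, ip) else 'DENIED'}")
    for ip in ("203.0.113.7", "198.51.100.9"):
        print(f"WAF, {ip}: {waf_decision(WEB_ACL, IP_SETS, ip)}")
```

Two practical caveats the simulation makes visible: an allowlist that lists only IPv4 ranges silently denies every IPv6 client, and `aws:SourceIp` in a bucket policy is evaluated against whoever connects to S3. When CloudFront sits in front of the bucket, that is a CloudFront edge address, not the end user, which is why the workaround posted earlier puts the IP restriction in WAF on the distribution rather than in the bucket policy.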
Hi AWS team, any update on this request? It's been 4 years and I believe this should have been a feature Amplify shipped with. Please note I will likely have to switch away from Amplify because of the lack of support for a private VPC.
would love this feature as well!
Don't you have any development plans yet?
would love this feature as well!
Need this feature please.
Please!
Still please...
Hello! Matt from the Amplify team here. This FR would be covered by our work on adding WAF: https://github.com/aws-amplify/amplify-hosting/issues/36
WAF is in development; keep yourself subscribed to that issue.