
[Feature request] IP allowlisting: How to block specific IPs from accessing the backend?

Open incr3m opened this issue 5 years ago • 27 comments

Note: If your question is regarding the AWS Amplify Console service, please log it in the official AWS Amplify Console forum

**Which Category is your question related to?**
Security

**What AWS Services are you utilizing?**
AppSync, Amplify, CloudFront, Lambda

**Provide additional details e.g. code snippets**
I created an Amplify GraphQL project through the AWS Amplify pipeline with a custom domain. I need to block some IP ranges for security reasons. Is it currently possible to add allowed IP ranges through parameters/templates?

incr3m Jun 30 '19 22:06

@incr3m Let me take this back to the team, because it involves other services too. It is out of scope for the CLI for sure, but perhaps we can come up with an answer to your question.

attilah Jul 01 '19 15:07

#8

swaminator Jul 30 '19 17:07

Would love something like that.

marlonmarcello Jun 01 '20 18:06

Is this feature available now? I deployed the following website:

  • frontend: React + Amplify
  • backend: API Gateway + Lambda

I want to restrict access to only my company network. I made a resource policy to restrict IP access to the API Gateway for the backend. I am using password authentication for now in the frontend. But how do I add an IP restriction in Amplify?

Vineeth-Avvaru Jun 05 '20 07:06

@Vineeth-Avvaru nope, not available yet.

mwarkentin Jul 05 '20 16:07

If you are hosting the frontend in S3, could you not apply a bucket policy to restrict access to certain IP addresses? Something like:

```json
{
  "Version": "2012-10-17",
  "Id": "IPRestrict",
  "Statement": [
    {
      "Sid": "IPRestrict",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::awsexamplebucket",
        "arn:aws:s3:::awsexamplebucket/*"
      ],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "10.10.10.10/32",
            "22.22.22.22/32"
          ]
        }
      }
    }
  ]
}
```

pauljflo Nov 05 '20 18:11

@pauljflo

> If you are hosting the frontend in S3, could you not apply a bucket policy to restrict access to certain IP addresses? Something like:
>
> ```json
> {
>   "Version": "2012-10-17",
>   "Id": "IPRestrict",
>   "Statement": [
>     {
>       "Sid": "IPRestrict",
>       "Effect": "Deny",
>       "Principal": "*",
>       "Action": "s3:*",
>       "Resource": [
>         "arn:aws:s3:::awsexamplebucket",
>         "arn:aws:s3:::awsexamplebucket/*"
>       ],
>       "Condition": {
>         "NotIpAddress": {
>           "aws:SourceIp": [
>             "10.10.10.10/32",
>             "22.22.22.22/32"
>           ]
>         }
>       }
>     }
>   ]
> }
> ```

If you use `amplify add hosting` and choose `S3AndCloudFront` (the PROD build), you have the ability to modify these settings through CloudFront directly. However, if you mean choosing `S3Hosting` (the DEV build), perhaps there you may add the settings you mentioned, but you are limited to HTTP and not HTTPS. You could create a CloudFront distribution directly and add the S3 bucket as its origin.

IsaacTrevino Nov 30 '20 17:11

Any support for network-only accessible Amplify apps in the near future (next few months)?

corydorning Jan 06 '21 18:01

The example I mentioned above allows me to use WAF, which restricts it to my company's static IP.

But to answer your question, Amplify Console directly does not have this feature.

And from my experience, anything is possible with AWS; you just have to dig.

IsaacTrevino Jan 06 '21 20:01

Is it still on the roadmap?

ckho-wkcda Apr 07 '21 03:04

This would come in handy for using Amplify + Lambda (Puppeteer). That way I can make it so that only the Lambda function can access the Amplify website and take the screenshots needed.

RealDrewKlayman Jul 25 '21 21:07

Upvote? Still on the roadmap?

jbbjbb Nov 21 '21 01:11

That's a basic feature everyone needs. I don't know why they still aren't supporting it.

gvsakhil Nov 22 '21 08:11

Watching this. We would like to use Amplify, but cannot until there's some security resolution here.

kramer99 Dec 22 '21 22:12

I'll add my grain of salt, since I'm yet another developer who'll have to dig around the problem. Since I work for a cybersec enterprise, permissions are very tight. We could successfully restrict by IP by using S3 and CloudFront in cahoots with WAF (manually configured, boo!).

Sadly, the deployment team will not have access to the CLI. We basically drop the code within Terraform to create the Amplify app from a CodeCommit repo. Since the S3 hosting requires an `amplify publish` to build and update the web app, we're losing the fun of having the whole pipeline rebuild the app on a code commit.

Again, since permissions are tight, we just can't allow ourselves to have AmplifyAdmin lying around on a user just in case a push was made.

Having WAF integrate with the default deployment method would be gold. For now I'll search for a workaround!

Knowledge-Labz Jan 07 '22 13:01

Any news here on how to restrict Amplify to the company network only? Thanks!

lozanet2005 Jun 08 '22 18:06

@lozanet2005 my current workaround is like this, removing Amplify Hosting from the pipeline (for now):

  • upload build artifacts to a private S3 bucket
  • connect that bucket to CloudFront
  • put WAF in front of CloudFront

kernelsoe Jun 11 '22 13:06

Still no solution using Amplify directly? Only workarounds?

NitroBoss Sep 07 '22 13:09

Hey all, I found a solution that meets my requirements, namely preventing access to data (this will be an additional layer of defence).

Access to website = allowed
Requests to GraphQL APIs = blocked

Essentially:

  • Go to your API's AppSync Settings and set up WAF.
  • Follow this: https://aws.amazon.com/premiumsupport/knowledge-center/waf-allow-my-ip-block-other-ip/

Let me know if you need more details.

bombchu Oct 02 '22 01:10
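The AppSync variant described in the comment above, as an added example rather than code from the issue or from the linked knowledge-center article. It differs from protecting a CloudFront site in two ways: the IP set and web ACL use `Scope: REGIONAL` and must live in the same region as the API, and the web ACL is attached to the GraphQL endpoint with an explicit `AWS::WAFv2::WebACLAssociation` resource instead of a property on the distribution. The Amplify-hosted frontend is untouched, so the page still loads for everyone while GraphQL calls from outside the listed ranges get a 403 from WAF before they reach a resolver. Assumptions: the API ARN is passed in as a parameter, the CIDRs are RFC 5737 placeholders, and the resource names are invented.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Regional WAF IP allowlist attached to an existing AppSync GraphQL API
  (added example, not from the issue). Deploy in the API's own region.

Parameters:
  GraphQlApiArn:
    Type: String
    Description: >-
      ARN of the existing AppSync API, in the form
      arn:aws:appsync:<region>:<account-id>:apis/<api-id>
  AllowedCidrs:
    Type: CommaDelimitedList
    Default: "203.0.113.0/24,198.51.100.7/32"   # placeholder office and VPN egress (RFC 5737)

Resources:
  CorpIpSet:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: corp-egress-regional    # invented name
      Scope: REGIONAL               # same region as the AppSync API
      IPAddressVersion: IPV4
      Addresses: !Ref AllowedCidrs

  ApiWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: appsync-corp-only       # invented name
      Scope: REGIONAL
      DefaultAction:
        Block: {}                   # default-deny for the GraphQL endpoint only
      Rules:
        - Name: AllowCorp
          Priority: 0
          Action:
            Allow: {}
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt CorpIpSet.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: AllowCorp
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: AppSyncCorpOnly

  # Regional resources (AppSync, API Gateway, ALB) are protected through an
  # association resource; this is the step the "AppSync Settings -> WAF" console page performs.
  ApiAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref GraphQlApiArn
      WebACLArn: !GetAtt ApiWebAcl.Arn

Outputs:
  WebAclArn:
    Value: !GetAtt ApiWebAcl.Arn
```

Keep in mind that this only sees the source address of the client calling the API. If a backend component such as a Lambda function or a build job also needs to call the endpoint, its egress address (for example the NAT gateway's elastic IP) has to be in `AllowedCidrs`, or it will be blocked like any other outside caller.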