AWS API Gateway Policy to only allow a specific host URL to access

I have configured an API Gateway endpoint in AWS, and am trying to secure it using its access policy.

I am aware that it's possible to limit the access of the endpoint to specific IP addresses, but is it also possible to restrict access based on the host that is calling the API? AWS has docs on examples of these access policies, as shown below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": [
                "arn:aws:execute-api:region:account-id:api-id/*"
            ]
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": [
                "arn:aws:execute-api:region:account-id:api-id/*"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": ["192.0.2.0/24", "198.51.100.0/24"]
                }
            }
        }
    ]
}

For example, I have an application www.example.com. I want to add something in the access policy to only allow www.example.com to successfully submit a request to the API.

There are 2 best solutions below


Could you not just use an API KEY that those specific hosts or host can use to gain access to the API?


I am not sure if you're still trying to resolve this problem, but I don't think you are able to handle URL whitelisting at the API Gateway level.

Here are the possible API Gateway resource policies listed in the AWS docs:

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-aws-condition-keys.html
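To make concrete what the resource policy quoted in the question actually decides on, here is an added Python evaluator (not from the question, either answer, or AWS) that applies IAM-style evaluation (explicit Deny beats Allow, nothing matching is an implicit deny) to that policy. It models only the `aws:SourceIp` key with the `IpAddress` / `NotIpAddress` operators, which is all the quoted policy uses; any other condition key is rejected as unmodelled, which is also the practical point of the second answer: the evaluation context carries the caller's source address, not the calling site's hostname. The resource ARN and request IPs below are constructed for the example; `build_ip_allowlist_policy` is a helper of my own that produces the "Allow only from these ranges" form of the same policy.

```python
import fnmatch
import ipaddress

# Constructed copy of the policy quoted in the question (AWS docs example):
# allow every caller, then explicitly deny the two listed CIDR ranges.
DOCS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": ["arn:aws:execute-api:region:account-id:api-id/*"],
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": ["arn:aws:execute-api:region:account-id:api-id/*"],
            "Condition": {
                "IpAddress": {"aws:SourceIp": ["192.0.2.0/24", "198.51.100.0/24"]}
            },
        },
    ],
}

# Constructed invocation ARN for a stage/method under the api-id from the question.
REQUEST_ARN = "arn:aws:execute-api:region:account-id:api-id/prod/GET/orders"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _pattern_matches(patterns, candidate):
    # IAM resource/action patterns use '*' and '?' wildcards; fnmatchcase is case-sensitive.
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def _conditions_hold(condition, ctx):
    """True when every condition block in the statement is satisfied by ctx."""
    source_ip = ipaddress.ip_address(ctx["sourceIp"])
    for operator, key_values in condition.items():
        for key, values in key_values.items():
            if key != "aws:SourceIp":
                # Only aws:SourceIp is modelled here; the hostname of the calling
                # site is not something the request context provides.
                raise ValueError(f"condition key {key!r} is not modelled")
            in_any_range = any(
                source_ip in ipaddress.ip_network(cidr, strict=False)
                for cidr in _as_list(values)
            )
            if operator == "IpAddress" and not in_any_range:
                return False
            if operator == "NotIpAddress" and in_any_range:
                return False
            if operator not in ("IpAddress", "NotIpAddress"):
                raise ValueError(f"condition operator {operator!r} is not modelled")
    return True


def evaluate(policy, ctx, resource_arn, action="execute-api:Invoke"):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _pattern_matches(stmt["Action"], action):
            continue
        if not _pattern_matches(stmt["Resource"], resource_arn):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def build_ip_allowlist_policy(api_arn_pattern, cidrs):
    """Hypothetical helper: the inverse shape, allow only the listed ranges."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": [api_arn_pattern],
                "Condition": {"IpAddress": {"aws:SourceIp": list(cidrs)}},
            }
        ],
    }


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.5"):
        print(ip, "->", evaluate(DOCS_POLICY, {"sourceIp": ip}, REQUEST_ARN))
```

Running the block shows a caller from 192.0.2.10 hitting the explicit Deny and a caller from 203.0.113.5 being allowed by the first statement; the same request against an ARN outside `api-id/*` matches no statement and falls through to an implicit deny. The allow-list builder is usually the shape an operator wants when the goal is "only my known egress addresses", as opposed to the docs example's block-list form.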