I am not sure if this is the best place for this question, but I would say that this could be a problem in the documentation (otherwise in AWS itself).
In AWS Gateway WebSocket API, I am trying to control the access to my WebSocket endpoint by giving some access rights to some users but not all of them, particularly using IAM, as described in the official docs:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-control-access-iam.html
As a test, when I try to Allow/Deny some users with a specific identity using a specific policy (exactly the policy shown in the link above) from connecting to my AWS WebSocket endpoint, this works properly (so controlling the access to $connect works).
My use case is to allow these users to connect (invoke $connect) but to prevent them from invoking some other custom routes (so they will connect and receive some messages but will not be able to invoke specific routes). However, when I try to control the access to any other route (both predefined like $default or any custom route), the connected users are still able to invoke the custom routes even though they are denied in the policy.
Could the documentation be missing something? Why are the connected users still able to invoke the other custom secret routes? The policy used is exactly the one provided by the official docs in the link above.
And as said, I know that the policy and the identity are working, because I am able to Deny and Allow the $connect route, but no other routes.
So after a user connects to the WebSocket (that user has the identity that allows $connect), the user is also able to send the following message (and the message arrives at the handler of the secret route), even though the secret route is denied in the policy.
Notice, invokeCommand is my secret route.
{ "action": "invokeCommand", "command": "Secret route was invoked, but it actually should NOT!" }
I totally do not understand why this route is still invokable.
Here is the policy I am using:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-central-1:277312736995:gvcpcdepy1/*/$connect"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Deny",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-central-1:277312736995:gvcpcdepy1/*/invokeCommand"
        }
    ]
}
Here is the log of the access to the WebSocket API:
2021-05-14T09:41:44.226+02:00 (fVXSzFw4liAFdRA=) Extended Request Id: fVXSzFw4liAFdRA=
2021-05-14T09:41:44.226+02:00 (fVXSzFw4liAFdRA=) Verifying Usage Plan for request: fVXSzFw4liAFdRA=. API Key: API Stage: gvcpcdepy1/dev
2021-05-14T09:41:44.227+02:00 (fVXSzFw4liAFdRA=) API Key authorized because route 'invokeCommand' does not require API Key. Request will not contribute to throttle or quota limits
2021-05-14T09:41:44.227+02:00 (fVXSzFw4liAFdRA=) Usage Plan check succeeded for API Key and API Stage gvcpcdepy1/dev
2021-05-14T09:41:44.228+02:00 (fVXSzFw4liAFdRA=) Starting execution for request: fVXSzFw4liAFdRA=
2021-05-14T09:41:44.228+02:00 (fVXSzFw4liAFdRA=) WebSocket Request Route: [invokeCommand]
2021-05-14T09:41:44.228+02:00 (fVXSzFw4liAFdRA=) WebSocket API [gvcpcdepy1] received message from client [Connection Id: fVXRcdAYliACE8A=].
2021-05-14T09:41:44.228+02:00 (fVXSzFw4liAFdRA=) WebSocket API [gvcpcdepy1] received message from client [fVXRcdAYliACE8A=]. Message: [{"requestContext":{"routeKey":"invokeCommand","messageId":"fVXSzdAuliACE8A=","eventType":"MESSAGE","extendedRequestId":"fVXSzFw4liAFdRA=","requestTime":"14/May/2021:19:41:44 +0000","messageDirection":"IN","stage":"dev","connectedAt":1621021295576,"requestTimeEpoch":1621021304225,"identity":{"sourceIp":"85.127.7.191"},"requestId":"fVXSzFw4liAFdRA=","domainName":"gvcpcdepy1.execute-api.eu-central-1.amazonaws.com","connectionId":"fVXRcdAYliACE8A=","apiId":"gvcpcdepy1"},"body":"{ \"action\": \"invokeCommand\", \"command\": \"DEVICE FIRMWARE VERSION\" }","isBase64Encoded":false}].
2021-05-14T09:41:44.228+02:00 (fVXSzFw4liAFdRA=) Endpoint request URI: https://lambda.eu-central-1.amazonaws.com/2015-03-31/functions/arn:aws:lambda:eu-central-1:277312736995:function:on-controller-dev-invokeCommandHandler/invocations
2021-05-14T09:41:44.228+02:00 (fVXSzFw4liAFdRA=) Endpoint request headers: {x-amzn-lambda-integration-tag=fVXSzFw4liAFdRA=, Authorization=***************************************************************************************************************************************************************************************************************************************************************************************************************************0b7dbc, X-Amz-Date=20210514T194144Z, x-amzn-apigateway-api-id=gvcpcdepy1, X-Amz-Source-Arn=arn:aws:execute-api:eu-central-1:277312736995:gvcpcdepy1/dev/invokeCommand, Accept=application/json, User-Agent=AmazonAPIGateway_gvcpcdepy1, X-Amz-Security-Token=IQoJb3JpZ2luX2VjEGoaDGV1LWNlbnRyYWwtMSJHMEUCIEKlbtIAmHhPU4NtfPnMaH1qTmd5aPQJWGzg52NzdWwFAiEA2bgH6hS8nxIvme60u7PxI4EL6b9+k0oLM2nbQJCrjGAqwwMI8///////////ARACGgw0NzQyNDAxNDY4MDIiDHgoKWJs1yfdnEKQMiqXA5Y2zOztnyyuj2yLzZlYWoAidplaB2/NSj8yFPNKJFo4yZOPc6sLY3MSwJTOhvh2fKtoJ38JUIHYC7hXLmy2ZXwAXD9VBcpadBtdoy8npQdkeS8HZOHYpx/7XmIi+Lkekmj4mkXA3qBLA4RW2vnZwxY0btpSjDGaGLI57sh+zV2 [TRUNCATED]
2021-05-14T09:41:44.228+02:00 (fVXSzFw4liAFdRA=) Endpoint request body after transformations: {"requestContext":{"routeKey":"invokeCommand","messageId":"fVXSzdAuliACE8A=","eventType":"MESSAGE","extendedRequestId":"fVXSzFw4liAFdRA=","requestTime":"14/May/2021:19:41:44 +0000","messageDirection":"IN","stage":"dev","connectedAt":1621021295576,"requestTimeEpoch":1621021304225,"identity":{"sourceIp":"85.127.7.191"},"requestId":"fVXSzFw4liAFdRA=","domainName":"gvcpcdepy1.execute-api.eu-central-1.amazonaws.com","connectionId":"fVXRcdAYliACE8A=","apiId":"gvcpcdepy1"},"body":"{ \"action\": \"invokeCommand\", \"command\": \"DEVICE FIRMWARE VERSION\" }","isBase64Encoded":false}
2021-05-14T09:41:44.228+02:00 (fVXSzFw4liAFdRA=) Sending request to https://lambda.eu-central-1.amazonaws.com/2015-03-31/functions/arn:aws:lambda:eu-central-1:277312736995:function:on-controller-dev-invokeCommandHandler/invocations
2021-05-14T09:41:44.392+02:00 (fVXSzFw4liAFdRA=) Received response. Status: 200, Integration latency: 164 ms
2021-05-14T09:41:44.392+02:00 (fVXSzFw4liAFdRA=) Endpoint response headers: {Date=Fri, 14 May 2021 19:41:44 GMT, Content-Type=application/json, Content-Length=44, Connection=keep-alive, x-amzn-RequestId=9edb5ae5-c7e6-4a62-8d82-a91d7e094759, x-amzn-Remapped-Content-Length=0, X-Amz-Executed-Version=$LATEST, X-Amzn-Trace-Id=root=1-609ed278-d052a897768ba5f05cb18db1;sampled=0}
2021-05-14T09:41:44.392+02:00 (fVXSzFw4liAFdRA=) Endpoint response body before transformations: {"statusCode":200,"body":"Command invoked."}
2021-05-14T09:41:44.392+02:00 (fVXSzFw4liAFdRA=) AWS Integration Endpoint RequestId : 9edb5ae5-c7e6-4a62-8d82-a91d7e094759
2021-05-14T09:41:44.393+02:00 (fVXSzFw4liAFdRA=) Message from client [Connection Id: fVXRcdAYliACE8A=] sent to API [gvcpcdepy1] with response status code [200].
Could anyone help me understand why this is not working, or what I can do to get it working?
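An added example (not the poster's code): API Gateway WebSocket APIs apply IAM authorization only on the $connect route and do not re-evaluate it for messages on an established connection, so the per-route Deny above has to be enforced in the handlers themselves. The evaluator below shows the posted policy already yields Allow for $connect and Deny for invokeCommand; the $connect handler records those decisions per connection and the message handler enforces them. The route list, the in-memory store and how the connect handler obtains the caller's policy are assumptions.

```python
import re
# Policy from the question, reused to show its per-route decisions are correct.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "execute-api:Invoke",
         "Resource": "arn:aws:execute-api:eu-central-1:277312736995:gvcpcdepy1/*/$connect"},
        {"Effect": "Deny", "Action": "execute-api:Invoke",
         "Resource": "arn:aws:execute-api:eu-central-1:277312736995:gvcpcdepy1/*/invokeCommand"},
    ],
}
ROUTES = ["$connect", "$default", "invokeCommand"]  # routes of the API (assumed list)
ACCOUNT_ID = "277312736995"
CONNECTION_ROUTES = {}  # connectionId -> allowed routes; in-memory stand-in for DynamoDB

def _glob(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def evaluate(policy, action, resource):
    """IAM-style decision: an explicit Deny wins, then Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        res = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(_glob(a, action) for a in acts) and any(_glob(r, resource) for r in res):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def route_arn(api_id, region, stage, route_key, account_id=ACCOUNT_ID):
    return f"arn:aws:execute-api:{region}:{account_id}:{api_id}/{stage}/{route_key}"

def on_connect(rc, policy):
    """$connect handler: the gateway has authorised the identity by now, so this is the
    one place to decide, per route, what this connection may do (policy lookup assumed)."""
    region = rc["domainName"].split(".")[2]
    allowed = {r for r in ROUTES if evaluate(policy, "execute-api:Invoke",
               route_arn(rc["apiId"], region, rc["stage"], r)) == "Allow"}
    CONNECTION_ROUTES[rc["connectionId"]] = allowed
    return {"statusCode": 200}

def on_message(event):
    """Handler for every other route: enforce the stored decision here, because the
    gateway does not re-evaluate IAM for messages on an established connection."""
    rc = event["requestContext"]
    if rc["routeKey"] not in CONNECTION_ROUTES.get(rc["connectionId"], set()):
        return {"statusCode": 403, "body": "Forbidden"}
    return {"statusCode": 200, "body": "Command invoked."}
```

In a real deployment the toy evaluator can be replaced by the IAM SimulatePrincipalPolicy API, which performs the same per-resource decision for the connecting principal.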