The IP address ranges used by AWS are published as a JSON file here. These address ranges keep changing. The addresses listed for API_GATEWAY are egress only.
To restrict or allow traffic coming from API Gateway, depending on whether you are using a Regional or an Edge-Optimized endpoint, you can whitelist the entire IP address range of the EC2 or CloudFront service. The service identifiers that can be used to select the IP addresses are:
For a Regional API endpoint: "API_GATEWAY", "AMAZON", "EC2"
For an Edge-Optimized endpoint: "CLOUDFRONT"
For an HTTP API: "API_GATEWAY", "AMAZON", "EC2"
The CloudFront IP list has two ranges of IP addresses, CLOUDFRONT_GLOBAL_IP_LIST and CLOUDFRONT_REGIONAL_EDGE_IP_LIST. It is better to whitelist both ranges.
Amazon IP ranges are subject to change. Whenever there is a change, a notification is sent to subscribers of the 'AmazonIpSpaceChanged' SNS topic. You can subscribe to this topic and update your firewall rules/iptables accordingly. https://aws.amazon.com/blogs/aws/subscribe-to-aws-public-ip-address-changes-via-amazon-sns/
You can use the following jq commands to filter IP addresses from the JSON file:
jq -r '.prefixes[] | select(.region=="SPECIFY_REGION") | select(.service=="EC2") | .ip_prefix' < ip-ranges.json
jq -r '.prefixes[] | select(.region=="SPECIFY_REGION") | select(.service=="CLOUDFRONT") | .ip_prefix' < ip-ranges.json
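The same selection as the jq filters above, plus the two things a handler for the AmazonIpSpaceChanged notification needs, a diff of the prefixes between two published versions of the file and an allow-list check for a source address. This is an added example, not code from the answer or from AWS; the two JSON documents are constructed samples in the layout of ip-ranges.json (the real keys are prefixes/ipv6_prefixes, service, region, ip_prefix/ipv6_prefix and syncToken), and the addresses are documentation ranges, not AWS's published prefixes.

```python
import ipaddress
import json

# Constructed sample documents in the layout of ip-ranges.json: the keys are the real ones,
# the addresses are RFC 5737/3849 documentation ranges, not AWS's published prefixes.
OLD_RANGES = json.loads("""{
  "syncToken": "1000000000",
  "prefixes": [
    {"ip_prefix": "192.0.2.0/25",    "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL",    "service": "CLOUDFRONT"},
    {"ip_prefix": "203.0.113.0/24",  "region": "us-east-1", "service": "API_GATEWAY"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8::/32", "region": "us-east-1", "service": "EC2"}
  ]
}""")
NEW_RANGES = json.loads("""{
  "syncToken": "1000000001",
  "prefixes": [
    {"ip_prefix": "192.0.2.0/25",    "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "192.0.2.128/25",  "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL",    "service": "CLOUDFRONT"},
    {"ip_prefix": "203.0.113.0/24",  "region": "us-east-1", "service": "API_GATEWAY"}
  ],
  "ipv6_prefixes": []
}""")

def select_prefixes(ranges, services, region=None):
    """Same as the jq filters: v4 and v6 prefixes for the given services, optionally one region."""
    out = set()
    for key, field in (("prefixes", "ip_prefix"), ("ipv6_prefixes", "ipv6_prefix")):
        for p in ranges.get(key, []):
            if p["service"] in services and (region is None or p["region"] == region):
                out.add(p[field])
    return out

def diff_prefixes(old, new, services, region=None):
    """(added, removed) prefixes between two versions of the file, for updating firewall rules."""
    if old.get("syncToken") == new.get("syncToken"):
        return [], []  # same publication of the file, nothing changed
    before = select_prefixes(old, services, region)
    after = select_prefixes(new, services, region)
    return sorted(after - before), sorted(before - after)

def is_allowed(client_ip, allowed_prefixes):
    """Allow-list check a firewall rule performs on a source address (v4 or v6)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(p) for p in allowed_prefixes)
```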