SAMでAPIにIP制限をかける

以下の構文でいけます。

この辺みながらコツコツいじりました
https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md

# More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst
Globals:
  Function:
    Timeout: 3
  Api:
    Auth:
      ResourcePolicy:
        CustomStatements:
        - Effect: Allow
          Principal: "*"
          Action: execute-api:Invoke
          Resource: "*"
          Condition:
            IpAddress:
              aws:SourceIp: "221.250.87.66"