Aug 14, 2022
Thanks for the comment, Ryan. You can modify it so that only the ALB IP addresses are allowed in the API Policy, but you need to know what they are. In CDK it can be done using custom resources to look up ALB IPs after deployment. Or you can do it with a security group on the API VPC Endpoint - the only catch is that it will apply to all private APIs in the VPC, so it may need some additional configuration.
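
An added example, not part of the comment above and not the author's code: a sketch of the logic a post-deployment lookup could run, turning the ALB's network interfaces into an API Gateway resource policy keyed on `aws:VpcSourceIp`. The response below is constructed and shaped like EC2 `DescribeNetworkInterfaces` output; the load balancer name, IDs and addresses are placeholders, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample, shaped like an EC2 DescribeNetworkInterfaces response.
SAMPLE_ENIS = {"NetworkInterfaces": [
    {"Description": "ELB app/internal-alb/0123456789abcdef", "PrivateIpAddress": "10.0.2.40"},
    {"Description": "ELB app/internal-alb/0123456789abcdef", "PrivateIpAddress": "10.0.1.25"},
    {"Description": "ELB app/other-alb/fedcba9876543210", "PrivateIpAddress": "10.0.1.99"},
    {"Description": "VPC Endpoint Interface vpce-EXAMPLE", "PrivateIpAddress": "10.0.1.7"},
]}


def alb_private_ips(response, alb_suffix):
    """Return the private IPs of the ENIs owned by one ALB.

    alb_suffix is the 'app/<name>/<id>' tail of the load balancer ARN;
    ALB-owned ENIs carry the description 'ELB app/<name>/<id>'.
    """
    wanted = f"ELB {alb_suffix}"
    ips = {eni["PrivateIpAddress"]
           for eni in response.get("NetworkInterfaces", [])
           if eni.get("Description") == wanted}
    if not ips:
        # Fail closed: never emit a policy with an empty allow-list.
        raise ValueError(f"no network interfaces found for {alb_suffix}")
    return sorted(ips, key=ipaddress.ip_address)


def build_resource_policy(ips):
    """Build a private-API resource policy that only admits the given IPs."""
    cidrs = [f"{ipaddress.ip_address(ip)}/32" for ip in ips]  # validates input
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*",
             "Action": "execute-api:Invoke", "Resource": "execute-api:/*"},
            # Explicit deny for any caller whose VPC-side address is not an ALB node.
            {"Effect": "Deny", "Principal": "*",
             "Action": "execute-api:Invoke", "Resource": "execute-api:/*",
             "Condition": {"NotIpAddress": {"aws:VpcSourceIp": cidrs}}},
        ],
    }


if __name__ == "__main__":
    import json
    ips = alb_private_ips(SAMPLE_ENIS, "app/internal-alb/0123456789abcdef")
    print(json.dumps(build_resource_policy(ips), indent=2))
```

ALB node addresses can change as the load balancer scales or is replaced, so a policy built this way has to be regenerated whenever they do.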