AWS API Gateway ignores auth policy returned from the Custom Authorizer Lambda Function

I'm trying to implement custom authorization on API Gateway that would check the user's permissions on each particular endpoint behind it, by reading them from DynamoDB.

I associated the authorizer with the method in question (screenshot of the method request settings omitted).

The authorizer seems to be working OK, and it returns a policy that looks fine to me (have a look underneath):

{
    "policyDocument" : {
        "Version" : "2012-10-17",
        "Statement" : [
            {
                "Action" : "execute-api:Invoke",
                "Effect" : "Deny",
                "Resource" : "arn:aws:execute-api:us-east-2:111111111111:mkvhd2q179/*/GET/api/Test"
            }
        ]
    },
    "principalId"    : "*"
}

However, regardless of the Effect the authorizer returned inside the policy document, API Gateway still lets all requests pass. I get status 200 as well as the result set from the API endpoint underneath.

Any ideas as to why the API Gateway would ignore the policy?

P.S. I tried with the explicit principalId (the username/subject from the token) prior to putting an asterisk there. It behaved the same.

P.P.S. Here's a completely dumbed-down version of my Lambda function, currently set up to always return Deny as the policy Effect:

using Amazon.Lambda.Core;
using System.IdentityModel.Tokens.Jwt;

public class Function
{
    public AuthPolicy FunctionHandler(TokenAuthorizerContext request, ILambdaContext context)
    {
        var token = request.AuthorizationToken;

        // ReadToken only decodes the JWT to get at its claims; it does not validate the signature.
        var handler = new JwtSecurityTokenHandler();
        var tokenS = handler.ReadToken(token) as JwtSecurityToken;
        if (tokenS == null)
        {
            throw new UnauthorizedAccessException("Authorization token is not a JWT");
        }

        // Always Deny for now, for the whole API (every stage, method and path).
        return generatePolicy(tokenS.Subject, "Deny", "arn:aws:execute-api:us-east-2:111111111111:mkvhd2q179/*");
    }

    private AuthPolicy generatePolicy(string principalId, string effect, string resource)
    {
        AuthPolicy authResponse = new AuthPolicy();
        authResponse.policyDocument = new PolicyDocument();
        authResponse.policyDocument.Version = "2012-10-17"; // default version
        authResponse.policyDocument.Statement = new Statement[1];
        // Deliberately "*" for this test; the token subject passed in principalId behaved the same (see P.S.).
        authResponse.principalId = "*";

        Statement statementOne = new Statement();
        statementOne.Action = "execute-api:Invoke"; // default action
        statementOne.Effect = effect;               // "Allow" or "Deny"
        statementOne.Resource = resource;           // method ARN pattern the statement applies to

        authResponse.policyDocument.Statement[0] = statementOne;

        return authResponse;
    }
}

public class TokenAuthorizerContext
{
    public string Type { get; set; }
    public string AuthorizationToken { get; set; }
    public string MethodArn { get; set; }
}

public class AuthPolicy
{
    public PolicyDocument policyDocument { get; set; }
    public string principalId { get; set; }
}

public class PolicyDocument
{
    public string Version { get; set; }
    public Statement[] Statement { get; set; }
}

public class Statement
{
    public string Action { get; set; }
    public string Effect { get; set; }
    public string Resource { get; set; }
}
Eedoh, asked Jun 15 '26 12:06

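The same authorizer response in Python, as an added example that is not the asker's C# code nor anything from the page: it builds the response shape shown in the question, derives the Resource from the incoming methodArn instead of hard-coding it, and checks locally which Effect the returned policy yields for the invoked method. The names build_policy, api_wide_resource, evaluate and lambda_handler are mine, the '*' matching is an fnmatch approximation of IAM wildcards, and a Gateway resource policy is not modelled.

```python
import fnmatch

# Added example, not the asker's code: build the response a Lambda token authorizer
# returns to API Gateway, then check locally which Effect it yields for the invoked
# method ARN. IAM '*' wildcards are approximated with fnmatch; no resource policy is modelled.

ACTION = "execute-api:Invoke"

def build_policy(principal_id, effect, resource):
    """Authorizer response: principalId plus a one-statement IAM policy document."""
    if effect not in ("Allow", "Deny"):
        raise ValueError("effect must be 'Allow' or 'Deny'")
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": ACTION, "Effect": effect, "Resource": resource}],
        },
    }

def api_wide_resource(method_arn):
    """'arn:aws:execute-api:region:acct:apiId/stage/VERB/path' ->
    'arn:aws:execute-api:region:acct:apiId/stage/*' (covers every method of the stage)."""
    prefix, rest = method_arn.rsplit(":", 1)
    api_id, stage = rest.split("/")[:2]
    return f"{prefix}:{api_id}/{stage}/*"

def evaluate(policy, method_arn, action=ACTION):
    """Explicit Deny beats Allow; a method no statement matches is implicitly denied."""
    result = "Deny"
    for stmt in policy["policyDocument"]["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(method_arn, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        result = "Allow"
    return result

def lambda_handler(event, context):
    """Hypothetical handler; the JWT step from the question is omitted and the
    principal is a constructed placeholder."""
    return build_policy("user-from-token", "Deny", api_wide_resource(event["methodArn"]))
```

Running evaluate on the policy your authorizer actually returned, with the methodArn from the event, tells you whether the Resource pattern even covers the method being called before you start looking at the Gateway side.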

1 Answer

TL;DR; Remove/change/check the "Resource Policy" set in the Gateway.

I had a similar problem. Somehow I had an "allow * principal access to * resources" policy set in the Resource Policy on the Gateway, which was being combined with whatever the Authorizer was returning. I ended up removing all resource policies and letting the Authorizer decide.

radu-c, answered Jun 17 '26 02:06


