As you may know, AWS publishes its current IP address ranges in JSON format. So there is a workaround: you can whitelist the IP CIDR ranges used by API Gateway from the public AWS IP ranges. For example, you can download the JSON file which includes all current IP address ranges of AWS. Then you need to filter by the region (e.g. us-east-1) and the service (API_GATEWAY) accordingly.
In addition, I would like to mention that Amazon IP ranges are subject to change. Whenever there is a change, notifications are sent to subscribers of the ‘AmazonIpSpaceChanged’ SNS topic. You can subscribe to this topic and update the WAF or security group when there is an update.
Reference:
https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
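The filtering step the answer describes, as an added example that is not part of the original post: it parses a document in the shape of ip-ranges.json, keeps only entries whose `region` and `service` match exactly (so `GLOBAL` and `AMAZON` entries are not swept in), validates each CIDR before it could reach an allowlist, and also computes what changed between two revisions of the file, which is the work an `AmazonIpSpaceChanged` subscriber has to do before touching a WAF IP set or security group. The two sample documents are constructed here from RFC 5737 / RFC 3849 documentation ranges and are not real AWS prefixes; `load_ip_ranges`, `service_cidrs` and `cidr_changes` are names chosen for this example.

```python
import ipaddress
import json

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# The CIDRs are documentation ranges, not real AWS prefixes. Note that the same
# prefix can appear under more than one service (here API_GATEWAY and AMAZON),
# exactly as in the real file.
SAMPLE_OLD = json.dumps({
    "syncToken": "1000000000",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "API_GATEWAY", "network_border_group": "us-east-1"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "API_GATEWAY", "network_border_group": "eu-west-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "us-east-1", "service": "API_GATEWAY", "network_border_group": "us-east-1"},
    ],
})

# A constructed later revision: one us-east-1 API Gateway prefix was replaced.
SAMPLE_NEW = json.dumps({
    "syncToken": "1000000999",
    "createDate": "2024-02-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.128/25", "region": "us-east-1", "service": "API_GATEWAY", "network_border_group": "us-east-1"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "API_GATEWAY", "network_border_group": "eu-west-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "us-east-1", "service": "API_GATEWAY", "network_border_group": "us-east-1"},
    ],
})


def load_ip_ranges(text: str) -> dict:
    """Parse ip-ranges.json text and fail early if the top-level shape is wrong."""
    doc = json.loads(text)
    for key in ("syncToken", "prefixes", "ipv6_prefixes"):
        if key not in doc:
            raise ValueError(f"ip-ranges document is missing {key!r}")
    return doc


def service_cidrs(doc: dict, region: str, service: str = "API_GATEWAY",
                  include_ipv6: bool = True) -> list[str]:
    """Return the de-duplicated, sorted CIDRs for one region and one service.

    Matching is exact: an allowlist for API Gateway in us-east-1 must not pick up
    the much broader AMAZON or GLOBAL entries.
    """
    entries = [(e["ip_prefix"], e) for e in doc["prefixes"]]
    if include_ipv6:
        entries += [(e["ipv6_prefix"], e) for e in doc["ipv6_prefixes"]]

    cidrs = set()
    for cidr, entry in entries:
        if entry["region"] != region or entry["service"] != service:
            continue
        # strict=True rejects prefixes with host bits set; a malformed entry should
        # abort the run rather than end up in a WAF IP set or security group rule.
        ipaddress.ip_network(cidr, strict=True)
        cidrs.add(cidr)

    # Sort IPv4 before IPv6, then by network, so diffs between runs are stable.
    return sorted(cidrs, key=lambda c: (ipaddress.ip_network(c).version, ipaddress.ip_network(c)))


def cidr_changes(old_doc: dict, new_doc: dict, region: str,
                 service: str = "API_GATEWAY") -> tuple[list[str], list[str]]:
    """(added, removed) CIDRs between two revisions for one region/service.

    This is what an AmazonIpSpaceChanged handler needs: only the delta has to be
    applied, and an unchanged syncToken means there is nothing to do at all.
    """
    if old_doc["syncToken"] == new_doc["syncToken"]:
        return [], []
    old = set(service_cidrs(old_doc, region, service))
    new = set(service_cidrs(new_doc, region, service))
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    old, new = load_ip_ranges(SAMPLE_OLD), load_ip_ranges(SAMPLE_NEW)
    print("us-east-1 API_GATEWAY:", service_cidrs(old, "us-east-1"))
    added, removed = cidr_changes(old, new, "us-east-1")
    print("added:", added, "removed:", removed)
```

Against the real file, replace the constructed JSON with the downloaded text and keep the rest unchanged; the validation and exact-match filter are the parts that matter, because a sloppy filter (substring match on the region, or forgetting that `AMAZON` covers far more than API Gateway) produces an allowlist that is much wider than intended.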