Rule: API Gateway Should be Associated with an AWS WAF Web ACL

This rule ensures that API Gateway is properly secured by associating it with an AWS WAF web ACL.

Rule: API Gateway should be associated with an AWS WAF web ACL
Framework: AWS Foundational Security Best Practices
Severity: Medium

Rule Description

Associating an AWS Web Application Firewall (WAF) Web ACL with an API Gateway is a recommended security best practice to enhance the protection of your API endpoints against common web-based attacks.

By implementing this rule, you can leverage AWS WAF's advanced security features to filter and monitor incoming traffic to your API Gateway, ensuring that only legitimate requests are allowed while potentially blocking or mitigating malicious activities.

Troubleshooting Steps

If you face any issues while associating an AWS WAF Web ACL with API Gateway, you can follow these troubleshooting steps:

1. Verify WAF Web ACL Existence: Ensure that you have an existing WAF Web ACL in the same region as your API Gateway deployment. If not, create a new WAF Web ACL and configure the necessary rules and conditions.

2. Check IAM Permissions: Confirm that the IAM user or role you are using for API Gateway administration has the necessary IAM permissions to associate a WAF Web ACL. The required permissions for associating an ACL may include waf:AssociateWebACL and apigateway:UpdateRestApi, depending on your specific use case.

3. Ensure Correct Resource ARN: While associating the WAF Web ACL with API Gateway, make sure you provide the correct resource ARN for your API Gateway endpoint. Double-check that you are referencing the correct API Gateway REST API ID or API ID as per your AWS architecture.

4. Examine WAF Regional Endpoint: If you are using an API Gateway with a regional endpoint, ensure that you are associating the WAF Web ACL with the regional endpoint and not with the edge-optimized or private endpoints.

5. Check Correlation IDs: If you experience any issues while testing the API Gateway endpoints after associating the WAF Web ACL, check for any correlation IDs in the logs. These IDs can help identify specific error messages in CloudWatch Logs, AWS WAF Logs, or API Gateway Execution Logs, making it easier to diagnose the problem.

Necessary Code

No specific code is required for associating an AWS WAF Web ACL with API Gateway. The association can be performed through the AWS Management Console or by using AWS CLI commands.

Step-by-Step Guide

To associate an AWS WAF Web ACL with your API Gateway, follow these step-by-step instructions:

1. Open AWS Management Console: Sign in to the AWS Management Console using your AWS account credentials.

2. Navigate to API Gateway: Go to the API Gateway service by searching for "API Gateway" in the service search bar or by selecting it from the services menu.

3. Select the API: From the list of available APIs, select the API to which you want to associate the WAF Web ACL.

4. Choose Stages: In the left sidebar, select the "Stages" option under the selected API.

5. Choose Stage: Choose the specific stage (e.g., Production, Beta) for which you want to associate the WAF Web ACL.

6. Open Stage Editor: Once the stage is selected, click on the "Stage Editor" button.

7. Configure WAF Web ACL: In the Stage Editor, scroll down to the "Web Application Firewall" section and click on the "Configure WAF" button.

8. Select WAF Web ACL: In the Configure WAF Web ACL dialog box, choose the desired Web ACL from the dropdown menu. This list will contain the WAF Web ACLs available in the same AWS region.

9. Save Changes: After selecting the appropriate WAF Web ACL, click on the "Save Changes" button to associate it with the selected stage of your API Gateway.

10. Deploy API: Once the association is saved, you need to redeploy the API for the changes to take effect. Click on the "Actions" button in the API Gateway console and select "Deploy API." Choose the desired deployment stage and confirm the deployment.

Upon completing these steps, the specified WAF Web ACL will be associated with the chosen stage of your API Gateway, providing enhanced security against web-based attacks.
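The "Necessary Code" section notes that the association can also be done from the AWS CLI, and the console walkthrough above performs it one stage at a time. The script below is an added example (not Cloud Defense's code or part of the original page) that does the same thing from a shell so the rule can be checked and remediated across stages: it builds the stage ARN that AWS WAF expects for a REST API stage, asks WAF whether a web ACL is already attached (the rule's compliance check), and, if none is and a web ACL ARN is supplied, associates one. It assumes AWS CLI v2 with credentials configured, a regional REST API, and a WAFv2 (not WAF Classic) web ACL in the same region; the region, REST API ID, stage name and web ACL ARN are caller-supplied placeholders.

```shell
#!/bin/sh
# Added example, not the page's own code. Assumes AWS CLI v2 with credentials,
# a regional REST API, and a WAFv2 web ACL in the same region as the API.
#
# Usage: sh waf_stage_check.sh <region> <rest-api-id> <stage> [web-acl-arn]

# Build the resource ARN WAF expects for a REST API stage:
#   arn:aws:apigateway:<region>::/restapis/<api-id>/stages/<stage>
apigw_stage_arn() {
  printf 'arn:aws:apigateway:%s::/restapis/%s/stages/%s\n' "$1" "$2" "$3"
}

# Classify the text the CLI prints for 'WebACL.ARN': an empty string or the
# literal "None" means no web ACL is attached (non-compliant with the rule).
acl_attached() {
  [ -n "$1" ] && [ "$1" != "None" ]
}

# Query WAF for the web ACL attached to a stage. Returns 0 (compliant) or 1.
check_stage_web_acl() {
  region="$1"; resource_arn="$2"
  acl_arn=$(aws wafv2 get-web-acl-for-resource --region "$region" \
      --resource-arn "$resource_arn" --query 'WebACL.ARN' --output text 2>/dev/null)
  if acl_attached "$acl_arn"; then
    echo "COMPLIANT: $resource_arn -> $acl_arn"
    return 0
  fi
  echo "NON-COMPLIANT: $resource_arn has no web ACL"
  return 1
}

# CLI equivalent of the console "Configure WAF" + "Save Changes" steps.
associate_web_acl() {
  region="$1"; web_acl_arn="$2"; resource_arn="$3"
  aws wafv2 associate-web-acl --region "$region" \
      --web-acl-arn "$web_acl_arn" --resource-arn "$resource_arn"
}

# Only act when invoked with arguments, so the functions can be sourced alone.
if [ "$#" -ge 3 ]; then
  stage_arn=$(apigw_stage_arn "$1" "$2" "$3")
  if ! check_stage_web_acl "$1" "$stage_arn" && [ -n "${4:-}" ]; then
    associate_web_acl "$1" "$4" "$stage_arn" && check_stage_web_acl "$1" "$stage_arn"
  fi
fi
```

Running it with only the region, API ID and stage reports compliance without changing anything, which is the mode to use from a scheduled job; passing the web ACL ARN as the fourth argument turns it into a remediation. Because the check goes through get-web-acl-for-resource, it catches the case from troubleshooting step 4 where the web ACL exists but was never attached to the regional stage.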
