Rule: API Gateway Stage Should Be Associated with WAF

This rule ensures API Gateway stages are linked with Web Application Firewall for enhanced security.

Rule: API Gateway stage should be associated with waf
Framework: CISA-cyber-essentials
Severity: Medium

Rule Description

This rule requires that the API Gateway stage is associated with a Web Application Firewall (WAF) to meet the CISA Cyber Essentials guidelines. A WAF provides security and protection against common web application attacks, such as SQL injection and cross-site scripting.

Troubleshooting Steps

If the API Gateway stage is not associated with a WAF, follow these steps to troubleshoot and resolve the issue:

  1. Verify the API Gateway configuration: Check if the API Gateway has been configured properly and if the desired stage is created. Ensure that the stage has not been skipped or missed during the setup process.

  2. Check WAF integration: Confirm whether the Web Application Firewall is properly integrated with the API Gateway. Ensure that the appropriate WAF solution, such as AWS WAF, is selected and properly configured.

  3. Validate WAF rules: Check if the WAF rules are correctly defined and associated with the API Gateway stage. Verify that the security policies and rule sets meet the requirements of the CISA Cyber Essentials guidelines.

  4. Test API Gateway with WAF: Perform thorough testing of the API Gateway stage to ensure that the WAF is functioning correctly. Execute test API calls that simulate potential attacks to verify that the WAF is able to detect and block malicious traffic.
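The association check from the steps above, as an added example (not Cloud Defense's or AWS's own code): it reads `aws apigateway get-stages` output per REST API and lists every stage that carries no `webAclArn`. The function names and the sample data are constructed for illustration; the `collect` helper assumes a configured AWS CLI with read access to API Gateway.

```python
import json
import subprocess

def stage_arn(region, api_id, stage_name):
    """ARN form that AWS WAF uses to identify a REST API stage."""
    return f"arn:aws:apigateway:{region}::/restapis/{api_id}/stages/{stage_name}"

def stages_without_waf(region, stages_by_api):
    """stages_by_api maps REST API id -> parsed `aws apigateway get-stages` output.
    Returns one finding per stage that has no web ACL attached."""
    findings = []
    for api_id, output in sorted(stages_by_api.items()):
        for stage in output.get("item", []):
            # get-stages reports webAclArn only when a web ACL is associated
            if not (stage.get("webAclArn") or "").strip():
                findings.append({
                    "rest_api_id": api_id,
                    "stage": stage["stageName"],
                    "resource_arn": stage_arn(region, api_id, stage["stageName"]),
                })
    return findings

def collect(region):
    """Live collection through the AWS CLI (needs credentials; not called below)."""
    def aws(*args):
        out = subprocess.run(["aws", "apigateway", *args, "--region", region,
                              "--output", "json"], check=True,
                             capture_output=True, text=True).stdout
        return json.loads(out)
    apis = aws("get-rest-apis")["items"]
    return {a["id"]: aws("get-stages", "--rest-api-id", a["id"]) for a in apis}

# Constructed sample data (not from a real account)
SAMPLE = {
    "a1b2c3d4e5": {"item": [
        {"stageName": "prod", "deploymentId": "dep001",
         "webAclArn": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/"
                      "example-acl/00000000-0000-0000-0000-000000000000"},
        {"stageName": "dev", "deploymentId": "dep002"},
    ]},
    "f6g7h8i9j0": {"item": [{"stageName": "v1", "deploymentId": "dep003",
                             "webAclArn": ""}]},
    "k1l2m3n4o5": {},  # API with no stages deployed
}

if __name__ == "__main__":
    for f in stages_without_waf("us-east-1", SAMPLE):
        print(f"NO WAF: {f['rest_api_id']}/{f['stage']}  {f['resource_arn']}")
```

To audit a real account, pass `collect("<region>")` in place of `SAMPLE`.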

Necessary Codes

If the API Gateway stage is not associated with a WAF, use the following AWS CLI command to associate an AWS WAF web ACL with the API Gateway stage:

aws wafv2 associate-web-acl --web-acl-arn <web-acl-arn> --resource-arn arn:aws:apigateway:<region>::/restapis/<api-gateway-id>/stages/<stage-name>

Replace <api-gateway-id> with the appropriate identifier of the API Gateway, <stage-name> with the name of the desired stage, and <region> with the AWS Region of the API. <web-acl-arn> should be replaced with the ARN of the regional web ACL to associate with the stage.

Step-by-step Guide for Remediation

Follow these steps to associate the API Gateway stage with a WAF:

  1. Log in to the AWS Management Console and navigate to the API Gateway service.

  2. Select the desired API Gateway from the list of available APIs.

  3. Click on the "Stages" option on the left-hand side menu.

  4. Identify the relevant stage that needs to be associated with the WAF.

  5. Click on the stage name to open the stage configuration page.

  6. Under the "Security" section, locate the option for integrating with a Web Application Firewall.

  7. Choose the appropriate WAF solution, such as AWS WAF, and select the desired rule sets and security policies that comply with the CISA Cyber Essentials guidelines.

  8. Save the changes and confirm the association between the API Gateway stage and the WAF.

  9. Perform thorough testing of the stage to validate the functionality and effectiveness of the Web Application Firewall.

By following these steps, the API Gateway stage will be successfully associated with the required Web Application Firewall to meet the CISA Cyber Essentials standards.
