Rule: API Gateway Stage Should Be Associated with WAF

This rule focuses on ensuring that API Gateway stages are associated with Web Application Firewall for enhanced security measures.

Rule: API Gateway stage should be associated with WAF
Framework: NIST 800-53 Revision 5
Severity: Medium

Rule Description:

The rule requires that the stage in the AWS API Gateway must be associated with a Web Application Firewall (WAF) for compliance with NIST 800-53 Revision 5.

NIST 800-53 Revision 5 provides guidelines for securing federal information systems and organizations. One of the requirements is to apply a Web Application Firewall to protect API Gateway stages from common web-based attacks and ensure the security of the system.

Troubleshooting Steps:

If the API Gateway stage is not associated with a WAF, the following troubleshooting steps can be taken:

  1. Check API Gateway Configuration: Verify that the API Gateway is correctly configured and that the association between the appropriate stage and the WAF is in place.

  2. Ensure WAF Configuration: Confirm that the WAF is properly configured with the necessary rules and conditions to protect the API Gateway stage from common web-based attacks.

  3. Review API Gateway Logs: Analyze the logs generated by the API Gateway to identify any security-related events or anomalies that may indicate a lack of WAF protection.

  4. Check WAF Deployment: Verify that the WAF deployment is active and distributed across the desired availability zones to provide comprehensive protection to the API Gateway stage.

Necessary Code:

To associate an API Gateway stage with a WAF, the AWS CLI can be used. Here's an example command:

aws wafv2 associate-web-acl --web-acl-arn <web_acl_arn> --resource-arn <api_gateway_arn>

Replace <web_acl_arn> with the ARN of the WAF ACL that you want to associate, and <api_gateway_arn> with the ARN of the API Gateway stage you want to associate.
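
An added example (not CloudDefense's or AWS's own code): a Python check that reads the JSON returned by `aws apigateway get-stages`, lists the stages with no `webAclArn`, and builds the associate-web-acl command above for each one. The API ID, account ID, ARNs and stage names are constructed sample values; the stage ARN layout and the requirement for a REGIONAL web ACL in the stage's own region are assumptions taken from AWS's documented WAFv2 behaviour.

```python
import json
import shlex

# Constructed sample of `aws apigateway get-stages --rest-api-id a1b2c3d4e5` output.
SAMPLE_WEB_ACL_ARN = ("arn:aws:wafv2:us-east-1:111122223333:"
                      "regional/webacl/api-acl/00000000-0000-0000-0000-000000000000")
SAMPLE_GET_STAGES = json.loads("""
{"item": [
  {"stageName": "prod", "deploymentId": "d1", "webAclArn": "%s"},
  {"stageName": "dev", "deploymentId": "d2"},
  {"stageName": "staging", "deploymentId": "d3", "webAclArn": ""}
]}""" % SAMPLE_WEB_ACL_ARN)

def stage_arn(region, rest_api_id, stage_name, partition="aws"):
    """Resource ARN of a REST API stage (assumed layout; the account field is empty)."""
    return f"arn:{partition}:apigateway:{region}::/restapis/{rest_api_id}/stages/{stage_name}"

def check_web_acl_arn(web_acl_arn, region):
    """Return a reason string if the web ACL cannot protect a stage in `region`, else None."""
    parts = web_acl_arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "wafv2":
        return "not a WAFv2 web ACL ARN"
    if not parts[5].startswith("regional/webacl/"):
        return "web ACL scope must be REGIONAL, not CLOUDFRONT"
    if parts[3] != region:
        return f"web ACL is in {parts[3]}, stage is in {region}"
    return None

def audit_stages(get_stages_response, region, rest_api_id, web_acl_arn, partition="aws"):
    """List stages without a web ACL, each with the CLI command that fixes it."""
    problem = check_web_acl_arn(web_acl_arn, region)
    if problem:
        raise ValueError(problem)
    findings = []
    for stage in get_stages_response.get("item", []):
        if stage.get("webAclArn"):  # non-empty value: already associated
            continue
        arn = stage_arn(region, rest_api_id, stage["stageName"], partition)
        fix = " ".join(["aws wafv2 associate-web-acl",
                        "--web-acl-arn", shlex.quote(web_acl_arn),
                        "--resource-arn", shlex.quote(arn),
                        "--region", shlex.quote(region)])
        findings.append({"stage": stage["stageName"], "resource_arn": arn, "fix": fix})
    return findings

if __name__ == "__main__":
    for f in audit_stages(SAMPLE_GET_STAGES, "us-east-1", "a1b2c3d4e5", SAMPLE_WEB_ACL_ARN):
        print(f"{f['stage']}: no web ACL\n  {f['fix']}")
```

Against a real account, pass the parsed output of `aws apigateway get-stages --rest-api-id <api_id>` in place of the sample and run the check once per REST API and region.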

Step-by-Step Guide for Remediation:

To associate an API Gateway stage with a WAF using the AWS Management Console, follow these steps:

Step 1: Open AWS Management Console

Go to the AWS Management Console and log in to your AWS account.

Step 2: Navigate to API Gateway

Navigate to the API Gateway service from the list of available AWS services.

Step 3: Select API Gateway Stage

Select the API Gateway stage that you want to associate with a WAF from the list of available stages.

Step 4: Go to "Web ACL Associations" Tab

In the API Gateway stage's settings, click on the "Web ACL Associations" tab.

Step 5: Click on "Edit"

Click on the "Edit" button to modify the Web ACL associations for the selected stage.

Step 6: Click on "Add/Edit Web ACL"

In the "Web ACL Associations" section, click on the "Add/Edit Web ACL" button.

Step 7: Select WAF ACL

Select the desired WAF ACL that you want to associate with the API Gateway stage from the list of available Web ACLs.

Step 8: Click on "Save"

Click on the "Save" button to save the changes and associate the selected WAF ACL with the API Gateway stage.

Step 9: Verify Association

Verify the association by confirming that the selected WAF ACL is now associated with the API Gateway stage.

By following the above steps, you can successfully associate the API Gateway stage with the required Web Application Firewall (WAF) for compliance with NIST 800-53 Revision 5.
