
API Gateway Integrated With AWS WAF

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: AG-007

Ensure that AWS Web Application Firewall (WAF) is integrated with Amazon API Gateway to protect your APIs from common web exploits such as SQL injection attacks, cross-site scripting (XSS) attacks and Cross-Site Request Forgery (CSRF) attacks that could affect API availability and performance, compromise API data security or consume excessive resources.

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Associate API Gateway API stages with AWS WAF Web Access Control Lists (ACLs) to monitor and filter the HTTP and HTTPS requests that are forwarded to your API to add protection against common web attacks. For example, you can assign AWS WAF Web ACLs to your API stages to block requests based on IP address or range of IP addresses originating from a specific country or region or block requests containing malicious SQL code or malicious scripts. You can also implement Web ACLs to block bad bots, content scrapers and attacks from specific user-agents.

Audit

To determine if your Amazon API Gateway API stages are associated with WAF Web ACLs, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to API Gateway dashboard at https://console.aws.amazon.com/apigateway/.

03 In the left navigation panel, select APIs to open the APIs listing page.

04 Choose the API that you want to examine then click on its name (link) to access the API details and configuration.

05 In the navigation panel, within the API submenu, click Stages to list the stages created for the selected API.

06 Under Stages, select the API stage that you want to examine.

07 Select Settings tab from the dashboard top panel.

08 On the Settings panel, in the Web Application Firewall (WAF) section, check the Web ACL dropdown list. If there is no Web ACL available within the Web ACL dropdown list, the selected Amazon API Gateway API stage is not currently associated with an AWS WAF Web ACL to protect the API against common web exploits.

09 Repeat steps no. 6 – 8 to verify the AWS WAF – API Gateway integration for other API stages created for the selected API.

10 Repeat steps no. 4 – 8 to verify other Amazon API Gateway APIs available in the current region.

11 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run get-rest-apis command (OSX/Linux/UNIX) using custom query filters to list the IDs of the APIs available in the selected AWS region:

aws apigateway get-rest-apis \
    --region us-east-1 \
    --output table \
    --query 'items[*].id'

02 The command output should return a table with the requested API IDs:

----------------
|  GetRestApis |
+--------------+
|  abcabcdabc  |
|  aabbccaabb  |
|  abcdabcdab  |
+--------------+

03 Run get-stages command (OSX/Linux/UNIX) using the ID of the API that you want to examine as identifier and custom query filters to get the name(s) of the API stage(s) created for the selected API:

aws apigateway get-stages \
    --region us-east-1 \
    --rest-api-id abcabcdabc \
    --output table \
    --query 'item[*].stageName'

04 The command output should return a table with the API stage name(s):

----------------
|   GetStages  |
+--------------+
|  Production  |
|  Staging     |
|  Development |
+--------------+

05 Execute again get-stages command (OSX/Linux/UNIX) using the name of the API stage that you want to examine as identifier, e.g. "Production", and custom query filters to get the ARN of the AWS WAF Web ACL associated with the selected API Gateway API stage:

aws apigateway get-stages \
    --region us-east-1 \
    --rest-api-id abcabcdabc \
    --query 'item[?(stageName==`Production`)].webAclArn'

06 The command output should return the requested configuration information:

[]

If the get-stages command output returns an empty array, as shown in the example above, the selected Amazon API Gateway API stage is not associated with an AWS WAF Web ACL to protect against common web attacks.

07 Repeat steps no. 5 and 6 to check the AWS WAF – API Gateway integration for other API stages created for the selected API.

08 Repeat steps no. 3 – 7 to verify other AWS API Gateway APIs available in the selected region.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the audit process for other regions.
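The CLI audit above, scripted as an added example (not Conformity's own code): it wraps the same get-rest-apis and get-stages calls, applies the rule that a stage with no webAclArn is unprotected, and builds the stage ARN in the format the remediation step expects. It assumes a configured AWS CLI on PATH for the live run; the decision helpers and the constructed sample run offline.

```python
"""Audit API Gateway REST API stages for a missing AWS WAF Web ACL.
Added example, not part of the Conformity rule page; assumes the
`aws` CLI is installed and configured for the live audit_region() path."""
import json
import subprocess
from typing import List


def aws_json(args: List[str]) -> dict:
    """Run one AWS CLI command and return its parsed JSON output."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def unprotected_stages(api_id: str, get_stages: dict) -> List[str]:
    """Apply the audit rule to parsed get-stages output: get-stages omits
    webAclArn when no Web ACL is associated, so absent/empty means unprotected."""
    return [f"{api_id}/{s['stageName']}"
            for s in get_stages.get("item", []) if not s.get("webAclArn")]


def stage_arn(region: str, api_id: str, stage_name: str) -> str:
    """Stage ARN in the format given in the remediation section (used by
    waf-regional associate-web-acl; a WAFv2 Web ACL would instead be attached
    with `aws wafv2 associate-web-acl --web-acl-arn ...`)."""
    return f"arn:aws:apigateway:{region}::/restapis/{api_id}/stages/{stage_name}"


def audit_region(region: str) -> List[str]:
    """Steps 1-8 for one region: every 'api-id/stage' lacking a Web ACL."""
    findings = []
    apis = aws_json(["apigateway", "get-rest-apis", "--region", region])
    for api in apis.get("items", []):
        stages = aws_json(["apigateway", "get-stages", "--region", region,
                           "--rest-api-id", api["id"]])
        findings.extend(unprotected_stages(api["id"], stages))
    return findings


# Constructed sample in the shape of get-stages output (account id and ARNs are
# made up): one protected stage, two unprotected ones.
SAMPLE_GET_STAGES = {"item": [
    {"stageName": "Production",
     "webAclArn": "arn:aws:waf-regional:us-east-1:123456789012:webacl/aabbccdd-abcd-abcd-abcd-aabbccddaabb"},
    {"stageName": "Staging"},
    {"stageName": "Development", "webAclArn": ""},
]}

if __name__ == "__main__":
    # Offline run on the sample; call audit_region("us-east-1") against a real account.
    for finding in unprotected_stages("abcabcdabc", SAMPLE_GET_STAGES):
        print("no Web ACL:", finding)
```

Loop audit_region over each region you use (step 9) to cover the whole account.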

Remediation / Resolution

To enable Amazon API Gateway - Amazon WAF integration by associating API stages with Web ACLs, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to API Gateway dashboard at https://console.aws.amazon.com/apigateway/.

03 In the left navigation panel, select APIs.

04 Choose the API that you want to reconfigure, then click on its name to access the API configuration.

05 In the navigation panel, within the API submenu, click Stages to list the stages created for the selected API.

06 Under Stages, select the API stage that you want to reconfigure in order to enable API Gateway - Amazon WAF integration (see Audit section part I to identify the right stage).

07 Select Settings tab from the dashboard top panel.

08 In the Web Application Firewall (WAF) section, click the Create Web ACL link next to the Web ACL dropdown list and follow the steps outlined in this conformity rule to create your own Amazon WAF Web Access Control List (Web ACL).

09 Once your WAF Web ACL is created, return to the Amazon API Gateway console, select the name of the new ACL from the Web ACL list and click Save Changes to associate your Web ACL with the selected API stage.

10 If required, repeat steps no. 6 – 9 to attach your newly created Web ACL to other API stages available for the selected API.

11 Repeat steps no. 4 – 10 to reconfigure other Amazon API Gateway APIs available within the selected region.

12 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Create your own Amazon WAF Web Access Control List (Web ACL) by following the simple step-by-step instructions outlined in this conformity rule.

02 Run associate-web-acl command (OSX/Linux/UNIX) using the ID of the AWS WAF Web ACL created at the previous step (e.g. "aabbccdd-abcd-abcd-abcd-aabbccddaabb") and the ARN of the API Gateway API stage that you want to reconfigure (e.g. "arn:aws:apigateway:us-east-1::/restapis/abcabcdabc/stages/Production") as command parameters to associate your newly created Web ACL with the selected Amazon API Gateway API stage for protection against common web attacks. The ARN of the API stage is constructed using the following format: arn:aws:apigateway:<aws-region>::/restapis/<api-id>/stages/<api-stage>. The associate-web-acl command request does not produce an output:

aws waf-regional associate-web-acl \
    --region us-east-1 \
    --web-acl-id 'aabbccdd-abcd-abcd-abcd-aabbccddaabb' \
    --resource-arn 'arn:aws:apigateway:us-east-1::/restapis/abcabcdabc/stages/Production'

03 If required, repeat step no. 2 to attach your newly created Web ACL to other API stages available for the selected API.

04 Repeat steps no. 2 and 3 to reconfigure other Amazon API Gateway APIs available in the selected region.

05 Change the AWS region by updating the --region command parameter value and repeat the entire remediation process for other regions.

Publication date Jan 27, 2019