Ensure that AWS Web Application Firewall (WAF) is integrated with Amazon API Gateway so that requests are inspected and filtered before they reach your API backend. A Web ACL attached to an API stage protects the API from common web exploits such as SQL injection and cross-site scripting (XSS) payloads, and from abusive traffic that could degrade API availability and performance, expose API data or consume excessive backend resources.
This rule can help you with the following compliance standards:
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Associate each API Gateway API stage with an AWS WAF Web Access Control List (ACL) so that the HTTP and HTTPS requests forwarded to your API are monitored and filtered before they reach the integration backend. Web ACL rules can, for example, block requests from specific IP addresses or CIDR ranges, block requests originating from a given country or region (geo match), or block requests whose query strings, headers or bodies contain SQL injection or script-injection payloads. You can also use Web ACLs to block bad bots, content scrapers and requests from specific User-Agent strings. Note that the association is per stage, not per API: a Web ACL on the prod stage does nothing for a dev or test stage of the same API that is still reachable from the internet, so every deployed stage must be checked.
Audit
To determine if your Amazon API Gateway API stages are associated with WAF Web ACLs, perform the following actions:
Remediation / Resolution
To enable Amazon API Gateway - Amazon WAF integration by associating API stages with Web ACLs, perform the following actions:
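The audit and remediation above can be scripted against the CLI commands listed in the references. The following is an added example, not Conformity's own tooling: it parses the JSON that `aws apigateway get-stages --rest-api-id <id>` returns (the `webAclArn` field is only present on stages that have a Web ACL associated), lists the stages without one, and builds the matching `aws waf-regional associate-web-acl` command for each. The API ID, stage names, region and ACL ID in the sample are made-up placeholders, and the sample output is constructed so the script runs offline.

```python
"""Audit API Gateway stages for WAF Web ACL association and emit remediation commands.

Added example, not Conformity's own code. It works on the JSON that
`aws apigateway get-stages --rest-api-id <id>` returns, so it runs offline on
the constructed sample below; API IDs, stage names, region and ACL IDs are
made-up placeholders.
"""
import json
from typing import Dict, List

# Constructed sample (not real account data): output of
#   aws apigateway get-stages --rest-api-id abcd123456
# `webAclArn` is only present on stages that have a Web ACL associated.
SAMPLE_GET_STAGES = json.loads("""
{
  "item": [
    {
      "stageName": "prod",
      "deploymentId": "a1b2c3",
      "webAclArn": "arn:aws:waf-regional:us-east-1:123456789012:webacl/11111111-2222-3333-4444-555555555555"
    },
    {
      "stageName": "dev",
      "deploymentId": "d4e5f6"
    },
    {
      "stageName": "test",
      "deploymentId": "g7h8i9",
      "webAclArn": ""
    }
  ]
}
""")


def unprotected_stages(get_stages_output: Dict) -> List[str]:
    """Return names of stages with no Web ACL associated.

    A missing key and an empty string are both treated as unprotected, so a
    stage whose ACL was disassociated does not slip through the audit.
    """
    return [
        stage["stageName"]
        for stage in get_stages_output.get("item", [])
        if not stage.get("webAclArn")
    ]


def stage_arn(region: str, api_id: str, stage_name: str) -> str:
    """Build the stage ARN that WAF expects as --resource-arn.

    Note the empty account field: API Gateway stage ARNs carry no account ID.
    """
    return f"arn:aws:apigateway:{region}::/restapis/{api_id}/stages/{stage_name}"


def remediation_commands(region: str, api_id: str, stage_names: List[str],
                         web_acl_id: str) -> List[List[str]]:
    """Return one `aws waf-regional associate-web-acl` argv per unprotected stage.

    waf-regional is WAF Classic, matching the CLI references on this page. For
    a WAFv2 Web ACL the equivalent call is
    `aws wafv2 associate-web-acl --web-acl-arn <acl-arn> --resource-arn <stage-arn>`
    with the same stage ARN.
    """
    return [
        ["aws", "waf-regional", "associate-web-acl",
         "--region", region,
         "--web-acl-id", web_acl_id,
         "--resource-arn", stage_arn(region, api_id, name)]
        for name in stage_names
    ]


def audit(region: str, stages_by_api: Dict[str, Dict],
          web_acl_id: str) -> Dict[str, List[List[str]]]:
    """Map each API ID to the remediation commands for its unprotected stages.

    `stages_by_api` is {api_id: get-stages output}; in practice it is filled by
    iterating `aws apigateway get-rest-apis` and calling get-stages per API.
    APIs whose stages are all protected are omitted from the result.
    """
    findings: Dict[str, List[List[str]]] = {}
    for api_id, output in stages_by_api.items():
        missing = unprotected_stages(output)
        if missing:
            findings[api_id] = remediation_commands(region, api_id, missing, web_acl_id)
    return findings


if __name__ == "__main__":
    report = audit("us-east-1", {"abcd123456": SAMPLE_GET_STAGES},
                   "11111111-2222-3333-4444-555555555555")
    for found_api, cmds in report.items():
        print(f"API {found_api}: {len(cmds)} stage(s) without a Web ACL")
        for argv in cmds:
            print("  " + " ".join(argv))
```

Run it as-is to see the two unprotected sample stages (`dev`, which has no `webAclArn`, and `test`, whose value is empty) and the associate command for each; to audit a real account, replace the sample with the per-API output of `get-stages` and run the emitted commands with credentials that hold `waf-regional:AssociateWebACL`.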
References
- AWS Documentation
  - Amazon API Gateway FAQs
  - Use AWS WAF to Protect Your Amazon API Gateway API from Common Web Exploits
  - What Are AWS WAF, AWS Shield, and AWS Firewall Manager?
  - Working with Web ACLs
  - Associating or Disassociating a Web ACL with an Amazon API Gateway API, a CloudFront Distribution or an Application Load Balancer
- AWS Command Line Interface (CLI) Documentation
  - apigateway
    - get-rest-apis
    - get-stages
  - waf-regional
    - associate-web-acl
- AWS Blog(s)
  - Amazon API Gateway adds support for AWS WAF