AWS API Gateway Development is not integrated with the AWS Web Application Firewall (WAF)

Description:

The AWS Web Application Firewall (WAF) provides a protective barrier to secure applications by filtering and monitoring HTTP/HTTPS traffic between the application and the Internet. When AWS API Gateway development stages are not integrated with AWS WAF, the associated APIs might be more vulnerable to web exploits that could affect their availability, compromise security, or consume excessive resources.


Remediation:

1. Integrate AWS WAF with your API Gateway:

AWS Management Console:
  • Navigate to the AWS WAF dashboard.
  • Create a new WebACL or select an existing one.
  • Under "AWS resources using this web ACL", click "Add association".
  • Choose your API Gateway from the list and select the stage you want to associate.
AWS CLI:
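# API Gateway stages accept only a regional-scope web ACL in the same region as the API;
# "global" in a wafv2 ARN denotes CloudFront scope and cannot be associated with a stage.
aws wafv2 associate-web-acl \
    --web-acl-arn "arn:aws:wafv2:region:account-id:regional/webacl/WebAclName/WebAclId" \
    --resource-arn "arn:aws:apigateway:region::/restapis/RestApiId/stages/StageName"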

2. For New API Gateway Deployments:

AWS Management Console:
  • After deploying a new stage in API Gateway, navigate to the WAF dashboard and associate the newly created stage with your WebACL.
AWS CLI:
# Use a regional-scope web ACL ARN from the same region as the new stage.
aws wafv2 associate-web-acl \
    --web-acl-arn "arn:aws:wafv2:region:account-id:regional/webacl/WebAclName/WebAclId" \
    --resource-arn "arn:aws:apigateway:region::/restapis/RestApiId/stages/NewStageName"
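
To find which stages still need the association from steps 1 and 2, the sketch below (an added example, not part of the original remediation text) reads the JSON printed by `aws apigateway get-stages`, lists stages with no `webAclArn`, and builds the matching `associate-web-acl` commands. The sample JSON, account ID, API ID and ACL name are constructed placeholders, and the function names are hypothetical.

```python
import json
import shlex

# Constructed sample in the shape of `aws apigateway get-stages --rest-api-id <id>`
# output; a stage that has a web ACL associated carries a "webAclArn" field.
SAMPLE_GET_STAGES = json.dumps({"item": [
    {"stageName": "prod", "webAclArn": "arn:aws:wafv2:us-east-1:111122223333:"
     "regional/webacl/ExampleAcl/00000000-0000-0000-0000-000000000000"},
    {"stageName": "dev"},
    {"stageName": "NewStageName"},
]})


def stage_arn(region, rest_api_id, stage_name):
    """Resource ARN format used by associate-web-acl for a REST API stage."""
    return f"arn:aws:apigateway:{region}::/restapis/{rest_api_id}/stages/{stage_name}"


def unprotected_stages(get_stages_json, region, rest_api_id):
    """Return ARNs of stages whose get-stages entry has no web ACL attached."""
    stages = json.loads(get_stages_json).get("item", [])
    return [stage_arn(region, rest_api_id, s["stageName"])
            for s in stages if not s.get("webAclArn")]


def check_web_acl_arn(web_acl_arn, region):
    """Reject ARNs that cannot be associated with a stage in this region."""
    parts = web_acl_arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "wafv2":
        raise ValueError("not a wafv2 ARN")
    if parts[3] != region:
        raise ValueError("web ACL and API stage must be in the same region")
    if not parts[5].startswith("regional/webacl/"):
        raise ValueError("API Gateway stages need a regional-scope web ACL")


def remediation_commands(get_stages_json, region, rest_api_id, web_acl_arn):
    """Build one associate-web-acl command per unprotected stage."""
    check_web_acl_arn(web_acl_arn, region)
    return [
        "aws wafv2 associate-web-acl --region {} --web-acl-arn {} --resource-arn {}".format(
            shlex.quote(region), shlex.quote(web_acl_arn), shlex.quote(arn))
        for arn in unprotected_stages(get_stages_json, region, rest_api_id)
    ]


if __name__ == "__main__":
    acl = ("arn:aws:wafv2:us-east-1:111122223333:regional/webacl/"
           "ExampleAcl/00000000-0000-0000-0000-000000000000")  # constructed
    for cmd in remediation_commands(SAMPLE_GET_STAGES, "us-east-1", "a1b2c3d4e5", acl):
        print(cmd)
```

In practice, replace `SAMPLE_GET_STAGES` with the real `get-stages` output for each REST API and review the generated commands before running them.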

3. Regularly Update WAF Rules:

  • Based on observed traffic and known web threats, continuously update your WAF rules to ensure optimal protection.

4. Monitor & Audit:

  • Activate AWS CloudTrail and CloudWatch to monitor and log events related to API Gateway and WAF.
  • Regularly review logs to identify potential threats and ensure the WAF is effectively filtering malicious traffic.

5. Policy and Training:

Educate developers about the importance of integrating API Gateway with AWS WAF. Regularly update this policy and conduct training sessions to ensure adherence.


Integrating AWS API Gateway with the AWS Web Application Firewall helps to protect your APIs from common web threats, ensuring the security and availability of your services while adhering to best security practices.