AWS API Gateway production stage is not integrated with AWS Web Application Firewall (WAF)

Description:

AWS Web Application Firewall (WAF) filters and monitors HTTP/HTTPS requests at layer 7 before they reach the web application behind it. For API Gateway, a web ACL is attached per stage, not per API, so a production stage that has no web ACL association receives every request unfiltered: injection payloads (SQLi, XSS), known-bad bots and scanners, requests from blocklisted IP ranges, and HTTP floods all pass straight through to the integration backend. This exposes the API and its backend to compromise, degraded availability, and unnecessary cost from serving malicious traffic. Note that only REST APIs (API Gateway v1) can be associated with AWS WAF; HTTP APIs and WebSocket APIs (API Gateway v2) cannot, so they need a different control such as placing an Application Load Balancer or CloudFront distribution with WAF in front of them.


Remediation:

1. Integrate AWS WAF with your API Gateway production stage:

API Gateway stages are regional resources, so the web ACL must be created in the same region with scope "Regional" (a CloudFront-scoped, global web ACL cannot be associated with an API stage).

AWS Management Console:
  • Open the AWS WAF & Shield console and select the region of the API.
  • Either create a new web ACL with Regional scope or select an existing regional one.
  • On the web ACL, open the "Associated AWS resources" tab and click "Add AWS resources".
  • Choose "Amazon API Gateway", select the REST API and the production stage to protect, and save.
  • Alternatively, in the API Gateway console open the API, go to Stages, select the production stage and choose the web ACL in the stage settings.
AWS CLI:
aws wafv2 associate-web-acl \
    --region region \
    --web-acl-arn "arn:aws:wafv2:region:account-id:regional/webacl/WebAclName/WebAclId" \
    --resource-arn "arn:aws:apigateway:region::/restapis/RestApiId/stages/ProductionStageName"

Verify the association afterwards; the stage reports the attached web ACL in its webAclArn attribute:
aws apigateway get-stage --region region --rest-api-id RestApiId --stage-name ProductionStageName --query webAclArn

2. For New API Gateway Deployments in Production:

A web ACL association is not inherited by new stages or new APIs, so every newly created production stage must be associated explicitly. Where the API is deployed with infrastructure as code, define the association alongside the stage (for example an AWS::WAFv2::WebACLAssociation resource in CloudFormation) so it cannot be forgotten.

AWS Management Console:
  • Once you deploy a new production stage in API Gateway, go to the WAF console and add the new stage to the regional web ACL under "Associated AWS resources".
AWS CLI:
aws wafv2 associate-web-acl \
    --region region \
    --web-acl-arn "arn:aws:wafv2:region:account-id:regional/webacl/WebAclName/WebAclId" \
    --resource-arn "arn:aws:apigateway:region::/restapis/RestApiId/stages/NewProductionStageName"
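The following script automates the check behind steps 1 and 2: it walks every REST API in a region, picks out the production stages by name, reports those whose stage has no webAclArn, and associates the missing ones with a regional web ACL. It is an added example, not code from the original page or from AWS. It uses the real boto3 operations apigateway.get_rest_apis, apigateway.get_stages and wafv2.associate_web_acl, but the demo at the bottom injects fake clients replaying constructed responses so it runs offline; the API names, IDs, account number and the production-stage naming pattern are assumptions you should replace with your own.

```python
"""Audit API Gateway REST API stages for AWS WAF association (added example).

Illustrative code, not part of the original page or of any AWS tooling. The
boto3 call names and response shapes are real; the clients used by run_demo()
are fakes with constructed data so the script runs without AWS credentials.
"""
import re

# API Gateway is regional, so the web ACL must have scope REGIONAL; a
# CloudFront-scoped ("global") ACL cannot be associated with a stage.
def web_acl_arn(region, account_id, name, acl_id):
    return f"arn:aws:wafv2:{region}:{account_id}:regional/webacl/{name}/{acl_id}"

def stage_arn(region, rest_api_id, stage_name):
    return f"arn:aws:apigateway:{region}::/restapis/{rest_api_id}/stages/{stage_name}"

# Assumed naming convention for production stages; adjust to your own.
PRODUCTION_STAGE_RE = re.compile(r"^(prod|production|prd)$", re.IGNORECASE)

def is_production_stage(stage_name):
    return bool(PRODUCTION_STAGE_RE.match(stage_name))

def list_rest_apis(apigw):
    """Follow the 'position' pagination token of get_rest_apis."""
    position = None
    while True:
        kwargs = {"limit": 500}
        if position:
            kwargs["position"] = position
        page = apigw.get_rest_apis(**kwargs)
        yield from page.get("items", [])
        position = page.get("position")
        if not position:
            return

def find_unprotected_stages(apigw, region, stage_filter=is_production_stage):
    """Return ARNs of matching stages whose Stage object carries no webAclArn.

    API Gateway reports the associated web ACL on the stage itself, so no WAF
    call is needed for the check. HTTP and WebSocket APIs (API Gateway v2) are
    not listed by get_rest_apis and cannot be associated with WAF at all.
    """
    findings = []
    for api in list_rest_apis(apigw):
        for stage in apigw.get_stages(restApiId=api["id"]).get("item", []):
            name = stage["stageName"]
            if stage_filter(name) and not stage.get("webAclArn"):
                findings.append(stage_arn(region, api["id"], name))
    return findings

def associate_stages(wafv2, acl_arn, stage_arns):
    """Associate one regional web ACL with each stage; returns the ARNs done."""
    done = []
    for arn in stage_arns:
        wafv2.associate_web_acl(WebACLArn=acl_arn, ResourceArn=arn)
        done.append(arn)
    return done

# ---- constructed fake clients so the example runs offline -------------------
class FakeApiGateway:
    def __init__(self, apis, stages_by_api):
        self.apis, self.stages_by_api = apis, stages_by_api
    def get_rest_apis(self, limit=25, position=None):
        return {"items": self.apis}            # one page, so no 'position'
    def get_stages(self, restApiId):
        return {"item": self.stages_by_api[restApiId]}

class FakeWafv2:
    def __init__(self):
        self.calls = []                        # records (WebACLArn, ResourceArn)
    def associate_web_acl(self, WebACLArn, ResourceArn):
        self.calls.append((WebACLArn, ResourceArn))
        return {}

def run_demo(region="us-east-1", account_id="123456789012"):
    # Real use: apigw = boto3.client("apigateway", region_name=region)
    #           wafv2 = boto3.client("wafv2", region_name=region)
    acl = web_acl_arn(region, account_id, "prod-api-acl",
                      "11111111-2222-3333-4444-555555555555")   # made-up ID
    apigw = FakeApiGateway(
        apis=[{"id": "abc123", "name": "orders"}, {"id": "def456", "name": "payments"}],
        stages_by_api={
            "abc123": [{"stageName": "prod", "webAclArn": acl},  # already protected
                       {"stageName": "dev"}],                   # not in scope
            "def456": [{"stageName": "Production"}],            # the finding
        },
    )
    wafv2 = FakeWafv2()
    findings = find_unprotected_stages(apigw, region)
    associated = associate_stages(wafv2, acl, findings)
    return findings, associated, wafv2.calls

if __name__ == "__main__":
    found, fixed, _ = run_demo()
    print("unprotected production stages:", found)
    print("associated with web ACL:", fixed)
```

Run it per region, since both API Gateway and regional web ACLs are region-scoped; an API in eu-west-1 will never show up when the clients are created for us-east-1.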

3. Regularly Update WAF Rules:

  • Start from AWS Managed Rules rule groups (for example the Core rule set and the Known bad inputs rule set) and add IP reputation, rate-based and custom rules based on the traffic patterns you observe.
  • Introduce new or changed rules in Count mode first and review the sampled requests before switching them to Block, so that a rule update does not take the production API offline.

4. Monitoring and Auditing:

  • Enable AWS CloudTrail so that changes to the association itself (AssociateWebACL, DisassociateWebACL, UpdateWebACL) and to the API stages are recorded.
  • Enable WAF logging on the web ACL (to CloudWatch Logs, S3 or Kinesis Data Firehose) and watch the AllowedRequests, BlockedRequests and CountedRequests CloudWatch metrics per rule.
  • Use the AWS Config managed rule api-gw-associated-with-waf to flag any REST API stage that loses or never had a web ACL association.
  • Review these logs and findings regularly to identify potential threats and verify that the WAF is filtering harmful traffic effectively.

5. Policy and Training:

Ensure developers and relevant stakeholders understand the significance of integrating the API Gateway with AWS WAF, especially for production stages. Regularly review and update policies, and conduct training sessions to reinforce these best practices.


Associating API Gateway REST API production stages with AWS WAF places a filtering layer in front of the API that blocks common web attacks before they reach the backend. Combined with ongoing rule tuning and monitoring of the association, this helps maintain the security and availability of your services in line with security best practices.