Ensure API gateway has WAF

Integrate AWS Web Application Firewall (WAF) with API Gateway to guard APIs against common web threats like SQL injection, XSS, and CSRF attacks, which can compromise data security and degrade performance.

Risk Level: Low
Cloud Entity: Amazon API Gateway
CloudGuard Rule ID: D9.AWS.NET.95
Covered by Spectral: No
Category: Networking & Content Delivery


ApiGateway should have wafRegional


From Portal 1. Sign in to the API Gateway console at https://console.aws.amazon.com/apigateway 2. In the APIs navigation pane, choose the API, and then choose Stages. 3. In the Stages pane, choose the name of the stage. 4. In the Stage Editor pane, choose the Settings tab. 5. In the AWS WAF web ACL dropdown list, choose the Regional web ACL that you want to associate with this stage.
From TF

	resource "aws_wafv2_web_acl" "example" { name  = "web-acl-association-example" scope = "REGIONAL"
default_action { allow {} }
visibility_config { cloudwatch_metrics_enabled = false metric_name                = "friendly-metric-name" sampled_requests_enabled   = false } }
resource "aws_wafv2_web_acl_association" "example" { resource_arn = aws_api_gateway_stage.example.arn web_acl_arn  = aws_wafv2_web_acl.example.arn }
``` **From Command Line** 
```bash Terminalaws waf-regional associate-web-acl --web-acl-id <web-acl-id> --resource-arn 'arn:aws:apigateway:<region>::/restapis/<rest-api-id>/stages/<sage>'

References 1. https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html 2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl_association

Amazon API Gateway

Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. With a few clicks in the AWS Management Console, you can create REST and WebSocket APIs that act as a ���front door��� for applications to access data, business logic, or functionality from your backend services, such as workloads running on Amazon Elastic Compute Cloud (Amazon EC2), code running on AWS Lambda, any web application, or real-time communication a

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CSA CCM v.4.0.1
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset