API Gateway Should Be Integrated With WAF
More Info:
AWS WAF should sit in front of your API Gateway REST API stages so that every request is evaluated against a web ACL before it reaches the backend integration. A web ACL blocks request-pattern attacks such as SQL injection and cross-site scripting and can add rate-based, IP-reputation and bot-control rules. It does not by itself prevent Cross-Site Request Forgery, which needs application-level controls (anti-CSRF tokens, SameSite cookies) in addition to the WAF. Note that a web ACL can only be associated with REST API stages; HTTP and WebSocket APIs (API Gateway v2) have no web ACL setting, so if they need a firewall they must be fronted by a CloudFront distribution that carries the web ACL.
Risk Level
Low
Address
Security
Compliance Standards
HITRUST, SOC2, NISTCSF, PCIDSS
Triage and Remediation
Check Cause
- Sign in to the AWS Management Console and open the Amazon API Gateway console at https://console.aws.amazon.com/apigateway/.
- In the navigation pane choose APIs. The list shows every API in the currently selected region; only the REST APIs can carry a web ACL (HTTP and WebSocket APIs have no Web ACL setting and are out of scope for this check).
- Open the REST API you want to inspect and choose Stages.
- Select each stage in turn and look at the Web ACL entry under Stage details. The association is made per stage, not per API, so a protected prod stage says nothing about the dev or test stages of the same API. If the Web ACL field is empty, that stage is not integrated with WAF and its requests reach the integration unfiltered.
- Repeat for every region in which API Gateway is used; the console only shows the region selected in the top bar.
- List all REST APIs in a region with the get-rest-apis command in the AWS CLI:
aws apigateway get-rest-apis --region your-region --query 'items[].{id:id,name:name}'
Replace 'your-region' with the region you are auditing. REST APIs are regional, so repeat the command for every region you use; the CLI follows the result pages for you.
- Get the stages of each API. The WAF association is a property of the stage, so get-rest-api alone cannot tell you whether an API is protected (it does not return a webAclArn field). Use get-stages instead:
aws apigateway get-stages --rest-api-id your-rest-api-id --region your-region --query 'item[].{stage:stageName,webAcl:webAclArn}'
Replace 'your-rest-api-id' with an id from the previous step.
- Check the webAclArn field of each stage. If it is present and non-empty it holds the ARN of the associated web ACL; if it is missing or empty, that stage is not integrated with WAF. To confirm from the WAF side, pass the stage ARN (arn:aws:apigateway:your-region::/restapis/your-rest-api-id/stages/your-stage) to aws wafv2 get-web-acl-for-resource --resource-arn; a stage with no web ACL returns an empty result rather than a WebACL object.
- Automate the process: the same check can be scripted with the Boto3 library, walking the get_rest_apis paginator of boto3.client('apigateway'), calling get_stages for each API and testing webAclArn on every stage, as in the Python steps below.
- Install the AWS SDK for Python (Boto3):
pip install boto3
- Establish a session. Use the default credential chain (environment variables, a shared config or SSO profile, or an instance/task role) rather than pasting access keys into the script; long-lived keys in source are themselves a finding:
import boto3

session = boto3.Session()  # credentials and default region come from the environment or ~/.aws
client = session.client('apigateway', region_name='us-east-1')  # REST APIs are regional: repeat per region
- List all REST APIs. get_rest_apis is paginated (25 items per page by default), so walk the paginator instead of reading a single response:
apis = []
for page in client.get_paginator('get_rest_apis').paginate():
    apis.extend(page['items'])
- Check each stage for a web ACL. The association belongs to the stage, not the API, and is reported in the webAclArn field of get_stages. Calling get_web_acl_for_resource with api['id'], as the original waf-regional snippet did, does not work: that call expects a full stage ARN, waf-regional is the deprecated WAF Classic API (the current client is wafv2), and catching every exception as "not integrated" hides AccessDenied errors. Reading webAclArn needs only apigateway:GET:
for api in apis:
    for stage in client.get_stages(restApiId=api['id'])['item']:
        if stage.get('webAclArn'):
            print(f"{api['name']}/{stage['stageName']}: protected by {stage['webAclArn']}")
        else:
            print(f"{api['name']}/{stage['stageName']}: NOT associated with a web ACL")
This prints every stage and whether a web ACL is attached. Any stage without one is a finding for this check. Remediate by associating a REGIONAL (not CLOUDFRONT) WAFv2 web ACL with the stage ARN arn:aws:apigateway:<region>::/restapis/<api-id>/stages/<stage-name>, either in the console (Stage details > Web ACL) or with aws wafv2 associate-web-acl.
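The CLI and Boto3 steps above check one region at a time. The following is an added example for this page, not code from the original checklist or from AWS, that generalizes the check to every enabled region of the account and adds the matching remediation step. The check itself is a pure function over the get_rest_apis / get_stages response shapes, so it can be exercised offline on constructed data; the live parts assume (hypothetically) an identity with apigateway:GET on the APIs and stages, ec2:DescribeRegions, and, for remediation, wafv2:AssociateWebACL plus apigateway:SetWebACL, and a REGIONAL web ACL in the same region as the stage. The sample API ids, stage names and web ACL ARN are constructed placeholders.

```python
"""Account-wide check for API Gateway REST API stages with no WAF web ACL, plus an
optional remediation step. Added example for this page; not code from the original
checklist or from AWS.

Assumptions (hypothetical): the identity has apigateway:GET on the APIs and stages,
ec2:DescribeRegions to enumerate enabled regions and, for remediation,
wafv2:AssociateWebACL plus apigateway:SetWebACL. The web ACL given to remediate()
must be a REGIONAL (not CLOUDFRONT) WAFv2 web ACL in the same region as the stage.
"""
import sys


def stage_arn(region, api_id, stage_name):
    # Resource ARN that AWS WAF uses for a REST API stage.
    return f"arn:aws:apigateway:{region}::/restapis/{api_id}/stages/{stage_name}"


def find_unprotected_stages(region, apis_with_stages):
    """Pure check: apis_with_stages is a list of (api, stages) pairs in the shapes
    returned by get_rest_apis()['items'] and get_stages()['item'].  A stage is
    unprotected when webAclArn is missing or empty."""
    findings = []
    for api, stages in apis_with_stages:
        for stage in stages:
            if not stage.get("webAclArn"):
                findings.append({
                    "region": region,
                    "api_id": api["id"],
                    "api_name": api.get("name", ""),
                    "stage": stage["stageName"],
                    "resource_arn": stage_arn(region, api["id"], stage["stageName"]),
                })
    return findings


def collect_rest_apis(session, region):
    """Live read of every REST API and its stages in one region (paginated).
    HTTP/WebSocket APIs (apigatewayv2) are not listed: they cannot carry a web ACL."""
    apigw = session.client("apigateway", region_name=region)
    result = []
    for page in apigw.get_paginator("get_rest_apis").paginate():
        for api in page["items"]:
            result.append((api, apigw.get_stages(restApiId=api["id"])["item"]))
    return result


def enabled_regions(session):
    """Regions enabled for this account; DescribeRegions defaults to AllRegions=False,
    so opt-in regions that are disabled are not returned and cannot cause errors."""
    ec2 = session.client("ec2")  # uses the session's default region
    return [r["RegionName"] for r in ec2.describe_regions()["Regions"]]


def audit_account(session, regions=None):
    """Run the check in every enabled region (or the given list); return all findings."""
    findings = []
    for region in regions or enabled_regions(session):
        findings.extend(find_unprotected_stages(region, collect_rest_apis(session, region)))
    return findings


def remediate(session, finding, web_acl_arn):
    """Attach a REGIONAL WAFv2 web ACL to one unprotected stage."""
    wafv2 = session.client("wafv2", region_name=finding["region"])
    wafv2.associate_web_acl(WebACLArn=web_acl_arn, ResourceArn=finding["resource_arn"])


# Constructed sample in the shape of the API responses, for an offline dry run.
SAMPLE_REGION = "us-east-1"
SAMPLE_APIS = [
    ({"id": "a1b2c3d4e5", "name": "orders-api"}, [
        {"stageName": "prod",
         "webAclArn": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/orders/"
                      "0f0f0f0f-1111-2222-3333-444455556666"},
        {"stageName": "dev"},                  # no webAclArn at all
    ]),
    ({"id": "f6g7h8i9j0", "name": "legacy-api"}, [
        {"stageName": "v1", "webAclArn": ""},  # empty string also counts as unprotected
    ]),
]

if __name__ == "__main__":
    if "--live" in sys.argv:
        import boto3  # imported here so the offline dry run works without the SDK
        findings = audit_account(boto3.Session())
    else:
        findings = find_unprotected_stages(SAMPLE_REGION, SAMPLE_APIS)
    for f in findings:
        print(f"UNPROTECTED {f['api_name']} {f['resource_arn']}")
```

Run it without arguments for the offline dry run over the constructed sample, or with --live against the account; each finding carries the stage ARN in the form WAF expects, so it can be passed straight to remediate() or to aws wafv2 get-web-acl-for-resource --resource-arn as an independent confirmation from the WAF side. The check deliberately reads webAclArn from API Gateway rather than calling WAF, so it needs no wafv2 permissions and an AccessDenied cannot be mistaken for "not protected".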