API Gateway Should Be Integrated With WAF
More Info:
AWS Web Application Firewall (WAF) should be associated with every deployed stage of your API Gateway REST APIs so that common web exploits such as SQL injection and cross-site scripting (XSS) are filtered before they reach your integration. AWS WAF is attached at the stage level and only to REST APIs; HTTP and WebSocket APIs cannot be associated with a web ACL. Note that a WAF does not protect against Cross-Site Request Forgery (CSRF), which arrives as a well-formed request from a legitimate browser; CSRF needs anti-forgery tokens or SameSite cookies in the application itself.
Risk Level
Low
Address
Security
Compliance Standards
HITRUST, SOC2, NISTCSF, PCIDSS
Triage and Remediation
Remediation
To remediate this misconfiguration from the AWS Management Console:
- Open the AWS WAF console and create a web ACL (or pick an existing one) with the "Regional resources" scope, in the same Region as the API. Add at least one rule, for example the AWS managed "Core rule set", and keep the default action as Allow so that only requests matching a rule are blocked; a default action of Block with no rules would reject all traffic to the API.
- Open the Amazon API Gateway console and select the REST API you want to protect. WAF can only be attached to REST APIs, not to HTTP or WebSocket APIs.
- Choose "Stages" in the left-hand menu and select the stage that serves traffic. The web ACL is associated with a stage, not with the API as a whole, so every deployed stage needs this step.
- In the stage's settings, find the "Web Application Firewall (WAF)" section and click "Edit".
- Select the web ACL from the dropdown. Only Regional web ACLs in the same Region are listed; if none is suitable, the page links to the WAF console where you can create one and then return to this step.
- Click "Save" to save the changes, and repeat for each remaining stage.
- Once the integration is complete, test it by sending a request that a rule should match, for example a query string carrying an obvious SQL injection probe, and verify that the stage returns HTTP 403 and the request appears in the web ACL's sampled requests. Send a normal request as well to confirm legitimate traffic still passes.
Your API Gateway stage is now protected by WAF against the exploit patterns covered by the rules you attached.
To remediate the misconfiguration "API Gateway Should Be Integrated With WAF" using the AWS CLI, use the wafv2 commands (the older waf and waf-regional commands manage WAF Classic only):
- Create a REGIONAL web ACL in the same Region as the API. The default action should be Allow, with the rules doing the blocking; a default action of Block with no rules would reject every request to the API. --visibility-config is a required parameter. This example attaches the AWS managed Core rule set, which covers SQL injection and XSS patterns:
aws wafv2 create-web-acl --name <WebACLName> --scope REGIONAL --default-action Allow={} --description "<WebACLDescription>" --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=<WebACLMetricName> --rules '[{"Name":"AWSManagedRulesCommonRuleSet","Priority":0,"Statement":{"ManagedRuleGroupStatement":{"VendorName":"AWS","Name":"AWSManagedRulesCommonRuleSet"}},"OverrideAction":{"None":{}},"VisibilityConfig":{"SampledRequestsEnabled":true,"CloudWatchMetricsEnabled":true,"MetricName":"CommonRuleSet"}}]' --region <Region>
The response carries the web ACL's ARN in Summary.ARN; keep it for the association step.
- Optionally, create your own rule group for custom rules and reference it from the web ACL's --rules with a RuleGroupReferenceStatement. create-rule-group requires --capacity (the web ACL capacity units the group may consume) and --visibility-config:
aws wafv2 create-rule-group --name <RuleGroupName> --scope REGIONAL --capacity <Capacity> --description "<RuleGroupDescription>" --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=<RuleGroupMetricName> --region <Region>
Rules are added to an existing group with update-rule-group, which also needs the --lock-token returned by get-rule-group.
- Associate the web ACL with the API stage. The association is per stage, not per API, and the resource ARN must use the form below; HTTP and WebSocket APIs cannot be associated:
aws wafv2 associate-web-acl --web-acl-arn <WebACLARN> --resource-arn arn:aws:apigateway:<Region>::/restapis/<RestApiId>/stages/<StageName> --region <Region>
- Verify the integration. --resource-type defaults to APPLICATION_LOAD_BALANCER, so without it the API stage is not listed even when it is associated:
aws wafv2 list-resources-for-web-acl --web-acl-arn <WebACLARN> --resource-type API_GATEWAY --region <Region>
This command should return the ARN of every API stage associated with the web ACL. To check a single stage instead, run aws wafv2 get-web-acl-for-resource --resource-arn <StageARN> --region <Region>, which returns the attached web ACL.
By following these steps, you can remediate the misconfiguration "API Gateway Should Be Integrated With WAF" for AWS using the AWS CLI; repeat the association step for each deployed stage.
To remediate the misconfiguration of API Gateway not being integrated with WAF using Python, use the boto3 wafv2 client. The association is made on the WAF side: there is no API Gateway call that attaches a web ACL (the apigateway client has no update_security_configuration method), and the older waf and waf-regional clients only manage WAF Classic, whose get_web_acl response does not carry an 'ARN' key.
- Import boto3 and look up the ARN of the WAFv2 web ACL you want to attach. WAFv2's get_web_acl needs the web ACL's Name, Scope and Id together.
- Build the ARN of the API stage, call associate_web_acl, and read the association back with get_web_acl_for_resource.
import boto3

REGION = 'us-east-1'            # Region of both the API and the web ACL
WEB_ACL_NAME = 'web_acl_name'   # name and ID of the WAFv2 web ACL (scope REGIONAL)
WEB_ACL_ID = 'web_acl_id'
REST_API_ID = 'rest_api_id'     # REST API and stage to protect
STAGE_NAME = 'stage_name'

# WAFv2 client; 'waf' and 'waf-regional' are WAF Classic and return no 'ARN' key
wafv2 = boto3.client('wafv2', region_name=REGION)

# Retrieve the ARN of the web ACL to associate with the API stage
web_acl_arn = wafv2.get_web_acl(Name=WEB_ACL_NAME, Scope='REGIONAL', Id=WEB_ACL_ID)['WebACL']['ARN']

# WAF attaches to a stage, not to the API as a whole; this is the ARN form it expects
stage_arn = f'arn:aws:apigateway:{REGION}::/restapis/{REST_API_ID}/stages/{STAGE_NAME}'

# Associate the web ACL with the stage (a stage carries at most one web ACL)
wafv2.associate_web_acl(WebACLArn=web_acl_arn, ResourceArn=stage_arn)

# Verify by reading the association back from WAF
attached = wafv2.get_web_acl_for_resource(ResourceArn=stage_arn).get('WebACL', {}).get('ARN')
print('associated' if attached == web_acl_arn else 'association not visible: ' + str(attached))
Replace web_acl_name, web_acl_id, rest_api_id and stage_name with the web ACL and stage to link; the web ACL must have scope REGIONAL and live in the same Region as the API. Run the script once per deployed stage (one web ACL can serve many stages). The API Gateway side reflects the result as well: apigateway.get_stage(restApiId=..., stageName=...) returns the attached ARN in its webAclArn field.
- Run the Python script to remediate the misconfiguration of API Gateway not being integrated with WAF in AWS.
After following these steps, the stage is protected by whatever rules the web ACL carries, which helps shield your API from common web exploits such as SQL injection and XSS.
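The detection side of this check, as an added example that is not part of the original page: a small auditor that walks every REST API stage in a Region and reports those with no web ACL attached. The audit logic is pure Python so it can run offline against the constructed SAMPLE_* data below; the live collector at the bottom uses the documented boto3 calls apigateway.get_rest_apis, apigateway.get_stages and wafv2.get_web_acl_for_resource and needs credentials with apigateway:GET and wafv2:GetWebACLForResource. The sample API IDs, stage names and web ACL ARN are made up.

```python
"""Audit: find API Gateway REST API stages that have no AWS WAF web ACL."""
from __future__ import annotations

from typing import Dict, List, Optional, Tuple


def stage_arn(region: str, rest_api_id: str, stage_name: str) -> str:
    """ARN form AWS WAF expects for a REST API stage. Only REST API stages can
    carry a web ACL; HTTP and WebSocket APIs cannot be associated at all."""
    return f"arn:aws:apigateway:{region}::/restapis/{rest_api_id}/stages/{stage_name}"


def find_unprotected_stages(
    region: str,
    apis: List[dict],
    stages_by_api: Dict[str, List[dict]],
    web_acl_for: Dict[str, Optional[str]],
) -> List[Tuple[str, str, str]]:
    """Return (api_name, stage_name, stage_arn) for every stage lacking a web ACL.

    apis:          items from apigateway.get_rest_apis()   ({'id', 'name', ...})
    stages_by_api: api id -> items from apigateway.get_stages() ({'stageName', ...})
    web_acl_for:   stage ARN -> web ACL ARN, or None/missing when WAF reports no
                   association (the answer wafv2.get_web_acl_for_resource gives)
    """
    findings = []
    for api in apis:
        for stage in stages_by_api.get(api["id"], []):
            arn = stage_arn(region, api["id"], stage["stageName"])
            if not web_acl_for.get(arn):
                findings.append((api["name"], stage["stageName"], arn))
    return findings


# Constructed sample (not real account data): two APIs, three stages, one protected.
SAMPLE_REGION = "us-east-1"
SAMPLE_APIS = [{"id": "a1b2c3d4e5", "name": "orders-api"},
               {"id": "f6g7h8i9j0", "name": "admin-api"}]
SAMPLE_STAGES = {"a1b2c3d4e5": [{"stageName": "prod"}, {"stageName": "dev"}],
                 "f6g7h8i9j0": [{"stageName": "v1"}]}
SAMPLE_WEB_ACL = {
    stage_arn(SAMPLE_REGION, "a1b2c3d4e5", "prod"):
        "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/api-acl/0f0f0f0f-1111-2222-3333-444444444444",
    # orders-api/dev and admin-api/v1 are absent: WAF has no association for them
}


def audit_sample() -> List[Tuple[str, str, str]]:
    """Run the check over the constructed sample."""
    return find_unprotected_stages(SAMPLE_REGION, SAMPLE_APIS, SAMPLE_STAGES, SAMPLE_WEB_ACL)


def audit_account(region: str) -> List[Tuple[str, str, str]]:
    """Live version: collect APIs, stages and WAF associations, then run the check."""
    import boto3  # imported here so the offline sample does not need boto3 installed

    apigw = boto3.client("apigateway", region_name=region)
    wafv2 = boto3.client("wafv2", region_name=region)

    apis, position = [], None
    while True:  # get_rest_apis pages with a 'position' token
        kwargs = {"limit": 500}
        if position:
            kwargs["position"] = position
        page = apigw.get_rest_apis(**kwargs)
        apis.extend(page.get("items", []))
        position = page.get("position")
        if not position:
            break

    stages_by_api = {api["id"]: apigw.get_stages(restApiId=api["id"])["item"] for api in apis}

    web_acl_for: Dict[str, Optional[str]] = {}
    for api in apis:
        for stage in stages_by_api[api["id"]]:
            arn = stage_arn(region, api["id"], stage["stageName"])
            try:
                resp = wafv2.get_web_acl_for_resource(ResourceArn=arn)
                web_acl_for[arn] = resp.get("WebACL", {}).get("ARN")  # no key -> unprotected
            except wafv2.exceptions.WAFNonexistentItemException:
                web_acl_for[arn] = None
    return find_unprotected_stages(region, apis, stages_by_api, web_acl_for)


if __name__ == "__main__":
    for name, stage, arn in audit_sample():
        print(f"UNPROTECTED {name}/{stage} ({arn})")
```

The check is done per stage because that is where WAF attaches: an API with a protected prod stage and an unprotected dev stage still has an exposed endpoint. Querying WAF per resource (rather than listing resources per web ACL) also avoids the list-resources-for-web-acl default of only showing load balancers.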