AppSync Should Be Associated With WAF
More Info:
This rule verifies whether AWS AppSync APIs are associated with AWS WAF (Web Application Firewall) to protect them against common web exploits. Associating an AppSync API with a WAF web ACL lets you enforce custom access control rules at the edge and adds a layer of filtering against malicious traffic before requests reach your resolvers.
Risk Level: High
Address: Security
Compliance Standards: CBP
Triage and Remediation
Check Cause
- Sign in to the AWS Management Console.
- Navigate to the AWS AppSync service. You can find this by typing ‘AppSync’ into the search bar at the top of the console.
- Once in the AppSync dashboard, select the API that you want to check for WAF association.
- In the settings or details of the selected API, look for a section or field related to AWS WAF. If the API is associated with a WAF, it should be listed here. If there is no such section or the field is empty, then the API is not associated with a WAF.
- First, install and configure the AWS CLI on your local machine, following the instructions provided by AWS. Make sure the credentials you use have the permissions needed to read AppSync and WAF resources.
- Once the AWS CLI is set up, list all the AppSync APIs in your account by running:

  ```shell
  aws appsync list-graphql-apis --region your-region
  ```

  Replace `your-region` with the region where your resources are located. The command returns a list of all the AppSync APIs in that region, including each API's ARN.
- For each AppSync API, check whether it is associated with a Web Application Firewall (WAF) by running:

  ```shell
  aws wafv2 list-web-acls --scope REGIONAL --region your-region
  ```

  This lists all the Web ACLs in the specified region (AppSync APIs are regional resources, so the REGIONAL scope is the right one). Check whether the ARN of your AppSync API is present among the resources associated with these Web ACLs.
- If the ARN of your AppSync API is not present, the API is not associated with a WAF. You can automate this check with a Python script that iterates over all the AppSync APIs, checks each one for a WAF association, and prints a message for every API that is not protected.
To check if AppSync is associated with WAF in AWS using Python scripts, you can use the AWS SDK for Python (Boto3). Here are the steps:
- Set up the AWS SDK for Python (Boto3): first, install Boto3 on your machine using pip:

  ```shell
  pip install boto3
  ```

  Then configure your AWS credentials by creating the files `~/.aws/credentials` and `~/.aws/config`:

  ```ini
  # ~/.aws/credentials
  [default]
  aws_access_key_id = YOUR_ACCESS_KEY
  aws_secret_access_key = YOUR_SECRET_KEY
  ```

  ```ini
  # ~/.aws/config
  [default]
  region=us-east-1
  ```
- Create a Python script to list all AppSync APIs: use the `list_graphql_apis` method to get all the AppSync APIs. Here is a sample script:

  ```python
  import boto3

  client = boto3.client('appsync')
  kwargs = {}
  while True:  # list_graphql_apis is paginated; follow nextToken so no API is skipped
      response = client.list_graphql_apis(**kwargs)
      for api in response['graphqlApis']:
          print(api['name'], api['apiId'])
      if 'nextToken' not in response:
          break
      kwargs = {'nextToken': response['nextToken']}
  ```

  This script prints the name and ID of all your AppSync APIs.
- Create a Python script to get the WAF web ACL for each AppSync API: use the `get_web_acl_for_resource` method to get the WAF web ACL for each AppSync API. Here is a sample script:

  ```python
  import boto3

  # AppSync APIs are regional, so the wafv2 client must use the API's own region
  client = boto3.client('wafv2', region_name='us-east-1')
  response = client.get_web_acl_for_resource(
      ResourceArn='arn:aws:appsync:us-east-1:123456789012:apis/YourApiId'
  )
  # When no web ACL is attached, the response contains no 'WebACL' key at all,
  # so use .get() rather than response['WebACL'] to avoid a KeyError
  print(response.get('WebACL'))
  ```

  Replace `YourApiId` with the ID of your AppSync API (and the account ID and region with your own). This script prints the WAF web ACL for the specified AppSync API, or `None` if no web ACL is attached.
- Check whether the WAF web ACL is associated with the AppSync API: if the `get_web_acl_for_resource` method returns a web ACL, the AppSync API is associated with WAF. If it returns an error or an empty result (a response without a `WebACL` key), the AppSync API is not associated with WAF. You can add this check to your script:

  ```python
  if response.get('WebACL'):
      print('AppSync API is associated with WAF:', response['WebACL']['ARN'])
  else:
      print('AppSync API is not associated with WAF')
  ```

  This prints whether the specified AppSync API is associated with WAF or not.
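The complete audit that the CLI steps and the Python steps above describe, written as a single script, is shown below. This is an added example, not code from the original page or from AWS. It uses only the two Boto3 calls the page already names, `appsync.list_graphql_apis` (with `nextToken` pagination) and `wafv2.get_web_acl_for_resource`, and treats a response without a `WebACL` key as the finding. The `FakeAppSync` and `FakeWafV2` classes are constructed test doubles with made-up API IDs and a made-up account number, so the logic can be exercised offline; `main()` swaps in real Boto3 clients for the region you pass.

```python
"""Audit: every AWS AppSync GraphQL API in a region should have a WAFv2 web ACL attached.

Added example, not from the original page. The fake clients at the bottom are
constructed test doubles; main() uses real boto3 clients.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional


@dataclass
class ApiWafStatus:
    api_id: str
    name: str
    arn: str
    web_acl_arn: Optional[str]  # None means no web ACL is attached (the finding)

    @property
    def protected(self) -> bool:
        return self.web_acl_arn is not None


def iter_graphql_apis(appsync) -> Iterator[Dict]:
    """Yield every GraphQL API, following nextToken so large accounts are not truncated."""
    kwargs: Dict[str, str] = {}
    while True:
        page = appsync.list_graphql_apis(**kwargs)
        yield from page.get("graphqlApis", [])
        token = page.get("nextToken")
        if not token:
            return
        kwargs = {"nextToken": token}


def web_acl_arn_for(wafv2, resource_arn: str) -> Optional[str]:
    """Return the ARN of the web ACL attached to resource_arn, or None.

    wafv2.get_web_acl_for_resource omits the 'WebACL' key when nothing is
    attached, so indexing response['WebACL'] would raise KeyError on exactly
    the APIs this audit is looking for.
    """
    response = wafv2.get_web_acl_for_resource(ResourceArn=resource_arn)
    web_acl = response.get("WebACL")
    return web_acl["ARN"] if web_acl else None


def audit_appsync_waf(appsync, wafv2) -> List[ApiWafStatus]:
    """Check every AppSync API visible through `appsync` against WAFv2."""
    return [
        ApiWafStatus(api["apiId"], api["name"], api["arn"], web_acl_arn_for(wafv2, api["arn"]))
        for api in iter_graphql_apis(appsync)
    ]


def unprotected_apis(statuses: List[ApiWafStatus]) -> List[str]:
    """Names of the APIs that violate the rule."""
    return [s.name for s in statuses if not s.protected]


# --- constructed test doubles (no AWS access needed) -------------------------
_ACCOUNT = "123456789012"  # made-up account ID
_REGION = "us-east-1"


def _api(api_id: str, name: str) -> Dict:
    return {"apiId": api_id, "name": name,
            "arn": f"arn:aws:appsync:{_REGION}:{_ACCOUNT}:apis/{api_id}"}


class FakeAppSync:
    """Stand-in for boto3.client('appsync') returning two pages of constructed APIs."""
    _PAGES = {
        None: {"graphqlApis": [_api("orders00000000000000000000", "orders-api"),
                               _api("search00000000000000000000", "public-search")],
               "nextToken": "page-2"},
        "page-2": {"graphqlApis": [_api("admin000000000000000000000", "internal-admin")]},
    }

    def list_graphql_apis(self, **kwargs):
        return self._PAGES[kwargs.get("nextToken")]


class FakeWafV2:
    """Stand-in for boto3.client('wafv2'): two of the three APIs have an ACL attached."""
    _ACL_ID = "11111111-1111-1111-1111-111111111111"
    _ACL = {"Name": "appsync-acl", "Id": _ACL_ID,
            "ARN": f"arn:aws:wafv2:{_REGION}:{_ACCOUNT}:regional/webacl/appsync-acl/{_ACL_ID}"}
    _ASSOCIATED = {_api("orders00000000000000000000", "")["arn"],
                   _api("admin000000000000000000000", "")["arn"]}

    def get_web_acl_for_resource(self, ResourceArn: str):
        # Mirrors the real API: 'WebACL' is present only when an ACL is attached.
        return {"WebACL": self._ACL} if ResourceArn in self._ASSOCIATED else {}


def main(region: str = _REGION) -> None:
    import boto3  # only needed when running against a real account
    statuses = audit_appsync_waf(boto3.client("appsync", region_name=region),
                                 boto3.client("wafv2", region_name=region))
    for s in statuses:
        print("OK  " if s.protected else "FAIL", s.name, s.api_id, s.web_acl_arn)


if __name__ == "__main__":
    main()
```

Because AppSync APIs are regional, run `main()` once per region you use; an API in `eu-west-1` will not be found by a `wafv2` client in `us-east-1`. As a quick cross-check, the API objects returned by `list_graphql_apis` also carry a `wafWebAclArn` field when an ACL is attached, but the `wafv2` lookup is the authoritative answer for this rule.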