More Info:

This rule verifies whether AWS AppSync resources are associated with AWS WAF (Web Application Firewall) to protect against common web exploits and security vulnerabilities. Associating AppSync with WAF allows for the enforcement of custom access control rules (rate limits, IP allow/deny lists, managed rule groups) and provides an additional layer of security against malicious traffic.

Risk Level

High

Address

Security

Compliance Standards

CBP

Triage and Remediation

Check Cause

Using Console

  1. Sign in to the AWS Management Console.
  2. Navigate to the AWS AppSync service. You can find this by typing ‘AppSync’ into the search bar at the top of the console.
  3. Once in the AppSync dashboard, select the API that you want to check for WAF association.
  4. In the settings or details of the selected API, look for a section or field related to AWS WAF. If the API is associated with a WAF, it should be listed here. If there is no such section or the field is empty, then the API is not associated with a WAF.
Using CLI

  1. First, you need to install and configure the AWS CLI on your local machine. You can do this by following the instructions provided by AWS. Make sure you have the necessary permissions to read AppSync and WAFv2 resources.
  2. Once the AWS CLI is set up, you can list all the AppSync APIs in your account by running the following command:
    aws appsync list-graphql-apis --region your-region
    
    Replace ‘your-region’ with the region where your resources are located. This command will return a list of all the AppSync APIs in the specified region, including each API's ARN (the ‘arn’ field), which you need for the next step.
  3. For each AppSync API, you can check whether it is associated with a Web Application Firewall (WAF) by passing the API's ARN to the following command:
    aws wafv2 get-web-acl-for-resource --resource-arn arn:aws:appsync:your-region:123456789012:apis/your-api-id --region your-region
    
    Replace the ARN with the one returned for your API in the previous step. If a web ACL is associated with the API, the command returns its details under ‘WebACL’; if no web ACL is associated, the output contains no ‘WebACL’ object.
  4. If no ‘WebACL’ object is returned for an AppSync API, it means that the API is not associated with a WAF. You can use a Python script to automate this process. The script will iterate over all the AppSync APIs and check if they are associated with a WAF. If an API is not associated with a WAF, the script will print a message indicating the misconfiguration.
Using Python

To check if AppSync is associated with WAF in AWS using Python scripts, you can use the AWS SDK for Python (Boto3). Here are the steps:
  1. Setup AWS SDK for Python (Boto3): First, you need to set up Boto3 on your machine. You can install it using pip:
    pip install boto3
    
    Then, configure your AWS credentials. You can do this by creating the files ~/.aws/credentials and ~/.aws/config:
    ~/.aws/credentials:
    [default]
    aws_access_key_id = YOUR_ACCESS_KEY
    aws_secret_access_key = YOUR_SECRET_KEY
    
    ~/.aws/config:
    [default]
    region=us-east-1
    
  2. Create a Python script to list all AppSync APIs: Use the list_graphql_apis method to get all the AppSync APIs. Here is a sample script:
    import boto3
    
    # Uses the region and credentials from ~/.aws/config and ~/.aws/credentials
    client = boto3.client('appsync')
    
    # Returns the first page of APIs; large accounts should follow 'nextToken'
    response = client.list_graphql_apis()
    
    for api in response['graphqlApis']:
        print(api['name'], api['apiId'])
    
    This script will print the name and ID of all your AppSync APIs.
  3. Create a Python script to get the WAF web ACL for each AppSync API: Use the get_web_acl_for_resource method to get the WAF web ACL for each AppSync API. Here is a sample script:
    import boto3
    
    # AppSync APIs are regional resources, so use the wafv2 client in the API's region
    client = boto3.client('wafv2')
    
    response = client.get_web_acl_for_resource(
        ResourceArn='arn:aws:appsync:us-east-1:123456789012:apis/YourApiId'
    )
    
    # 'WebACL' is absent when no web ACL is associated, so use .get() to avoid a KeyError
    print(response.get('WebACL'))
    
    Replace ‘YourApiId’ with the ID of your AppSync API. This script will print the WAF web ACL for the specified AppSync API.
  4. Check if the WAF web ACL is associated with the AppSync API: If the get_web_acl_for_resource method returns a web ACL, then the AppSync API is associated with WAF. If it returns an error or an empty result, then the AppSync API is not associated with WAF. You can add this check to your script:
    if 'WebACL' in response:
        print('AppSync API is associated with WAF')
    else:
        print('AppSync API is not associated with WAF')
    
    This script will print whether the specified AppSync API is associated with WAF or not.
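The following script puts the CLI step 4 and the Python steps 2 to 4 above together into one audit that walks every AppSync API (following ‘nextToken’ pagination) and reports which ones have no web ACL. It is an added example, not part of the original rule page or of AWS's own tooling. It assumes the Boto3 calls list_graphql_apis and get_web_acl_for_resource behave as described above, and that a missing association shows up either as a response without a ‘WebACL’ key or as a WAFNonexistentItemException. The FakeAppSync and FakeWafv2 classes are constructed stand-ins with made-up API IDs so the logic runs offline; pass ‘--live’ to use real Boto3 clients.

```python
"""Audit every AppSync GraphQL API for a WAFv2 web ACL association.

Added example (not the rule page's own code). Assumes boto3's
appsync.list_graphql_apis / wafv2.get_web_acl_for_resource as described
in the page; the Fake* classes below are constructed test doubles.
"""
from typing import Any, Dict, List, Optional


def list_all_graphql_apis(appsync_client) -> List[Dict[str, Any]]:
    """Collect every API, following nextToken so later pages are not missed."""
    apis: List[Dict[str, Any]] = []
    kwargs: Dict[str, Any] = {}
    while True:
        page = appsync_client.list_graphql_apis(**kwargs)
        apis.extend(page.get("graphqlApis", []))
        token = page.get("nextToken")
        if not token:
            return apis
        kwargs = {"nextToken": token}


def web_acl_for(wafv2_client, resource_arn: str) -> Optional[Dict[str, Any]]:
    """Return the associated web ACL, or None when nothing is attached.

    'No association' is reported either as a response without a WebACL key
    or as a WAFNonexistentItemException (assumption); both mean unprotected.
    Other errors such as AccessDenied propagate so they are not mistaken for
    a clean result.
    """
    try:
        response = wafv2_client.get_web_acl_for_resource(ResourceArn=resource_arn)
    except Exception as exc:  # botocore ClientError exposes the code via .response
        code = getattr(exc, "response", {}).get("Error", {}).get("Code", "")
        if code == "WAFNonexistentItemException":
            return None
        raise
    return response.get("WebACL")


def audit_appsync_waf(appsync_client, wafv2_client) -> List[Dict[str, str]]:
    """One finding per API: name, apiId, arn, status and the web ACL name (if any)."""
    findings: List[Dict[str, str]] = []
    for api in list_all_graphql_apis(appsync_client):
        acl = web_acl_for(wafv2_client, api["arn"])
        findings.append({
            "name": api["name"],
            "apiId": api["apiId"],
            "arn": api["arn"],
            "status": "PROTECTED" if acl else "NOT_ASSOCIATED_WITH_WAF",
            "webAcl": acl["Name"] if acl else "",
        })
    return findings


# ---- constructed stand-ins so the audit runs offline (not real AWS data) ----
_ARN = "arn:aws:appsync:us-east-1:123456789012:apis/"


class FakeAppSync:
    """Mimics boto3.client('appsync'): two pages, three APIs."""
    _pages = {
        None: {"graphqlApis": [
            {"name": "orders-api", "apiId": "aaaa1111", "arn": _ARN + "aaaa1111"},
            {"name": "public-api", "apiId": "bbbb2222", "arn": _ARN + "bbbb2222"},
        ], "nextToken": "page2"},
        "page2": {"graphqlApis": [
            {"name": "legacy-api", "apiId": "cccc3333", "arn": _ARN + "cccc3333"},
        ]},
    }

    def list_graphql_apis(self, nextToken=None):
        return dict(self._pages[nextToken])


class FakeClientError(Exception):
    """Shaped like botocore ClientError: the error code lives in .response."""
    def __init__(self, code: str):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeWafv2:
    """Mimics boto3.client('wafv2'): only orders-api has a web ACL attached."""
    def get_web_acl_for_resource(self, ResourceArn: str):
        if ResourceArn.endswith("/aaaa1111"):
            return {"WebACL": {"Name": "appsync-protection", "Id": "11111111-2222",
                               "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/appsync-protection/11111111-2222"}}
        if ResourceArn.endswith("/cccc3333"):
            raise FakeClientError("WAFNonexistentItemException")
        return {}  # no association: response carries no WebACL key


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        import boto3  # real clients; needs credentials with appsync/wafv2 read access
        appsync, wafv2 = boto3.client("appsync"), boto3.client("wafv2")
    else:
        appsync, wafv2 = FakeAppSync(), FakeWafv2()
    for f in audit_appsync_waf(appsync, wafv2):
        print(f"{f['status']:24} {f['name']} ({f['apiId']}) {f['webAcl']}")
```

Run it with no arguments to see the three constructed findings (one PROTECTED, two NOT_ASSOCIATED_WITH_WAF); with ‘--live’ it queries the region configured in ~/.aws/config. Keeping the clients as parameters is what makes the audit logic testable without AWS access, and letting non-"nonexistent item" errors propagate avoids reporting an API as clean when the call was actually denied.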