[APIGateway.4]
API Gateway should be associated with an AWS WAF web ACL
Description
All stages of an API Gateway REST API should be associated with an AWS Web Application Firewall (WAF) web access control list (ACL). AWS WAF is a web application firewall that helps protect applications and APIs from common web attacks; a web ACL is the set of rules that allows or blocks web requests based on conditions you define. To make this rule COMPLIANT, ensure that every API Gateway stage is associated with an AWS WAF web ACL.
Details
| Property | Value |
|---|---|
| Category | Protect > Protective Services |
| Compliance Control ID | APIGateway.4 |
| FortifyFox ID | FF100061 |
| Link | APIGateway.4 Compliance |
| Resource Type(s) | AWS::ApiGateway::Deployment, AWS::WAFv2::WebACLAssociation |
| Severity | Medium |
Remediation
Use the following CloudFormation templates to deploy a REST API stage compliant with APIGateway.4.
YAML Template
```yaml
Resources:
  # Deploys the REST API and creates (or updates) the stage that will be protected.
  restAPI:
    Type: AWS::ApiGateway::Deployment
    Properties:
      RestApiId: !Ref YOUR_API_ID
      StageName: restAPIStage
  # Attaches the web ACL to the stage. The stage ARN needs the REST API ID
  # (Ref on a Deployment returns the deployment ID, not the API ID), and the
  # association must wait until the deployment has created the stage.
  webACLAssociation:
    Type: "AWS::WAFv2::WebACLAssociation"
    DependsOn: restAPI
    Properties:
      WebACLArn: ARN_WEBACL
      ResourceArn: !Join
        - /
        - - arn:aws:apigateway:ap-southeast-2::/restapis
          - !Ref YOUR_API_ID
          - stages
          - restAPIStage
```
JSON Template
```json
{
  "Resources": {
    "restAPI": {
      "Type": "AWS::ApiGateway::Deployment",
      "Properties": {
        "RestApiId": { "Ref": "YOUR_API_ID" },
        "StageName": "restAPIStage"
      }
    },
    "webACLAssociation": {
      "Type": "AWS::WAFv2::WebACLAssociation",
      "DependsOn": "restAPI",
      "Properties": {
        "WebACLArn": "ARN_WEBACL",
        "ResourceArn": {
          "Fn::Join": [
            "/",
            [
              "arn:aws:apigateway:ap-southeast-2::/restapis",
              { "Ref": "YOUR_API_ID" },
              "stages",
              "restAPIStage"
            ]
          ]
        }
      }
    }
  }
}
```
You will need to replace YOUR_API_ID with the ID of your REST API and ARN_WEBACL with the ARN of your WAF web ACL.
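As an added example (not part of this control page or of AWS tooling), the following Python check reports which REST API stages have no web ACL associated, using the same stage ARN format as the templates above. The boto3 calls get_rest_apis and get_stages are real API operations; the sample API and stage data are constructed.

```python
"""Check which API Gateway REST API stages lack an AWS WAF web ACL (APIGateway.4).

evaluate() works on plain dicts shaped like the apigateway get_rest_apis /
get_stages responses, so it runs offline on the constructed sample below;
collect() shows how to feed it live data from an account with boto3.
"""


def stage_arn(region, api_id, stage_name):
    # Same ARN format the WebACLAssociation templates use for ResourceArn.
    return f"arn:aws:apigateway:{region}::/restapis/{api_id}/stages/{stage_name}"


def evaluate(region, apis, stages_by_api):
    """Return {stage ARN: 'COMPLIANT' | 'NON_COMPLIANT'} for every stage.

    apis: items from get_rest_apis (each has 'id' and 'name').
    stages_by_api: {api_id: get_stages()['item']}; a stage item carries a
    'webAclArn' key only when a web ACL is associated with that stage.
    """
    findings = {}
    for api in apis:
        for stage in stages_by_api.get(api["id"], []):
            arn = stage_arn(region, api["id"], stage["stageName"])
            findings[arn] = "COMPLIANT" if stage.get("webAclArn") else "NON_COMPLIANT"
    return findings


def collect(region):
    """Live variant: gather the same structures from the account with boto3."""
    import boto3  # imported here so evaluate() stays usable without boto3 installed

    client = boto3.client("apigateway", region_name=region)
    apis = []
    for page in client.get_paginator("get_rest_apis").paginate():
        apis.extend(page["items"])
    stages = {a["id"]: client.get_stages(restApiId=a["id"])["item"] for a in apis}
    return evaluate(region, apis, stages)


# Constructed sample data (not from any real account), in the API response shape.
SAMPLE_APIS = [{"id": "abc123", "name": "orders"}, {"id": "def456", "name": "reports"}]
SAMPLE_STAGES = {
    "abc123": [
        {"stageName": "prod",
         "webAclArn": "arn:aws:wafv2:ap-southeast-2:111122223333:regional/webacl/sample/EXAMPLEID"},
        {"stageName": "dev"},  # no webAclArn: unprotected stage
    ],
    "def456": [{"stageName": "v1"}],
}

if __name__ == "__main__":
    for arn, status in sorted(evaluate("ap-southeast-2", SAMPLE_APIS, SAMPLE_STAGES).items()):
        print(f"{status:14} {arn}")
```

Running collect() against a region lists every stage in the account that still needs a WebACLAssociation, which is the same condition this control flags.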
📓 Notes
- You must have created a valid web ACL with a default action and a scope defined; for API Gateway stages the scope must be REGIONAL, since stages are regional resources.