
πŸ›‘οΈ AWS API Gateway REST API Stage is not associated with a WAF Web ACL🟒

  • Contextual name: 🛡️ REST API Stage is not associated with a WAF Web ACL 🟢
  • ID: /ce/ca/aws/apigateway/rest-api-stage-waf-web-acl
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

  • Internal: dec-x-bfdadcc4

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-bfdadcc4 | 1 |

Description

Associate AWS API Gateway REST API stages with a WAF Web ACL to provide enhanced security against web application threats. AWS WAF is a web application firewall designed to block, allow, or count web requests based on customizable rules and security conditions that you configure. Linking your API Gateway stages to an AWS WAF Web ACL helps safeguard APIs from common exploits such as SQL injection and cross-site scripting (XSS), and other malicious activity targeting your APIs.

Rationale

Configuring AWS WAF Web ACLs for API Gateway stages improves security posture by adding rule-based filtering of requests before they reach the API's integration. This measure defends against automated attacks (bots, credential stuffing, scanners), known-bad request patterns, and abusive traffic volumes from individual sources via rate-based rules. Because Web ACLs can log every inspected request and count matches without blocking, security teams can also observe traffic patterns and tune rules before enforcing them. Without a Web ACL, every request is delivered to the stage with no request-level filtering, and the only defences are whatever authorizers, throttling and input validation the API itself implements, which leaves it more exposed to unauthorized access, data exfiltration, and service disruption.

Impact

AWS WAF pricing includes charges for the number of Web ACLs created, the number of rules within those ACLs, and the volume of web requests inspected. Evaluate the anticipated traffic and associated costs to ensure alignment with your budget and usage expectations. Rules also carry an availability risk: a managed rule group in block mode can reject legitimate API traffic (for example, large JSON bodies or unusual but valid headers), so deploy new rules in count mode first, review the sampled or logged matches, and only then switch them to block.

Remediation

From Command Line

Associate an AWS WAF Web ACL with an API Gateway API Stage

Associate an AWS WAF Web ACL with an API Gateway stage by running the associate-web-acl command:

aws wafv2 associate-web-acl \
--web-acl-arn {{web-acl-arn}} \
--resource-arn {{api-gateway-stage-arn}}

Replace {{web-acl-arn}} with the ARN of your Web ACL and {{api-gateway-stage-arn}} with the ARN of your API Gateway stage. The Web ACL must have REGIONAL scope and be in the same region as the API; a CLOUDFRONT-scoped Web ACL cannot be attached to a stage. The stage ARN has the form arn:aws:apigateway:<region>::/restapis/<api-id>/stages/<stage-name> (note the empty account field). Each stage is associated individually, so a REST API with several stages (for example dev, test and prod) needs one association per stage that is reachable by untrusted clients.
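The command above assumes you already know which stages are unprotected and what their ARNs are. The script below is an added example, not part of this policy page or of any AWS tooling: it builds stage ARNs in the required shape, audits every REST API stage in a region for a Web ACL association, and associates a Web ACL with one stage, reading the association back afterwards. It assumes AWS CLI v2 with credentials permitted to call apigateway:GET, wafv2:GetWebACLForResource and wafv2:AssociateWebACL; the file name waf-stage-audit.sh in the usage comment is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit REST API stages in one
# region for a WAF Web ACL association and remediate a single stage.
# Assumes AWS CLI v2 with credentials allowing apigateway:GET,
# wafv2:GetWebACLForResource and wafv2:AssociateWebACL.
set -eu

# API Gateway REST API stage ARNs have a fixed shape with an EMPTY account
# field; this is the value associate-web-acl expects as --resource-arn:
#   arn:aws:apigateway:<region>::/restapis/<api-id>/stages/<stage-name>
build_stage_arn() {
  local region="$1" api_id="$2" stage="$3"
  printf 'arn:aws:apigateway:%s::/restapis/%s/stages/%s\n' \
    "$region" "$api_id" "$stage"
}

# Print the ARN of the Web ACL protecting a stage, or NONE if there is none.
# With --output text the CLI prints the literal string "None" when the
# WebACL element is absent, which is normalised here.
web_acl_for_stage() {
  local region="$1" stage_arn="$2" acl
  acl=$(aws wafv2 get-web-acl-for-resource --region "$region" \
          --resource-arn "$stage_arn" --query 'WebACL.ARN' --output text)
  if [ -z "$acl" ] || [ "$acl" = "None" ]; then echo NONE; else echo "$acl"; fi
}

# Walk every REST API and stage in the region and emit "<stage-arn>\t<acl|NONE>".
# get-rest-apis lists APIs under "items"; get-stages lists stages under "item".
audit_region() {
  local region="$1" api_id stage arn
  for api_id in $(aws apigateway get-rest-apis --region "$region" \
                    --query 'items[].id' --output text); do
    for stage in $(aws apigateway get-stages --region "$region" \
                     --rest-api-id "$api_id" --query 'item[].stageName' --output text); do
      arn=$(build_stage_arn "$region" "$api_id" "$stage")
      printf '%s\t%s\n' "$arn" "$(web_acl_for_stage "$region" "$arn")"
    done
  done
}

# Remediate one stage. The Web ACL must be REGIONAL scope and in the same
# region as the API; a CLOUDFRONT-scoped Web ACL cannot be attached to a stage.
associate_stage() {
  local region="$1" web_acl_arn="$2" stage_arn="$3"
  aws wafv2 associate-web-acl --region "$region" \
    --web-acl-arn "$web_acl_arn" --resource-arn "$stage_arn"
  # Read the association back so a silently ignored call is caught (set -e
  # makes a mismatch abort the script with a non-zero exit status).
  [ "$(web_acl_for_stage "$region" "$stage_arn")" = "$web_acl_arn" ]
}

# Usage (script name is an assumption):
#   ./waf-stage-audit.sh audit us-east-1 | awk -F'\t' '$2 == "NONE"'
#   ./waf-stage-audit.sh associate us-east-1 <web-acl-arn> <stage-arn>
case "${1:-}" in
  audit)     audit_region "$2" ;;
  associate) associate_stage "$2" "$3" "$4" ;;
esac
```

The audit output is tab-separated so it pipes cleanly into awk or a ticketing import; the awk filter in the usage comment prints only the unprotected stages. Note that the same per-stage check is what a compliance scanner has to perform, since there is no single API Gateway call that reports Web ACL coverage across all stages.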

policy.yaml

Linked Framework Sections

Section → Sub Section | Internal Rules / Policies / Flags | Compliance
💼 APRA CPG 234 → 💼 16a vulnerability and threat management; | 1010 | no data
💼 APRA CPG 234 → 💼 36g vulnerability management controls — which identify and address information security vulnerabilities in a timely manner; | 1010 | no data
💼 APRA CPG 234 → 💼 39a implement mechanisms that access and analyse timely threat intelligence regarding vulnerabilities, threats, methods of attack and countermeasures; | 1010 | no data
💼 APRA CPG 234 → 💼 39d implement mechanisms to disrupt the various phases of an attack. Example phases include reconnaissance, vulnerability exploitation, malware installation, privilege escalation, and unauthorised access | 1010 | no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [APIGateway.4] API Gateway should be associated with a WAF Web ACL | 11 | no data
💼 Cloudaware Framework → 💼 Threat Protection | 31 | no data
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H) | 1163 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H) | 63 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows | 3763 | no data
💼 UK Cyber Essentials → 💼 1.2 Prevent access to the administrative interface from the internet | 3638 | no data