API Gateway Integrated With AWS WAF

01 Sign in to AWS Management Console.

02 Navigate to API Gateway dashboard at https://console.aws.amazon.com/apigateway/.

03 In the left navigation panel, select APIs to open the APIs listing page.

04 Choose the API that you want to examine then click on its name (link) to access the API details and configuration.

05 In the navigation panel, within the API submenu, click Stages to list the stages created for the selected API.

06 Under Stages, select the API stage that you want to examine.

07 Select Settings tab from the dashboard top panel.

08 On the Settings panel, in the Web Application Firewall (WAF) section, check the Web ACL dropdown list. If there is no Web ACL available within the Web ACL dropdown list, the selected Amazon API Gateway API stage is not currently associated with an AWS WAF Web ACL to protect the API against common web exploits.

09 Repeat steps no. 6 – 8 to verify the AWS WAF – API Gateway integration for other API stages created for the selected API.

10 Repeat steps no. 4 – 8 to verify other Amazon API Gateway APIs available in the current region.

11 Change the AWS region from the navigation bar and repeat the audit process for other regions.

01 Run get-rest-apis command (OSX/Linux/UNIX) using custom query filters to list the IDs of the APIs available in the selected AWS region:

aws apigateway get-rest-apis
    --region us-east-1
    --output table
    --query 'items[*].id'

02 The command output should return a table with the requested API IDs:

----------------
|  GetRestApis |
+--------------+
|  abcabcdabc  |
|  aabbccaabb  |
|  abcdabcdab  |
+--------------+

03 Run get-stages command (OSX/Linux/UNIX) using the ID of the API that you want to examine as identifier and custom query filters to get the name(s) of the API stage(s) created for the selected API:

aws apigateway get-stages
    --region us-east-1
    --rest-api-id abcabcdabc
    --output table
    --query 'item[*].stageName'

04 The command output should return a table with the API stage name(s):

----------------
|   GetStages  |
+--------------+
|  Production  |
|  Staging     |
|  Development |
+--------------+

05 Execute again get-stages command (OSX/Linux/UNIX) using the name of the API stage that you want to examine as identifier, e.g. "Production", and custom query filters to get the ARN of the AWS WAF Web ACL associated with the selected API Gateway API stage:

aws apigateway get-stages
    --region us-east-1
    --rest-api-id abcabcdabc
    --query 'item[?(stageName==`Production`)].webAclArn'

06 The command output should return the requested configuration information:

[]

07 Repeat step no. 5 and 6 to check the AWS WAF – API Gateway integration for other API stages created for the selected API.

08 Repeat steps no. 3 – 7 to verify other AWS API Gateway APIs available in the selected region.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the audit process for other regions.

01 Sign in to AWS Management Console.

02 Navigate to API Gateway dashboard at https://console.aws.amazon.com/apigateway/.

03 In the left navigation panel, select APIs.

04 Choose the API that you want to reconfigure, then click on its name to access the API configuration.

05 In the navigation panel, within the API submenu, click Stages to list the stages created for the selected API.

06 Under Stages, select the API stage that you want to reconfigure in order to enable API Gateway - Amazon WAF integration (see Audit section part I to identify the right stage).

07 Select Settings tab from the dashboard top panel.

08 In the Web Application Firewall (WAF) section, click the Create Web ACL link next to the Web ACL dropdown list and follow the steps outlined in this conformity rule to create your own Amazon WAF Web Access Control List (Web ACL).

09 Once your WAF Web ACL is created, return to the Amazon API Gateway console, select the name of the new ACL from the Web ACL list and click Save Changes to associate your Web ACL with the selected API stage.

10 If required, repeat steps no. 6 – 9 to attach your newly created Web ACL to other API stages available for the selected API.

11 Repeat steps no. 4 – 10 to reconfigure other Amazon API Gateway APIs available within the selected region.

12 Change the AWS region from the navigation bar and repeat the entire process for other regions.

01 Create your own Amazon WAF Web Access Control List (Web ACL) by following the simple step-by-step instructions outlined in this conformity rule.

02 Run associate-web-acl command (OSX/Linux/UNIX) using the ID of the AWS WAF Web ACL created at the previous step (e.g. "aabbccdd-abcd-abcd-abcd-aabbccddaabb") and the ARN of the API Gateway API stage that you want to reconfigure (e.g. "arn:aws:apigateway:us-east-1::/restapis/abcabcdabc/stages/Production") as command parameters to associate your newly created Web ACL with the selected Amazon API Gateway API stage for protection against common web attacks. The ARN of the API stage is constructed using the following format: arn:aws:apigateway:<aws-region>::/restapis/<api-id>/stages/<api-stage>. The associate-web-acl command request does not produce an output:

aws waf-regional associate-web-acl
    --region us-east-1
    --web-acl-id 'aabbccdd-abcd-abcd-abcd-aabbccddaabb'
    --resource-arn 'arn:aws:apigateway:us-east-1::/restapis/abcabcdabc/stages/Production'

03 If required, repeat step no. 2 to attach your newly created Web ACL to other API stages available for the selected API.

04 Repeat step no. 2 and 3 to reconfigure other Amazon API Gateway APIs available in the selected region.

05 Change the AWS region by updating the --region command parameter value and repeat the entire remediation process for other regions.