Using AWS WAF to protect your APIs
AWS WAF is a web application firewall that helps protect web applications and APIs from attacks. It enables you to configure a set of rules called a web access control list (web ACL) that allow, block, or count web requests based on customizable web security rules and conditions that you define. For more information, see How AWS WAF Works.
You can use AWS WAF to protect your API Gateway REST API from common web exploits, such as SQL injection and cross-site scripting (XSS) attacks. These could affect API availability and performance, compromise security, or consume excessive resources. For example, you can create rules to allow or block requests from specified IP address ranges, requests from CIDR blocks, requests that originate from a specific country or region, requests that contain malicious SQL code, or requests that contain malicious script.
You can also create rules that match a specified string or a regular expression pattern in HTTP headers, method, query string, URI, and the request body (limited to the first 8 KB). Additionally, you can create rules to block attacks from specific user agents, bad bots, and content scrapers. For example, you can use rate-based rules to specify the number of web requests that are allowed by each client IP in a trailing, continuously updated, 5-minute period.
Important
AWS WAF is your first line of defense against web exploits. When AWS WAF is enabled on an API, AWS WAF rules are evaluated before other access control features, such as resource policies, IAM policies, Lambda authorizers, and Amazon Cognito authorizers. For example, if AWS WAF blocks access from a CIDR block that a resource policy allows, AWS WAF takes precedence and the resource policy isn't evaluated.
To enable AWS WAF for your API, you need to do the following:
-
Use the AWS WAF console, AWS SDK, or CLI to create a Regional web ACL that contains the desired combination of AWS WAF managed rules and your own custom rules. For more information, see Getting Started with AWS WAF and Creating and Configuring a Web Access Control List (Web ACL).
Important
API Gateway requires a Regional web ACL.
-
Associate the AWS WAF Regional web ACL with an API stage. You can do this by using the AWS WAF console, AWS SDK, or CLI or by using the API Gateway console, AWS SDK, or CLI.
To associate an AWS WAF regional Web ACL with an API Gateway API stage using the API Gateway console
To use the API Gateway console to associate an AWS WAF Regional web ACL with an existing API Gateway API stage, use the following steps:
Sign in to the API Gateway console at https://console.aws.amazon.com/apigateway
. -
In the APIs navigation pane, choose the API, and then choose Stages.
-
In the Stages pane, choose the name of the stage.
-
In the Stage Editor pane, choose the Settings tab.
-
To associate a Regional web ACL with the API stage:
-
In the AWS WAF web ACL dropdown list, choose the Regional web ACL that you want to associate with this stage.
Note
If the web ACL you need doesn't exist yet, choose Create WebACL. Then choose Go to AWS WAF to open the AWS WAF console in a new browser tab and create a Regional web ACL. Then return to the API Gateway console to associate the web ACL with the stage.
-
-
Choose Save Changes.
Associate an AWS WAF regional Web ACL with an API Gateway API stage using the AWS CLI
To use the AWS CLI to associate an AWS WAF Regional web ACL with an existing API Gateway API
stage, call the associate-web-acl command, as in the following
example:
aws waf-regional associate-web-acl \ --web-acl-id 'aabc123a-fb4f-4fc6-becb-2b00831cadcf' \ --resource-arn 'arn:aws:apigateway:{region}::/restapis/4wk1k4onj3/stages/prod'
Associate an AWS WAF regional web ACL with an API stage using the AWS WAF REST API
To use the AWS WAF REST API to associate an AWS WAF Regional web ACL with an existing
API Gateway API stage, call the AssociateWebACL command, as in the following
example:
import boto3 waf = boto3.client('waf-regional') waf.associate_web_acl( WebACLId='aabc123a-fb4f-4fc6-becb-2b00831cadcf', ResourceArn='arn:aws:apigateway:{region}::/restapis/4wk1k4onj3/stages/prod' )
