Overview Pattern Construct Props Pattern Properties Default settings Architecture Github

aws-wafwebacl-apigateway

Reference Documentation:

https://docs.aws.amazon.com/solutions/latest/constructs/

Language	Package
Python	`aws_solutions_constructs.aws_wafwebacl_apigateway`
Typescript	`@aws-solutions-constructs/aws-wafwebacl-apigateway`
Java	`software.amazon.awsconstructs.services.wafwebaclapigateway`

Overview

This AWS Solutions Construct implements an AWS WAF web ACL connected to Amazon API Gateway REST API.

Here is a minimal deployable pattern definition:

Typescript


import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import * as lambda from "aws-cdk-lib/aws-lambda";
import { ApiGatewayToLambda } from '@aws-solutions-constructs/aws-apigateway-lambda';
import { WafwebaclToApiGatewayProps, WafwebaclToApiGateway } from "@aws-solutions-constructs/aws-wafwebacl-apigateway";

const apiGatewayToLambda = new ApiGatewayToLambda(this, 'ApiGatewayToLambdaPattern', {
  lambdaFunctionProps: {
    runtime: lambda.Runtime.NODEJS_20_X,
    handler: 'index.handler',
    code: lambda.Code.fromAsset(`lambda`)
  }
});

// This construct can only be attached to a configured API Gateway.
new WafwebaclToApiGateway(this, 'test-wafwebacl-apigateway', {
  existingApiGatewayInterface: apiGatewayToLambda.apiGateway
});

Python


from aws_solutions_constructs.aws_apigateway_lambda import ApiGatewayToLambda
from aws_solutions_constructs.aws_wafwebacl_apigateway import WafwebaclToApiGatewayProps, WafwebaclToApiGateway
from aws_cdk import (
    aws_apigateway as api,
    aws_lambda as _lambda,
    Stack
)
from constructs import Construct

api_gateway_to_lambda = ApiGatewayToLambda(self, 'ApiGatewayToLambdaPattern',
                                    lambda_function_props=_lambda.FunctionProps(
                                        code=_lambda.Code.from_asset(
                                            'lambda'),
                                        runtime=_lambda.Runtime.PYTHON_3_11,
                                        handler='index.handler'
                                    )
                                    )

# This construct can only be attached to a configured API Gateway.
WafwebaclToApiGateway(self, 'test_wafwebacl_apigateway',
                    existing_api_gateway_interface=api_gateway_to_lambda.api_gateway
                    )

Java


import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.apigateway.*;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.apigatewaylambda.*;
import software.amazon.awsconstructs.services.wafwebaclapigateway.*;

final ApiGatewayToLambda apiGatewayToLambda = new ApiGatewayToLambda(this, "ApiGatewayToLambdaPattern",
        new ApiGatewayToLambdaProps.Builder()
                .lambdaFunctionProps(new FunctionProps.Builder()
                        .runtime(Runtime.NODEJS_20_X)
                        .code(Code.fromAsset("lambda"))
                        .handler("index.handler")
                        .build())
                .build());

// This construct can only be attached to a configured Application Load
// Balancer.
new WafwebaclToApiGateway(this, "test-wafwebacl-apigateway", new WafwebaclToApiGatewayProps.Builder()
        .existingApiGatewayInterface(apiGatewayToLambda.getApiGateway())
        .build());

Pattern Construct Props

Name	Type	Description
existingApiGatewayInterface	`api.IRestApi`	The existing API Gateway instance that will be protected with the WAF web ACL. Note that a WAF web ACL can only be added to a configured API Gateway, so this construct only accepts an existing IRestApi and does not accept apiGatewayProps.
existingWebaclObj?	`waf.CfnWebACL`	Existing instance of a WAF web ACL, an error will occur if this and props is set.
webaclProps?	`waf.CfnWebACLProps`	Optional user-provided props to override the default props for the AWS WAF web ACL. To use a different collection of managed rule sets, specify a new rules property. Use our wrapManagedRuleSet(managedGroupName: string, vendorName: string, priority: number) function from core to create an array entry from each desired managed rule set.

Pattern Properties

Name	Type	Description
webacl	`waf.CfnWebACL`	Returns an instance of the waf.CfnWebACL created by the construct.
apiGateway	`api.IRestApi`	Returns an instance of the API Gateway REST API created by the pattern.

Default settings

Out of the box implementation of the Construct without any override will set the following defaults:

AWS WAF

Deploy a WAF web ACL with 7 AWS managed rule groups.
- AWSManagedRulesBotControlRuleSet
- AWSManagedRulesKnownBadInputsRuleSet
- AWSManagedRulesCommonRuleSet
- AWSManagedRulesAnonymousIpList
- AWSManagedRulesAmazonIpReputationList
- AWSManagedRulesAdminProtectionRuleSet
- AWSManagedRulesSQLiRuleSet
  
  Note that the default rules can be replaced by specifying the rules property of CfnWebACLProps
Send metrics to Amazon CloudWatch

Amazon API Gateway

User provided API Gateway object is used as-is

Architecture

Diagram showing the WAF ACL, API Gateway api, CloudWatch log group and IAM role created by the construct

Github

Go to the Github repo for this pattern to view the code, read/create issues and pull requests and more.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

aws-wafwebacl-alb

aws-wafwebacl-appsync