A web ACL (web access control list) is the core resource in an AWS WAF deployment. It contains the rules that are evaluated against each request it receives. A web ACL is associated with your web application through an Amazon CloudFront distribution, an Amazon API Gateway REST API stage, or an Application Load Balancer.
AWS WAF is a web application firewall that helps protect web applications and APIs from attacks. It enables you to configure a set of rules (called a web access control list (web ACL)) that allow, block, or count web requests based on customizable web security rules and conditions that you define.
You can use AWS WAF to protect your API Gateway API from common web exploits, such as SQL injection and cross-site scripting (XSS) attacks. These could affect API availability and performance, compromise security, or consume excessive resources.
By default, an API Gateway stage is not associated with any WAF web ACL, so requests reach the API without being evaluated by WAF rules.
Using AWS CLI:
This command lists the stages of a REST API and returns the web ACL ARN attached to the named stage (the Stage object carries the association in its webAclArn field; an empty result means no web ACL is attached):
aws apigateway get-stages \
    --rest-api-id <rest-api-id> \
    --query 'item[?stageName==`<stage-name>`].webAclArn'
Using AWS CLI:
This command attaches a web ACL to an API Gateway stage. The resource ARN identifies the stage, not the API as a whole, so each stage that must be protected is associated separately:
aws wafv2 associate-web-acl \
    --web-acl-arn <web-acl-arn> \
    --resource-arn arn:aws:apigateway:<region>::/restapis/<api-id>/stages/<stage-name>
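The two CLI steps above (check each stage, then associate the missing ones) can be turned into a small audit. The following script is an added example, not code from AWS or from this page: it parses the JSON that `aws apigateway get-stages` prints, lists stages whose `webAclArn` is absent or empty, builds the stage resource ARN and prints the matching `aws wafv2 associate-web-acl` command for each. The stage listing and the web ACL ARN embedded in it are constructed sample data so the script runs offline; the region, API id and web ACL ARN passed on the command line are placeholders you replace with your own.

```python
"""Audit API Gateway REST API stages for a missing AWS WAF web ACL.

Added example (not AWS documentation code). It works on the output of
`aws apigateway get-stages --rest-api-id <id>`: a JSON object whose "item"
list holds one Stage object per stage, with the WAF association stored in
the optional "webAclArn" field. Pipe real CLI output into this script or
run it without input to use the constructed sample below.
"""
import json
import sys
from typing import List

# Constructed sample of `get-stages` output: "prod" has a web ACL, "dev"
# has none, and "test" carries an empty ARN (treated as unprotected).
SAMPLE_GET_STAGES = json.dumps({
    "item": [
        {"stageName": "prod", "deploymentId": "d1",
         "webAclArn": "arn:aws:wafv2:us-east-1:111122223333:regional/"
                      "webacl/example-acl/WEBACL-ID-PLACEHOLDER"},
        {"stageName": "dev", "deploymentId": "d2"},
        {"stageName": "test", "deploymentId": "d3", "webAclArn": ""},
    ]
})


def find_unprotected_stages(get_stages_json: str) -> List[str]:
    """Return the names of stages with no web ACL attached.

    A stage is unprotected when "webAclArn" is missing or empty, which is
    the default state of a newly created stage.
    """
    data = json.loads(get_stages_json)
    return [
        stage["stageName"]
        for stage in data.get("item", [])
        if not stage.get("webAclArn")
    ]


def stage_resource_arn(region: str, rest_api_id: str, stage_name: str) -> str:
    """Build the ARN that `aws wafv2 associate-web-acl --resource-arn` expects.

    The format is fixed by API Gateway: note the empty account field (::)."""
    return f"arn:aws:apigateway:{region}::/restapis/{rest_api_id}/stages/{stage_name}"


def associate_commands(region: str, rest_api_id: str, web_acl_arn: str,
                       stage_names: List[str]) -> List[str]:
    """Produce one remediation command per unprotected stage."""
    return [
        f"aws wafv2 associate-web-acl --web-acl-arn {web_acl_arn} "
        f"--resource-arn {stage_resource_arn(region, rest_api_id, name)}"
        for name in stage_names
    ]


def main() -> None:
    # Usage: aws apigateway get-stages --rest-api-id <id> | python audit.py <region> <api-id> <web-acl-arn>
    # Without piped input the constructed sample is used.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GET_STAGES
    region = sys.argv[1] if len(sys.argv) > 1 else "<region>"
    rest_api_id = sys.argv[2] if len(sys.argv) > 2 else "<api-id>"
    web_acl_arn = sys.argv[3] if len(sys.argv) > 3 else "<web-acl-arn>"

    unprotected = find_unprotected_stages(raw)
    if not unprotected:
        print("All stages have a web ACL attached.")
        return
    print("Stages without a web ACL:", ", ".join(unprotected))
    for cmd in associate_commands(region, rest_api_id, web_acl_arn, unprotected):
        print(cmd)


if __name__ == "__main__":
    main()
```

The audit treats an empty `webAclArn` the same as a missing one, so the check does not pass on a stage whose association was removed but whose field was echoed back blank. Run it per REST API; `get-stages` is scoped to a single `--rest-api-id`, so iterating over `aws apigateway get-rest-apis` gives account-wide coverage.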
On some occasions, AWS WAF might encounter an internal error that delays its verdict to the associated AWS resource on whether to allow or block a request. In those cases, CloudFront typically fails open: it allows the request and serves the content. The regional services (API Gateway and Application Load Balancer) typically fail closed: they deny the request and do not serve the content.