Description:

A web ACL (web access control list) is the core resource in an AWS WAF deployment. It contains the rules that AWS WAF evaluates against each request the protected resource receives. A web ACL is associated with your web application through an Amazon CloudFront distribution, an Amazon API Gateway API, or an AWS Application Load Balancer.

Rationale:

AWS WAF is a web application firewall that helps protect web applications and APIs from attacks. It lets you configure a set of rules (called a web access control list, or web ACL) that allow, block, or count web requests based on the security rules and conditions that you define.

Impact:

You can use AWS WAF to protect your API Gateway API from common web exploits, such as SQL injection and cross-site scripting (XSS) attacks. Without it, such attacks can affect API availability and performance, compromise security, or consume excessive resources.

Default Value:

By default, an API Gateway stage is not associated with any WAF web ACL.


Pre-Requisite:

  1. Sign in as an administrator or as an IAM user with the required permissions.

  2. The REST APIs you want to protect must already exist before you follow the implementation steps.

  3. A web ACL must already exist.


Remediation:

Test Plan:

  1. Sign in to the AWS Management Console.

  2. Navigate to the API Gateway Management Console.

  3. Select the API you want to examine.

  4. Click on Stages in the left navigation pane.

  5. Select the stage of the API.

  6. Observe whether a web ACL is attached to the stage.

  7. If no web ACL is listed, the API stage is not protected by a WAF web ACL; follow the implementation steps.


Using AWS CLI:

This command describes the stages of a REST API and returns the ARN of the web ACL associated with the given stage (the result is empty when no web ACL is attached):

aws apigateway get-stages \
  --region <region> \
  --rest-api-id <rest-api-id> \
  --query 'item[?stageName==`<stage-name>`].webAclArn'


Implementation Steps:

  1. Sign in to the console at https://console.aws.amazon.com

  2. Go to the WAF & Shield service.

  3. Select Web ACLs in the left navigation pane.

  4. Choose the web ACL to which the API Gateway stage should be attached, and then go to the Associated AWS resources tab.

  5. Click on the Add AWS resources button.

  6. Choose Amazon API Gateway as the resource type and select the names of the APIs that you want to attach to the web ACL.

  7. Click on the Add button to save the changes and attach the API Gateway stage to the web ACL.


Using AWS CLI:

This command attaches a web ACL to an API Gateway stage. It uses the AWS WAF Classic CLI (waf-regional, which identifies the web ACL by id); with AWS WAFv2 the equivalent is aws wafv2 associate-web-acl with --web-acl-arn <web-acl-arn> in place of --web-acl-id:

aws waf-regional associate-web-acl \
  --region <region> \
  --web-acl-id <web-acl-id> \
  --resource-arn arn:aws:apigateway:<region>::/restapis/<rest-api-id>/stages/<stage-name>
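The check in the Test Plan and the remediation command above can be scripted together. The following is an added example, not part of the original benchmark text: it parses the JSON that aws apigateway get-stages returns, reports every stage whose webAclArn field is missing or empty, builds the API Gateway stage resource ARN in the format AWS WAF expects, and emits one associate-web-acl command per unprotected stage (WAFv2 form with --web-acl-arn). The sample get-stages response, the API id, the region and the web ACL ARN are constructed placeholders, and the function names are the example's own.

```python
import json

# Constructed sample of `aws apigateway get-stages` output: "prod" has a web ACL,
# "dev" has no webAclArn field at all, "test" has an empty one. All ids and ARNs
# are placeholders, not real resources.
SAMPLE_GET_STAGES = json.dumps({
    "item": [
        {"deploymentId": "deploy1", "stageName": "prod",
         "webAclArn": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example-acl/EXAMPLE-ID"},
        {"deploymentId": "deploy2", "stageName": "dev"},
        {"deploymentId": "deploy3", "stageName": "test", "webAclArn": ""},
    ]
})


def stage_resource_arn(region, rest_api_id, stage_name):
    """Build the resource ARN AWS WAF expects for an API Gateway stage.

    The account-id field is intentionally empty, hence the two consecutive colons.
    """
    return f"arn:aws:apigateway:{region}::/restapis/{rest_api_id}/stages/{stage_name}"


def stage_report(get_stages_json):
    """Map each stage name to its associated web ACL ARN, or None when none is attached.

    get-stages omits webAclArn (or returns it empty) for a stage with no web ACL.
    """
    data = json.loads(get_stages_json)
    report = {}
    for stage in data.get("item", []):
        report[stage["stageName"]] = stage.get("webAclArn") or None
    return report


def unprotected_stages(get_stages_json):
    """Stage names that fail the check: no web ACL associated."""
    return sorted(name for name, acl in stage_report(get_stages_json).items() if acl is None)


def remediation_commands(get_stages_json, region, rest_api_id, web_acl_arn):
    """One `aws wafv2 associate-web-acl` command per unprotected stage.

    This is the WAFv2 CLI form (--web-acl-arn). WAF Classic instead uses
    `aws waf-regional associate-web-acl --web-acl-id <id>` with the same resource ARN.
    """
    commands = []
    for name in unprotected_stages(get_stages_json):
        resource_arn = stage_resource_arn(region, rest_api_id, name)
        commands.append(
            f"aws wafv2 associate-web-acl --region {region} "
            f"--web-acl-arn {web_acl_arn} --resource-arn {resource_arn}"
        )
    return commands


if __name__ == "__main__":
    # Placeholder values; in practice feed the real output of
    # `aws apigateway get-stages --rest-api-id <id> --region <region>`.
    REGION, API_ID = "us-east-1", "a1b2c3d4e5"
    ACL_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example-acl/EXAMPLE-ID"
    for name, acl in stage_report(SAMPLE_GET_STAGES).items():
        print(f"stage {name}: {acl or 'NOT ASSOCIATED'}")
    for cmd in remediation_commands(SAMPLE_GET_STAGES, REGION, API_ID, ACL_ARN):
        print(cmd)
```

Run it against the real get-stages output for each REST API in the account; any stage listed as NOT ASSOCIATED fails the Test Plan, and the printed command is the corresponding remediation step.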

Backout Plan:

  1. Navigate to the API Gateway Management Console and identify your existing REST APIs.

  2. Navigate to the Web ACLs section of the WAF & Shield dashboard and identify the existing web ACLs.

  3. Select the web ACL and then click on the Associated AWS resources tab in the top menu.

  4. Select the API stage to disassociate and click on the Disassociate button at the top left.

  5. Acknowledge by entering "remove" and click on Disassociate.

Note:

On some occasions, AWS WAF might encounter an internal error that delays its response to the associated AWS resource about whether to allow or block a request. On those occasions, CloudFront typically allows the request or serves the content, while the Regional services (including API Gateway) typically deny the request and don't serve the content.


Resources:

  1. https://aws.amazon.com/blogs/compute/introducing-amazon-api-gateway-private-endpoints/

  2. https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-api-migration.html