Profile Applicability:

  • Level 1

Description:

This control ensures that each Amazon API Gateway Stage has an AWS Web Application Firewall (WAF) Web Access Control List (ACL) attached. Attaching a WAF Web ACL to an API Gateway stage helps protect APIs against common web exploits such as SQL injection, cross-site scripting (XSS), DDoS attacks, and other Layer 7 threats. This adds a strong layer of defense and visibility to API endpoints exposed to the public or external networks.

Rationale:

API endpoints are frequent targets for attackers attempting to exploit application vulnerabilities or perform automated attacks. Attaching a WAF Web ACL to an API Gateway Stage allows inspection of incoming requests and filtering of malicious traffic before it reaches the backend. This ensures compliance with CIS, SOC 2, ISO 27001, PCI DSS, and OWASP API Security Top 10 recommendations.

Impact:

  • Positive Impact:

    • Provides real-time protection against common web application threats.

    • Enhances monitoring and logging capabilities for API security.

    • Helps ensure compliance with security and regulatory frameworks.

  • Negative Impact:

    • May introduce minimal latency due to traffic inspection.

    • Requires maintenance of WAF rules and associated costs.


Default Value:

By default, API Gateway stages do not have a WAF Web ACL attached. It must be explicitly configured through AWS WAF or the API Gateway console.


Pre-Requisite:

  • IAM permissions required: wafv2:ListWebACLs, wafv2:AssociateWebACL, apigateway:GET, apigateway:PATCH.

  • A preconfigured WAF Web ACL in AWS WAF (Regional) matching your API’s region.

  • The API Gateway stage must be deployed before associating a Web ACL.


Remediation:

Test Plan

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS WAF → Web ACLs.

  3. Review existing Web ACLs and ensure one is configured for the same region as the API Gateway.

  4. Navigate to Amazon API Gateway → APIs → [Your API] → Stages.

  5. Select the stage (e.g., prod, dev, or v1).

  6. Check under WAF Web ACL section:

    • Ensure a Web ACL ARN is attached to the API stage.

  7. If no Web ACL is attached, the API stage is non-compliant.
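The console check above can be scripted against the same data the API Gateway API exposes. The following is an added example, not part of this benchmark text or of any AWS tooling: it evaluates stage objects in the shape returned by `aws apigateway get-stages --rest-api-id <id>` (a stage carries a `webAclArn` key only while a Web ACL is associated), flags stages with no Web ACL, with a non-regional ACL ARN, or with an ACL from a different region, and emits the `aws wafv2 associate-web-acl` command that would fix each finding. The API ids, account id, Web ACL id and stage names in the sample input are constructed placeholders; `<WEB_ACL_ARN>` is left for the operator to fill in.

```python
"""Audit Amazon API Gateway REST API stages for an attached AWS WAF Web ACL.

Input mirrors `aws apigateway get-rest-apis` and
`aws apigateway get-stages --rest-api-id <id>`: a stage object has a
`webAclArn` key only while a Web ACL is associated with it.
Sample data below is constructed; ids and ARNs are placeholders.
"""
import json
import re

# Accept a WAFv2 regional Web ACL ARN or a WAF Classic regional one.
# A CloudFront-scoped (global) Web ACL cannot be attached to an API stage.
WEB_ACL_ARN_RE = re.compile(
    r"^arn:aws:(?:wafv2:(?P<r1>[a-z0-9-]+):\d{12}:regional/webacl/[^/]+/[0-9a-f-]+"
    r"|waf-regional:(?P<r2>[a-z0-9-]+):\d{12}:webacl/[0-9a-f-]+)$"
)


def stage_resource_arn(region, rest_api_id, stage_name):
    """ARN form that `wafv2 associate-web-acl` expects for an API Gateway stage."""
    return f"arn:aws:apigateway:{region}::/restapis/{rest_api_id}/stages/{stage_name}"


def evaluate_stage(region, rest_api_id, stage):
    """Return a finding for one stage: compliant only when a regional Web ACL
    from the same region as the API is attached."""
    arn = stage.get("webAclArn")
    finding = {
        "resource": stage_resource_arn(region, rest_api_id, stage["stageName"]),
        "webAclArn": arn,
        "compliant": False,
    }
    if not arn:
        finding["reason"] = "no Web ACL attached"
        return finding
    match = WEB_ACL_ARN_RE.match(arn)
    if match is None:
        finding["reason"] = "attached ARN is not a regional WAF Web ACL"
        return finding
    acl_region = match.group("r1") or match.group("r2")
    if acl_region != region:
        finding["reason"] = f"Web ACL region {acl_region} differs from API region {region}"
        return finding
    finding["compliant"] = True
    finding["reason"] = "regional Web ACL attached"
    return finding


def audit(region, apis, stages_by_api):
    """Evaluate every stage of every REST API and return the list of findings."""
    return [
        evaluate_stage(region, api["id"], stage)
        for api in apis
        for stage in stages_by_api.get(api["id"], [])
    ]


def remediation_command(finding):
    """CLI command that attaches a Web ACL to a non-compliant stage.
    <WEB_ACL_ARN> is a placeholder for the operator's regional Web ACL."""
    return (
        "aws wafv2 associate-web-acl --web-acl-arn <WEB_ACL_ARN> "
        f"--resource-arn {finding['resource']}"
    )


# Constructed sample input (placeholder ids, not real resources).
SAMPLE_REGION = "us-east-1"
SAMPLE_APIS = [{"id": "abc123def4", "name": "orders"},
               {"id": "xyz987uvw6", "name": "billing"}]
SAMPLE_STAGES = {
    "abc123def4": [
        {"stageName": "prod",
         "webAclArn": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/"
                      "api-protection/11111111-2222-3333-4444-555555555555"},
        {"stageName": "dev"},  # no webAclArn key: nothing attached
    ],
    "xyz987uvw6": [
        {"stageName": "v1",   # ACL lives in another region
         "webAclArn": "arn:aws:wafv2:eu-west-1:123456789012:regional/webacl/"
                      "other/66666666-7777-8888-9999-000000000000"},
    ],
}

if __name__ == "__main__":
    for f in audit(SAMPLE_REGION, SAMPLE_APIS, SAMPLE_STAGES):
        print(json.dumps(f))
        if not f["compliant"]:
            print("  remediate with:", remediation_command(f))
```

Feed the script real data by saving the output of `get-rest-apis` and `get-stages` for each API, or by replacing the sample dictionaries with calls to the SDK; running it under the read-only `apigateway:GET` permission listed in the pre-requisites is enough for the audit, and `wafv2:AssociateWebACL` is needed only to run the emitted remediation command.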

Implementation Plan

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon CloudFront → Distributions.

  3. Select the target distribution.

  4. Go to the Behaviors tab.

  5. Select the desired behavior and click Edit.

  6. Under Viewer protocol policy, choose one of the following:

    • Redirect HTTP to HTTPS – Automatically redirects all HTTP requests to HTTPS.

    • HTTPS only – Blocks all HTTP requests, serving content only over HTTPS.

  7. In the SSL certificate section:

    • Select Custom SSL certificate (example.com) if using a domain-specific certificate from ACM.

    • Ensure Minimum Origin SSL Protocol is set to TLSv1.2 or higher.

  8. Click Save changes.

  9. Allow several minutes for CloudFront to propagate configuration updates globally.

Backout Plan:

Using AWS Console:

  1. If applications or APIs experience connectivity issues due to HTTPS enforcement:

    • Temporarily switch back to HTTP and HTTPS in the Viewer protocol policy to restore access.

  2. Troubleshoot client configurations and certificate trust issues.

  3. Reapply HTTPS enforcement once compatibility is verified.

References:

  • Amazon CloudFront Using HTTPS Documentation

  • AWS Certificate Manager Documentation

  • AWS Security Best Practices Whitepaper