API Gateway must be protected by AWS WAF Affecting WAF service in AWS

Severity Framework Snyk CCSS

Rule category Network / Firewall

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

Snyk ID SNYK-CC-00757
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Enabling AWS WAF on API Gateways mitigates the risk of common web exploits that could affect application availability, compromise security, or consume excessive resources. Without WAF, API Gateways are more vulnerable to attacks such as SQL injection and cross-site scripting (XSS).

How to fix?

Set the resource_arn of aws_wafv2_web_acl_association to aws_api_gateway_stage.arn and web_acl_arn to aws_wafv2_web_acl.arn.

Example Configuration

resource "aws_api_gateway_stage" "valid_example" {
  deployment_id = aws_api_gateway_deployment.valid_example.id
  rest_api_id   = aws_api_gateway_rest_api.valid_example.id
  stage_name    = "valid_example"
}

resource "aws_wafv2_web_acl" "valid_example" {
  name  = "web-acl-association-valid_example"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "friendly-metric-name"
    sampled_requests_enabled   = false
  }
}

resource "aws_wafv2_web_acl_association" "valid_example" {
  resource_arn = aws_api_gateway_stage.valid_example.arn
  web_acl_arn  = aws_wafv2_web_acl.valid_example.arn
}

Terraform

References

Working with stages for HTTP APIs