Integration of Web Application Firewall (WAF) with API Gateway

AWS API Gateway exposes direct, programmatic access to your application. A Web Application Firewall (WAF) can distinguish fraudulent requests from legitimate traffic and take appropriate action. Because the WAF sits between the public internet and the web application, it decouples the traffic reaching the web server from the internet. This is why a WAF is considered an API security best practice and should be implemented whenever possible. Keeping a full inventory of all of your API endpoints across all regions and all accounts helps you stay compliant with the NIST framework.

Audit & Remediation

  • Select the hyperlink of the API that you want to inspect.
  • In the left-hand panel, select Stages, then in the middle panel select the version, and finally under Settings verify the Web ACL setting.

  • If the Web ACL setting shows None, select the Create Web ACL link.
  • You will be directed to a new page; select the Create Web ACL button.
  • Fill out the WAF form with your desired settings. Be sure to select the same region your API is hosted in.

  • Now open the Add AWS resources form.

  • Select Amazon API Gateway, select the checkbox next to your API, and select Add.

  • Under Step 2, expand the AWS managed rule groups and select at least the Core rule set and the Known bad inputs rule groups.

  • Continue with the defaults to complete the WAF setup.
  • Repeat the outlined process in every region to ensure compliance.
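The console steps above check one stage at a time. The following script is an added example (not code from the original article) that performs the same audit programmatically: it walks every region, lists each REST API stage, and reports the stages whose Web ACL setting is empty, using the same stage ARN form that AWS WAF expects when you associate a web ACL. It assumes boto3 is installed and that the running credentials can call the API Gateway and WAFv2 read/associate actions; the audit logic is kept separate from the AWS calls so it can be exercised on constructed data. Two caveats a practitioner will want: AWS WAF can be associated with API Gateway REST API stages only (HTTP APIs are not supported), and the web ACL must be a REGIONAL-scope ACL in the same region as the API.

```python
"""Audit every API Gateway REST API stage in every region for a WAF web ACL.

Added example, not part of the original article. Assumes boto3 is available
and that credentials allow apigateway:GET in each region (plus
wafv2:AssociateWebACL if attach_web_acl is used).
"""
from typing import Dict, List


def stage_arn(region: str, api_id: str, stage_name: str) -> str:
    """Build the ARN form that WAFv2 uses to refer to a REST API stage."""
    return f"arn:aws:apigateway:{region}::/restapis/{api_id}/stages/{stage_name}"


def find_unprotected(stages: List[Dict[str, str]]) -> List[str]:
    """Return the stage ARNs whose webAclArn is missing or empty.

    Each entry mirrors the fields read from the API Gateway responses:
    region, api_id, stage_name and webAclArn (absent when no ACL is attached).
    """
    return [
        stage_arn(s["region"], s["api_id"], s["stage_name"])
        for s in stages
        if not s.get("webAclArn")
    ]


def collect_stages(regions=None) -> List[Dict[str, str]]:
    """Walk every region and flatten (api, stage) pairs into plain dicts.

    boto3 is imported here so the pure audit logic above has no SDK dependency.
    """
    import boto3  # assumption: boto3 is installed in the environment

    session = boto3.session.Session()
    regions = regions or session.get_available_regions("apigateway")
    found = []
    for region in regions:
        client = session.client("apigateway", region_name=region)
        # get_rest_apis is paginated; the paginator follows the position tokens.
        for page in client.get_paginator("get_rest_apis").paginate():
            for api in page.get("items", []):
                stages = client.get_stages(restApiId=api["id"]).get("item", [])
                for stage in stages:
                    found.append({
                        "region": region,
                        "api_id": api["id"],
                        "api_name": api.get("name", ""),
                        "stage_name": stage["stageName"],
                        # Empty string when the console shows "None" for Web ACL.
                        "webAclArn": stage.get("webAclArn", ""),
                    })
    return found


def attach_web_acl(region: str, web_acl_arn: str, resource_arn: str) -> None:
    """Remediate one stage by associating an existing REGIONAL web ACL.

    The web ACL must live in the same region as the API, as the article notes.
    """
    import boto3  # assumption: boto3 is installed in the environment

    wafv2 = boto3.session.Session().client("wafv2", region_name=region)
    wafv2.associate_web_acl(WebACLArn=web_acl_arn, ResourceArn=resource_arn)


if __name__ == "__main__":
    # Report every stage in every region that has no web ACL attached.
    for arn in find_unprotected(collect_stages()):
        print("NO WEB ACL:", arn)
```

Run it under a role that can read API Gateway in every region; each line of output is a stage the console would show with a Web ACL setting of None. To cover every account as the article recommends, run it once per account (or assume a role into each) and merge the results. Because the ARN it prints is the exact `ResourceArn` that `associate_web_acl` expects, the same list can drive remediation with `attach_web_acl` once a regional web ACL exists in that region.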