AWS API Gateway and WAF: A Powerful Duo for Securing APIs

Listen to this Post

Hosting an API on AWS can be streamlined using API Gateway, a serverless solution that eliminates infrastructure management while offering scalability. Pairing it with AWS WAF (Web Application Firewall) enhances security by blocking common exploits like SQL injection and cross-site scripting (XSS).

You Should Know:

1. Setting Up API Gateway

Deploy a basic REST API with AWS CLI:

aws apigateway create-rest-api --name 'SecureAPI' --description 'API protected with WAF'

Create a resource and method (e.g., GET):

aws apigateway create-resource --rest-api-id YOUR_API_ID --parent-id ROOT_ID --path-part 'test'
aws apigateway put-method --rest-api-id YOUR_API_ID --resource-id RESOURCE_ID --http-method GET --authorization-type NONE

2. Integrating AWS WAF

Create a Web ACL to filter malicious traffic:

aws wafv2 create-web-acl \
--name APIGatewayProtection \
--scope REGIONAL \
--default-action Allow={} \
--visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=APIGatewayWAF

Key Rules to Add:

  • SQL Injection Rule:
    aws wafv2 create-rule-group --name BlockSQLi --scope REGIONAL --capacity 100 --rules 'Name=SQLiRule,Priority=1,Action=Block,Statement={SqliMatchStatement={FieldToMatch={Body={}},TextTransformations=[{Priority=0,Type=NONE}]}},VisibilityConfig={SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=SQLiRule}'
    
  • XSS Protection Rule:
    aws wafv2 create-rule-group --name BlockXSS --scope REGIONAL --capacity 100 --rules 'Name=XSSRule,Priority=2,Action=Block,Statement={XssMatchStatement={FieldToMatch={Body={}},TextTransformations=[{Priority=0,Type=NONE}]}},VisibilityConfig={SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=XSSRule}'
    

3. Attach WAF to API Gateway

Associate the Web ACL with your API Gateway:

aws wafv2 associate-web-acl \
--web-acl-arn YOUR_WAF_ARN \
--resource-arn YOUR_API_ARN

4. Monitor & Log Traffic

Enable CloudWatch Logs for WAF:

aws wafv2 put-logging-configuration \
--logging-configuration 'ResourceArn=YOUR_WAF_ARN,LogDestinationConfigs=[LOG_GROUP_ARN],RedactedFields=[{Method={}}]'

What Undercode Say

Combining API Gateway and WAF is a robust approach for securing APIs on AWS. Always:
– Use rate limiting (aws wafv2 create-rate-based-rule) to prevent DDoS.
– Regularly update WAF rules via AWS CLI (aws wafv2 update-web-acl).
– Test security with tools like OWASP ZAP:

docker run -t owasp/zap2docker-stable zap-baseline.py -t https://your-api-url

– Automate deployments with Terraform or AWS CDK for IaC consistency.

For deeper protection, explore AWS Shield for DDoS mitigation and Lambda Authorizers for JWT validation.

Expected Output:

A scalable, secure API shielded from OWASP Top 10 threats, logged and monitored in CloudWatch.

Reference: AWS API Gateway and WAF Guide

References:

Reported By: Darryl Ruggles – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image