AWS Config Rule: API Gateway Associated With WAF
API_GW_ASSOCIATED_WITH_WAF
Eduardo Van Cauteren
Last Update 7 months ago
Description: Checks if an Amazon API Gateway API stage is using an AWS WAF Web ACL. This rule is NON_COMPLIANT if an AWS WAF Web ACL is not used or if a used AWS Web ACL does not match what is listed in the rule parameter.
Trigger type: Configuration changes
AWS Region: All supported AWS regions except Asia Pacific (Jakarta), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Canada West (Calgary), Europe (Spain) Region
How to Resolve Manually
This config rule checks whether an API Gateway stage is using an AWS WAF Web ACL. The stage is reported as NON_COMPLIANT if no AWS WAF Web ACL is configured for it.
To resolve this you may be in one of two scenarios. In the first, you already have a Web ACL configured. In that case, open the WAF & Shield service and go to Web ACLs. Choose the desired ACL, open the Associated AWS resources tab and click the Add AWS resources button. The following screenshot shows how to add the desired API Gateway stage; in this example only one API is deployed:
Please take into account that this config rule only evaluates REST APIs.
The other possible scenario is that you don't have any Web ACL created yet. In this case, from the WAF & Shield service go to Web ACLs and click the Create web ACL button. Define a name for the ACL and, under Resource type, choose Regional resources. Within Associated AWS resources click Add AWS resource. You'll be prompted to choose an API, as in the previous screenshot. From there, follow the configuration wizard, define the desired settings and finally save to complete the process.
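As an added example (not StackZone's or AWS's own code), the following Python mirrors the rule's evaluation logic described above, including the optional WebAclArns rule parameter mentioned in the description, against a constructed inventory of stage-to-Web-ACL associations; the stage and Web ACL ARNs are made-up sample values.

```python
from typing import Dict, Iterable, Optional

# Constructed sample inventory: each REST API stage ARN maps to the ARN of the
# Web ACL associated with it, or None when no Web ACL is attached. In a real
# check this mapping would be built per stage from the WAF association lookup.
PROD_ACL = "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/prod-acl/aaaa-1111"
LEGACY_ACL = "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/old-acl/bbbb-2222"

SAMPLE_STAGE_ASSOCIATIONS: Dict[str, Optional[str]] = {
    "arn:aws:apigateway:us-east-1::/restapis/abc123/stages/prod": PROD_ACL,
    "arn:aws:apigateway:us-east-1::/restapis/abc123/stages/dev": None,
    "arn:aws:apigateway:us-east-1::/restapis/def456/stages/v1": LEGACY_ACL,
}


def evaluate_stage(web_acl_arn: Optional[str], allowed_acl_arns: Iterable[str] = ()) -> str:
    """Return COMPLIANT or NON_COMPLIANT for one stage, mirroring the rule.

    NON_COMPLIANT when no Web ACL is associated, or when one is associated but
    the rule parameter lists specific ACL ARNs and this ACL is not among them.
    """
    if web_acl_arn is None:
        return "NON_COMPLIANT"
    allowed = {arn.strip() for arn in allowed_acl_arns if arn.strip()}
    if allowed and web_acl_arn not in allowed:
        return "NON_COMPLIANT"
    return "COMPLIANT"


def evaluate_all(associations: Dict[str, Optional[str]],
                 web_acl_arns_param: str = "") -> Dict[str, str]:
    """Evaluate every stage; web_acl_arns_param is the comma-separated
    value of the rule's WebAclArns parameter (empty means any ACL is accepted)."""
    allowed = web_acl_arns_param.split(",") if web_acl_arns_param else []
    return {stage: evaluate_stage(acl, allowed) for stage, acl in associations.items()}


if __name__ == "__main__":
    # With the parameter set to the production ACL only, the legacy ACL
    # is flagged as well as the stage with no ACL at all.
    for stage, result in evaluate_all(SAMPLE_STAGE_ASSOCIATIONS, PROD_ACL).items():
        print(f"{result:14} {stage}")
```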
Want to know more about StackZone and how to make your cloud management simple and secure?
Check our how it works section with easy to follow videos or just create your own StackZone Account here