Using Amazon WAF to protect your APIs - Amazon API Gateway
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Using Amazon WAF to protect your APIs

Amazon WAF is a web application firewall that helps protect web applications and APIs from attacks. It enables you to configure a set of rules (called a web access control list (web ACL)) that allow, block, or count web requests based on customizable web security rules and conditions that you define. For more information, see How Amazon WAF Works.

You can use Amazon WAF to protect your API Gateway API from common web exploits, such as SQL injection and cross-site scripting (XSS) attacks. These could affect API availability and performance, compromise security, or consume excessive resources. For example, you can create rules to allow or block requests from specified IP address ranges, requests from CIDR blocks, requests that originate from a specific country or region, requests that contain malicious SQL code, or requests that contain malicious script.

You can also create rules that match a specified string or a regular expression pattern in HTTP headers, method, query string, URI, and the request body (limited to the first 8 KB). Additionally, you can create rules to block attacks from specific user agents, bad bots, and content scrapers. For example, you can use rate-based rules to specify the number of web requests that are allowed by each client IP in a trailing, continuously updated, 5-minute period.

Important

Amazon WAF is your first line of defense against web exploits. When Amazon WAF is enabled on an API, Amazon WAF rules are evaluated before other access control features, such as resource policies, IAM policies, Lambda authorizers, and Amazon Cognito authorizers. For example, if Amazon WAF blocks access from a CIDR block that a resource policy allows, Amazon WAF takes precedence and the resource policy isn't evaluated.

To enable Amazon WAF for your API, you need to do the following:

  1. Use the Amazon WAF console, Amazon SDK, or CLI to create a Regional web ACL that contains the desired combination of Amazon WAF managed rules and your own custom rules. For more information, see Getting Started with Amazon WAF and Creating and Configuring a Web Access Control List (Web ACL).

    Important

    API Gateway requires a Regional web ACL.

  2. Associate the Amazon WAF Regional web ACL with an API stage. You can do this by using the Amazon WAF console, Amazon SDK, or CLI or by using the API Gateway console, Amazon SDK, or CLI.

To associate an Amazon WAF regional Web ACL with an API Gateway API stage using the API Gateway console

To use the API Gateway console to associate an Amazon WAF Regional web ACL with an existing API Gateway API stage, use the following steps:

  1. Sign in to the API Gateway console at https://console.amazonaws.cn/apigateway.

  2. In the APIs navigation pane, choose the API, and then choose Stages.

  3. In the Stages pane, choose the name of the stage.

  4. In the Stage Editor pane, choose the Settings tab.

  5. To associate a Regional web ACL with the API stage:

    1. In the Amazon WAF web ACL dropdown list, choose the Regional web ACL that you want to associate with this stage.

      Note

      If the web ACL you need doesn't exist yet, choose Create WebACL. Then choose Go to Amazon WAFto open the Amazon WAF console in a new browser tab and create a Regional web ACL. Then return to the API Gateway console to associate the web ACL with the stage.

  6. Choose Save Changes.

Associate an Amazon WAF regional Web ACL with an API Gateway API stage using the Amazon CLI

To use the Amazon CLI to associate an Amazon WAF Regional web ACL with an existing API Gateway API stage, call the associate-web-acl command, as in the following example:

aws waf-regional associate-web-acl \ --web-acl-id 'aabc123a-fb4f-4fc6-becb-2b00831cadcf' \ --resource-arn 'arn:aws:apigateway:{region}::/restapis/4wk1k4onj3/stages/prod'

Associate an Amazon WAF regional web ACL with an API stage using the Amazon WAF REST API

To use the Amazon WAF REST API to associate an Amazon WAF Regional web ACL with an existing API Gateway API stage, call the AssociateWebACL command, as in the following example:

import boto3 waf = boto3.client('waf-regional') waf.associate_web_acl( WebACLId='aabc123a-fb4f-4fc6-becb-2b00831cadcf', ResourceArn='arn:aws:apigateway:{region}::/restapis/4wk1k4onj3/stages/prod' )