Protecting API Gateways with WAF Rules

Attaching a WAF Rule to a RESTful API 
The Amazon API Gateway service is used to create, publish, maintain, monitor, and secure REST, HTTP, and WebSocket APIs. In this demo, AWS expert Mike Wise walks through how to identify your existing API Gateways, how to determine whether an API Gateway is associated with a WAF web ACL, and how to associate an API Gateway with a web ACL.

  1. Navigate to the API Gateway Management Console and identify your existing RESTful API Gateways. 
  2. Navigate to the Web ACLs section of the WAF & Shield Dashboard and identify existing web ACLs. 
  3. Check to see if your web ACLs have associated AWS resources that match your API Gateways. If they do not have any associated AWS resources, this means your API Gateways are not currently protected by web ACLs. 
  4. You can attach a web ACL to an API Gateway in the web ACL's Associated AWS Resources tab. Select Add AWS Resources and your existing API Gateways should populate so that you can choose the appropriate one. 

For a visual guide to attaching WAF rules to API Gateways, watch the full demo.
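The four console steps above can be scripted for accounts with more than one API. The following is an added example, not code from the demo or from AWS: it inventories REST API stages, lists which resources each regional web ACL already protects, and reports the stages no web ACL covers. Two details the console hides are worth knowing: AWS WAF associates with a specific REST API *stage* (the resource ARN has the form `arn:aws:apigateway:REGION::/restapis/API_ID/stages/STAGE`), and only REST APIs can be associated, not HTTP or WebSocket APIs. The AWS-calling functions assume `boto3` and credentials with `apigateway:GET`, `wafv2:ListWebACLs`, `wafv2:ListResourcesForWebACL` and `wafv2:AssociateWebACL`; the comparison logic is pure Python and runs offline on the constructed sample data in `demo()`. The API id, stage name and web ACL ARN in that sample are constructed placeholders.

```python
"""Find API Gateway REST API stages that no WAFv2 web ACL protects.

Added example, not part of the original demo. The pure functions (Stage.arn,
find_unprotected, demo) run offline; the list_* and associate functions need
boto3 and AWS credentials.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Stage:
    region: str
    api_id: str
    api_name: str
    stage_name: str

    @property
    def arn(self) -> str:
        # ARN form WAF expects for a REST API stage. The double colon is
        # correct: apigateway ARNs carry no account ID.
        return (f"arn:aws:apigateway:{self.region}::"
                f"/restapis/{self.api_id}/stages/{self.stage_name}")


def find_unprotected(stages: List[Stage],
                     acl_resources: Dict[str, List[str]]) -> List[Stage]:
    """Return the stages whose ARN appears under no web ACL.

    acl_resources maps a web ACL ARN to the resource ARNs it protects, as
    returned by wafv2 ListResourcesForWebACL with ResourceType='API_GATEWAY'.
    """
    protected = {arn for arns in acl_resources.values() for arn in arns}
    return [s for s in stages if s.arn not in protected]


def list_rest_api_stages(region: str) -> List[Stage]:
    """Step 1: enumerate every REST API and each of its deployed stages."""
    import boto3
    apigw = boto3.client("apigateway", region_name=region)
    stages: List[Stage] = []
    for page in apigw.get_paginator("get_rest_apis").paginate():
        for api in page.get("items", []):
            for st in apigw.get_stages(restApiId=api["id"]).get("item", []):
                stages.append(Stage(region, api["id"], api["name"], st["stageName"]))
    return stages


def list_web_acl_resources(region: str) -> Dict[str, List[str]]:
    """Steps 2 and 3: every regional web ACL and the API Gateway stages it covers."""
    import boto3
    wafv2 = boto3.client("wafv2", region_name=region)
    out: Dict[str, List[str]] = {}
    kwargs = {"Scope": "REGIONAL"}      # API Gateway is a regional resource type
    while True:
        resp = wafv2.list_web_acls(**kwargs)
        for acl in resp.get("WebACLs", []):
            res = wafv2.list_resources_for_web_acl(
                WebACLArn=acl["ARN"], ResourceType="API_GATEWAY")
            out[acl["ARN"]] = res.get("ResourceArns", [])
        if not resp.get("NextMarker"):
            break
        kwargs["NextMarker"] = resp["NextMarker"]
    return out


def associate(region: str, web_acl_arn: str, stage: Stage) -> None:
    """Step 4: attach the web ACL to one stage (equivalent of 'Add AWS Resources')."""
    import boto3
    boto3.client("wafv2", region_name=region).associate_web_acl(
        WebACLArn=web_acl_arn, ResourceArn=stage.arn)


def demo() -> List[str]:
    """Offline run on constructed data mirroring the demo's situation:
    demo-web-acl exists but covers nothing, so PetStore is unprotected."""
    pet_store = Stage("us-east-1", "a1b2c3d4e5", "PetStore", "prod")   # constructed
    acls = {"arn:aws:wafv2:us-east-1:123456789012:regional/webacl/demo-web-acl/placeholder": []}
    return [f"{s.api_name}/{s.stage_name}" for s in find_unprotected([pet_store], acls)]


if __name__ == "__main__":
    # Live run, e.g. python waf_inventory.py; needs credentials.
    region = "us-east-1"
    gaps = find_unprotected(list_rest_api_stages(region), list_web_acl_resources(region))
    for s in gaps:
        print(f"UNPROTECTED: {s.api_name} stage {s.stage_name} ({s.arn})")
    print("offline demo:", demo())
```

Run the unprotected report on a schedule, or as a check in the pipeline that deploys API stages, so that a newly deployed stage without a web ACL is flagged rather than discovered later. If you want the script to close the gap itself, call `associate()` on each reported stage with the ARN of the web ACL you intend to apply.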

Hello everyone! Today, we’re going to talk about the Amazon API Gateways and protecting them with WAF rules. To start out, we’ll just go over what an Amazon API Gateway is. An Amazon API Gateway is an AWS service for creating, publishing, maintaining, monitoring, and securing REST, HTTP, and WebSocket APIs at any scale. With that being the case, if you have a RESTful API, you can attach an AWS WAF rule to it to protect that RESTful API. 

What we’re going to go look at is how you can identify what API Gateways you have and if the API Gateway is attached to an AWS WAF rule. Let’s start off with the first part, which is identifying what Amazon API Gateways you have. Let’s search for “API” and click on that. This will take you to the API Management Console. As you can see, we have a RESTful API created called “PetStore.” That’s the only API we have created. Now, what we need to do is go and identify if this PetStore API is attached to a specific WAF rule. Let’s go to “WAF” and we’re going to click on “Web ACLs.” We see here that we have two different web ACLs created. We need to check each one to see if either of the web ACLs is attached to the API Gateway. Let’s go take a look. We’re going to go look at “Associated AWS Resources.” We can see that this web ACL has no associated resources. We’ll go look at this one and we can see that while this web ACL does have an associated resource, it’s not an API Gateway and it’s not named the same thing as our API Gateway. That means that our API Gateway is not currently protected by WAF ACL rules. 

What we’re going to do in this video is we’re going to attach the API Gateway to one of the web ACLs. So, let’s go ahead and click into “demo-web-acl” and we’re going to go back to “Associated AWS Resources.” We’re going to click on “Add AWS Resource.” We’re going to select “Amazon API Gateway.” As we can see, our PetStore API is already there and populated. Let’s select that, then click “Add.” Now we can see that the web ACL that was created is now attached to the API Gateway named “PetStore” that we saw on the API Gateway Management Console. Now that web ACL is protecting the PetStore API Gateway. 

In conclusion, we need to make sure that we’re doing an inventory of not only the resources but also the ACL rules, so that if we have ACL rules that we want to protect specific resources, those rules are associated with the specific API Gateway. Because if they’re not associated with API Gateways, those rules are not protecting those API Gateways. Thank you for coming to this demo and have a great day! 