Protect your single region API gateway using AWS WAF
You can do it from scratch and it will work fine, but what if you’re lazy!?
AWS describes how to do it in "Use AWS WAF to Protect Your Amazon API Gateway API from Common Web Exploits", but firewalls aren't my specialty (I hope I'm not encouraging someone to start testing my network…). So I'd rather start with what AWS recommends at "AWS WAF Security Automations » Automated Deployment" and then customize them to my needs or add new rules as required.
I launched the CloudFormation template from the above page using the recommended settings, but realized that I couldn't attach it to the API Gateway. The issue? Launching the template and building the stack with Endpoint Type: CloudFront builds it at the Global level, not in a specific region. Thus, if your API Gateway is in a specific region, you can't use it! Try it with Endpoint Type: ALB, and be sure to select the correct region in the top right (the link defaults to us-east-1); you should then be able to attach it to your API Gateway that's in the same region.
To actually attach it to API Gateway, navigate to API Gateway in the AWS console, find the API Gateway you want to protect, click on Stages, select the stage you want to protect, and then select the ACL you set up in the same region!
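The same attachment can be scripted with a pre-flight check for the scope and region mismatch described above. This is an added example, not part of the original post: it assumes the stack created an AWS WAFv2 web ACL and that the AWS CLI is configured, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify a web ACL can be attached to a regional API Gateway
# stage before calling the AWS CLI. Function names are hypothetical; every
# ARN, API ID and stage name passed in is a value you supply.

# Build the stage ARN: arn:aws:apigateway:REGION::/restapis/API_ID/stages/STAGE
stage_arn() {  # usage: stage_arn REGION API_ID STAGE
  printf 'arn:aws:apigateway:%s::/restapis/%s/stages/%s\n' "$1" "$2" "$3"
}

# WAFv2 web ACL ARN: arn:aws:wafv2:REGION:ACCOUNT:(regional|global)/webacl/NAME/ID
# Returns 0 if attachable, 2 if not WAFv2, 3 if CloudFront (global) scope,
# 4 if the ACL is regional but lives in a different region than the API.
check_acl() {  # usage: check_acl WEB_ACL_ARN API_REGION
  svc=$(printf '%s' "$1" | cut -d: -f3)
  acl_region=$(printf '%s' "$1" | cut -d: -f4)
  scope=$(printf '%s' "$1" | cut -d: -f6 | cut -d/ -f1)
  if [ "$svc" != "wafv2" ]; then
    echo "not a WAFv2 web ACL ARN: $1" >&2; return 2
  fi
  if [ "$scope" != "regional" ]; then
    echo "scope '$scope': built for CloudFront, cannot attach to a regional stage" >&2
    return 3
  fi
  if [ "$acl_region" != "$2" ]; then
    echo "web ACL is in $acl_region but the API is in $2" >&2; return 4
  fi
}

# Run the check, then associate the ACL with the stage.
attach_acl() {  # usage: attach_acl WEB_ACL_ARN REGION API_ID STAGE
  check_acl "$1" "$2" || return
  aws wafv2 associate-web-acl --region "$2" --web-acl-arn "$1" \
    --resource-arn "$(stage_arn "$2" "$3" "$4")"
}
```

Call `attach_acl` with the web ACL ARN from the stack outputs, the API's region, its REST API ID and the stage name; a CloudFront-scoped ACL is rejected before any API call is made.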