> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# API Gateway Should Be Integrated With WAF

### More Info:

AWS Web Application Firewall (WAF) should be integrated with API Gateway to protect your APIs from common web exploits such as SQLi attacks, XSS attacks and Cross-Site Request Forgery (CSRF) attacks.

### Risk Level

Low

### Address

Security

### Compliance Standards

HITRUST, SOC2, NISTCSF, PCIDSS

### Triage and Remediation

<Tabs>
  <Tab title="Cause">
    ### Check Cause

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        1. Sign in to the AWS Management Console and open the Amazon API Gateway console at [https://console.aws.amazon.com/apigateway/](https://console.aws.amazon.com/apigateway/).

        2. In the navigation pane, choose the API Gateway that you want to inspect.

        3. In the API Gateway dashboard, select the APIs section. This will display a list of all your APIs.

        4. For each API, check the 'Stage' settings. If there is no Web Application Firewall (WAF) associated with the API, then the API Gateway is not integrated with WAF. This is a misconfiguration as it could potentially expose the API to various types of attacks.
      </Accordion>

      <Accordion title="Using CLI">
        1. **List all API Gateways:**
           First, you need to list all the API Gateways in your AWS account. You can do this by using the `get-rest-apis` command in AWS CLI. The command is as follows:
           ```
           aws apigateway get-rest-apis --region your-region
           ```
           Replace 'your-region' with the region of your AWS account. This command will return a list of all the API Gateways in your account.

        2. **Get the details of each API Gateway:**
           For each API Gateway returned in the previous step, you need to get its details. You can do this by using the `get-rest-api` command in AWS CLI. The command is as follows:
           ```
           aws apigateway get-rest-api --rest-api-id your-rest-api-id --region your-region
           ```
           Replace 'your-rest-api-id' with the ID of the API Gateway and 'your-region' with the region of your AWS account. This command will return the details of the API Gateway.

        3. **Check if the API Gateway is integrated with WAF:**
           In the details of the API Gateway returned in the previous step, look for the 'webAclArn' field. If this field is present and not empty, it means that the API Gateway is integrated with WAF.

        4. **Automate the process:**
           You can automate the above steps by writing a script in Python using the Boto3 library. The script will use the `get_rest_apis` and `get_rest_api` methods of the `boto3.client('apigateway')` object to get the list of API Gateways and their details respectively. It will then check if the 'webAclArn' field is present and not empty for each API Gateway.
      </Accordion>

      <Accordion title="Using Python">
        1. Install the necessary Python libraries: Before you start, make sure you have the AWS SDK for Python (Boto3) installed, which allows you to write software that makes use of services like Amazon S3, Amazon EC2, etc.

        ```python theme={null}
        pip install boto3
        ```

        2. Establish a session: You need to establish a session using your AWS credentials.

        ```python theme={null}
        import boto3

        session = boto3.Session(
            aws_access_key_id='YOUR_ACCESS_KEY',
            aws_secret_access_key='YOUR_SECRET_KEY',
            aws_session_token='SESSION_TOKEN',
        )
        ```

        3. List all API Gateways: Use the `get_rest_apis` function to retrieve all the API Gateways.

        ```python theme={null}
        client = session.client('apigateway')
        response = client.get_rest_apis()
        ```

        4. Check if WAF is integrated: For each API Gateway, check if it is integrated with WAF. You can do this by calling the `get_web_acl_for_resource` function from the WAF Regional client. If the API Gateway is not integrated with WAF, the function will throw an exception.

        ```python theme={null}
        waf_client = session.client('waf-regional')

        for api in response['items']:
            try:
                waf_response = waf_client.get_web_acl_for_resource(
                    ResourceArn=api['id']
                )
                print(f"API Gateway {api['name']} is integrated with WAF")
            except Exception as e:
                print(f"API Gateway {api['name']} is not integrated with WAF")
        ```

        This script will print out the names of all API Gateways and whether they are integrated with WAF. If an API Gateway is not integrated with WAF, it may be a misconfiguration.
      </Accordion>
    </AccordionGroup>
  </Tab>

  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        Sure, here are the step by step instructions on how to remediate this misconfiguration:

        1. Open the AWS Management Console and navigate to the Amazon API Gateway service.

        2. Select the API Gateway that you want to integrate with WAF.

        3. Click on the "Settings" tab in the left-hand menu.

        4. Under the "Security" section, click on the "Edit" button next to "Web Application Firewall".

        5. In the "Configure WAF" window, select "Create a new WAF web ACL" or "Use existing WAF web ACL" depending on your preference.

        6. If you select "Create a new WAF web ACL", you will be prompted to create a new web ACL. Follow the steps to create a new web ACL and click "Create".

        7. If you select "Use existing WAF web ACL", select the web ACL that you want to use from the dropdown list.

        8. Click "Save" to save the changes.

        9. Once the integration is complete, you can test it by sending requests to your API Gateway and verifying that the WAF is blocking any malicious requests.

        That's it! Your API Gateway is now integrated with WAF and is protected from common web attacks.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate the misconfiguration "API Gateway Should Be Integrated With WAF" for AWS using AWS CLI, you can follow the below steps:

        1. Create a WAF Web ACL:

           ```
           aws wafv2 create-web-acl --name <WebACLName> --scope REGIONAL --default-action "Block={}" --description "<WebACLDescription>" --region <Region>
           ```

        2. Create a WAFv2 rule group:

           ```
           aws wafv2 create-rule-group --name <RuleGroupName> --scope REGIONAL --description "<RuleGroupDescription>" --region <Region>
           ```

        3. Add rules to the WAFv2 rule group:

           ```
           aws wafv2 create-web-acl --name <WebACLName> --scope REGIONAL --default-action "Block={}" --description "<WebACLDescription>" --region <Region>
           ```

        4. Associate the WAFv2 rule group with the WAF Web ACL:

           ```
           aws wafv2 associate-web-acl --web-acl-arn <WebACLARN> --resource-arn <APIGatewayARN> --region <Region>
           ```

        5. Verify the integration:

           ```
           aws wafv2 list-resources-for-web-acl --web-acl-arn <WebACLARN> --region <Region>
           ```

           This command should return the ARN of the API Gateway that was integrated with the WAF.

        By following these steps, you can remediate the misconfiguration "API Gateway Should Be Integrated With WAF" for AWS using AWS CLI.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the misconfiguration of API Gateway not being integrated with WAF in AWS using Python, you can follow these steps:

        1. Import the necessary AWS SDKs and modules in your Python script. You will need to import the boto3 module to interact with AWS services.

        2. Use the boto3 module to retrieve the ARN of the WAF web ACL that you want to associate with your API Gateway.

        ```
        import boto3

        # Create a WAF client
        waf_client = boto3.client('waf')

        # Retrieve the ARN of the WAF web ACL that you want to associate with your API Gateway
        web_acl_arn = waf_client.get_web_acl(WebACLId='web_acl_id')['WebACL']['ARN']
        ```

        3. Use the boto3 module to update the API Gateway to associate it with the WAF web ACL.

        ```
        # Create an API Gateway client
        apigateway_client = boto3.client('apigateway')

        # Update the API Gateway to associate it with the WAF web ACL
        apigateway_client.update_security_configuration(
            restApiId='rest_api_id',
            patchOperations=[
                {
                    'op': 'replace',
                    'path': '/wafWebAclArn',
                    'value': web_acl_arn
                }
            ]
        )
        ```

        Note: Replace `web_acl_id` with the ID of the WAF web ACL that you want to associate with your API Gateway, and replace `rest_api_id` with the ID of your API Gateway.

        4. Run the Python script to remediate the misconfiguration of API Gateway not being integrated with WAF in AWS.

        After following these steps, your API Gateway will be integrated with WAF, which will help protect your API from common web exploits and attacks.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html)
