AppSync Should Be Associated With WAF
More Info:
This rule verifies whether AWS AppSync resources are associated with AWS WAF (Web Application Firewall) to protect against common web exploits and security vulnerabilities. Associating AppSync with WAF allows for the enforcement of custom access control rules and provides an additional layer of security against malicious trafficRisk Level
HighAddress
SecurityCompliance Standards
CBPTriage and Remediation
Check Cause
Using Console
Using Console
- Sign in to the AWS Management Console.
- Navigate to the AWS AppSync service. You can find this by typing ‘AppSync’ into the search bar at the top of the console.
- Once in the AppSync dashboard, select the API that you want to check for WAF association.
- In the settings or details of the selected API, look for a section or field related to AWS WAF. If the API is associated with a WAF, it should be listed here. If there is no such section or the field is empty, then the API is not associated with a WAF.
Using CLI
Using CLI
- First, you need to install and configure AWS CLI on your local machine. You can do this by following the instructions provided by AWS. Make sure you have the necessary permissions to access the resources.
-
Once the AWS CLI is set up, you can list all the AppSync APIs in your account by running the following command:
Replace ‘your-region’ with the region where your resources are located. This command will return a list of all the AppSync APIs in the specified region.
-
For each AppSync API, you can check if it is associated with a Web Application Firewall (WAF) by running the following command:
This command will list all the Web ACLs in the specified region. You need to check if the ARN of your AppSync API is present in the list.
- If the ARN of your AppSync API is not present in the list, it means that the API is not associated with a WAF. You can use a Python script to automate this process. The script will iterate over all the AppSync APIs and check if they are associated with a WAF. If an API is not associated with a WAF, the script will print a message indicating the misconfiguration.
Using Python
Using Python
To check if AppSync is associated with WAF in AWS using Python scripts, you can use the AWS SDK for Python (Boto3). Here are the steps:
-
Setup AWS SDK for Python (Boto3):
First, you need to set up Boto3 on your machine. You can install it using pip:
Then, configure your AWS credentials. You can do this by creating the files ~/.aws/credentials and ~/.aws/config:
-
Create a Python script to list all AppSync APIs:
Use the
list_graphql_apismethod to get all the AppSync APIs. Here is a sample script:This script will print the name and ID of all your AppSync APIs. -
Create a Python script to get the WAF web ACL for each AppSync API:
Use the
get_web_acl_for_resourcemethod to get the WAF web ACL for each AppSync API. Here is a sample script:Replace ‘YourApiId’ with the ID of your AppSync API. This script will print the WAF web ACL for the specified AppSync API. -
Check if the WAF web ACL is associated with the AppSync API:
If the
get_web_acl_for_resourcemethod returns a web ACL, then the AppSync API is associated with WAF. If it returns an error or an empty result, then the AppSync API is not associated with WAF. You can add this check to your script:This script will print whether the specified AppSync API is associated with WAF or not.