AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
AppSync Should Be Associated With WAF
More Info:
This rule verifies whether AWS AppSync resources are associated with AWS WAF (Web Application Firewall) to protect against common web exploits and security vulnerabilities. Associating AppSync with WAF allows for the enforcement of custom access control rules and provides an additional layer of security against malicious traffic
Risk Level
High
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To associate AWS AppSync with AWS WAF (Web Application Firewall) in AWS console, follow these steps:
-
Sign in to the AWS Management Console: Go to https://aws.amazon.com/ and sign in to the AWS Management Console using your credentials.
-
Navigate to AWS AppSync service: Click on the “Services” dropdown menu at the top of the console, search for “AppSync” in the search bar, and click on “AWS AppSync” to open the AWS AppSync console.
-
Select the AppSync API: In the AWS AppSync console, select the API that you want to associate with AWS WAF from the list of APIs displayed.
-
Click on “Settings” tab: Once you have selected the API, click on the “Settings” tab in the left-hand menu to configure the settings for the selected API.
-
Enable AWS WAF: In the “Settings” tab, look for the “Security” section and find the option to enable AWS WAF. Click on the “Edit” button next to the AWS WAF option.
-
Associate AWS WAF with the API: In the AWS WAF configuration settings, you can choose to associate an existing AWS WAF web ACL with the API or create a new web ACL. Select the appropriate option based on your requirements.
-
Configure AWS WAF settings: If you are creating a new web ACL, follow the on-screen instructions to configure the AWS WAF settings such as rules, conditions, and actions to protect your API from common web exploits and attacks.
-
Save the changes: After configuring the AWS WAF settings, click on the “Save” or “Update” button to associate AWS WAF with the selected AppSync API.
-
Verify the association: Once the changes are saved, verify that AWS WAF is successfully associated with the AWS AppSync API by checking the settings and configurations in the AWS AppSync console.
By following these steps, you can remediate the misconfiguration by associating AWS AppSync with AWS WAF in the AWS console to enhance the security of your API.
To associate AWS AppSync with AWS WAF using AWS CLI, follow these steps:
- Create a WebACL in AWS WAF:
aws wafv2 create-web-acl --name "MyAppSyncWebACL" --scope REGIONAL --default-action "Allow={}" --description "WebACL for protecting AppSync"
- Get the WebACL ARN:
export WEBACL_ARN=$(aws wafv2 list-web-acls --scope REGIONAL --query "WebACLs[?Name=='MyAppSyncWebACL'].ARN" --output text)
- Update the AWS AppSync API with the WebACL ARN:
aws appsync update-graphql-api --api-id YOUR_API_ID --additional-authentication-providers "WAF={WebACLArn=$WEBACL_ARN}"
Replace YOUR_API_ID with the ID of your AWS AppSync API.
- Verify the association by checking the AWS AppSync API details:
aws appsync get-graphql-api --api-id YOUR_API_ID --query "additionalAuthenticationProviders"
Now, your AWS AppSync API is associated with AWS WAF for protection.
To associate AWS AppSync with AWS WAF (Web Application Firewall) using Python, you can follow these steps:
- Import the necessary libraries:
import boto3
- Initialize the AWS clients for AppSync and WAF:
appsync_client = boto3.client('appsync')
wafv2_client = boto3.client('wafv2')
- Get the API ID of your AWS AppSync API:
response = appsync_client.list_graph_ql_apis()
api_id = response['graphQLApis'][0]['apiId']
- Create a WebACL in AWS WAF:
web_acl_response = wafv2_client.create_web_acl(
Name='MyAppSyncWebACL',
Scope='REGIONAL', # or set it to 'CLOUDFRONT' if using a CloudFront distribution
DefaultAction={
'Allow': {}
},
Description='WebACL for protecting AppSync API',
Rules=[]
)
web_acl_id = web_acl_response['WebACL']['Id']
- Associate the WebACL with your AWS AppSync API:
appsync_client.associate_web_acl(
ApiId=api_id,
WebAclArn=web_acl_id
)
- Verify the association:
response = appsync_client.get_web_acl_association(
ApiId=api_id
)
print(response)
By following these steps, you can associate AWS AppSync with AWS WAF using Python. This will help protect your AppSync API from common web attacks and vulnerabilities.