> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# AppSync Should Be Associated With WAF

### More Info:

This rule verifies whether AWS AppSync resources are associated with AWS WAF (Web Application Firewall) to protect against common web exploits and security vulnerabilities. Associating AppSync with WAF allows for the enforcement of custom access control rules and provides an additional layer of security against malicious traffic

### Risk Level

High

### Address

Security

### Compliance Standards

CBP

### Triage and Remediation

<Tabs>
  <Tab title="Cause">
    ### Check Cause

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        1. Sign in to the AWS Management Console.
        2. Navigate to the AWS AppSync service. You can find this by typing 'AppSync' into the search bar at the top of the console.
        3. Once in the AppSync dashboard, select the API that you want to check for WAF association.
        4. In the settings or details of the selected API, look for a section or field related to AWS WAF. If the API is associated with a WAF, it should be listed here. If there is no such section or the field is empty, then the API is not associated with a WAF.
      </Accordion>

      <Accordion title="Using CLI">
        1. First, you need to install and configure AWS CLI on your local machine. You can do this by following the instructions provided by AWS. Make sure you have the necessary permissions to access the resources.

        2. Once the AWS CLI is set up, you can list all the AppSync APIs in your account by running the following command:

           ```
           aws appsync list-graphql-apis --region your-region
           ```

           Replace 'your-region' with the region where your resources are located. This command will return a list of all the AppSync APIs in the specified region.

        3. For each AppSync API, you can check if it is associated with a Web Application Firewall (WAF) by running the following command:

           ```
           aws wafv2 list-web-acls --scope REGIONAL --region your-region
           ```

           This command will list all the Web ACLs in the specified region. You need to check if the ARN of your AppSync API is present in the list.

        4. If the ARN of your AppSync API is not present in the list, it means that the API is not associated with a WAF. You can use a Python script to automate this process. The script will iterate over all the AppSync APIs and check if they are associated with a WAF. If an API is not associated with a WAF, the script will print a message indicating the misconfiguration.
      </Accordion>

      <Accordion title="Using Python">
        To check if AppSync is associated with WAF in AWS using Python scripts, you can use the AWS SDK for Python (Boto3). Here are the steps:

        1. **Setup AWS SDK for Python (Boto3):**
           First, you need to set up Boto3 on your machine. You can install it using pip:
           ```
           pip install boto3
           ```
           Then, configure your AWS credentials. You can do this by creating the files \~/.aws/credentials and \~/.aws/config:
           ```
           ~/.aws/credentials:
           [default]
           aws_access_key_id = YOUR_ACCESS_KEY
           aws_secret_access_key = YOUR_SECRET_KEY

           ~/.aws/config:
           [default]
           region=us-east-1
           ```

        2. **Create a Python script to list all AppSync APIs:**
           Use the `list_graphql_apis` method to get all the AppSync APIs. Here is a sample script:
           ```python theme={null}
           import boto3

           client = boto3.client('appsync')

           response = client.list_graphql_apis()

           for api in response['graphqlApis']:
               print(api['name'], api['apiId'])
           ```
           This script will print the name and ID of all your AppSync APIs.

        3. **Create a Python script to get the WAF web ACL for each AppSync API:**
           Use the `get_web_acl_for_resource` method to get the WAF web ACL for each AppSync API. Here is a sample script:
           ```python theme={null}
           import boto3

           client = boto3.client('wafv2')

           response = client.get_web_acl_for_resource(
               ResourceArn='arn:aws:appsync:us-east-1:123456789012:apis/YourApiId'
           )

           print(response['WebACL'])
           ```
           Replace 'YourApiId' with the ID of your AppSync API. This script will print the WAF web ACL for the specified AppSync API.

        4. **Check if the WAF web ACL is associated with the AppSync API:**
           If the `get_web_acl_for_resource` method returns a web ACL, then the AppSync API is associated with WAF. If it returns an error or an empty result, then the AppSync API is not associated with WAF. You can add this check to your script:
           ```python theme={null}
           if 'WebACL' in response:
               print('AppSync API is associated with WAF')
           else:
               print('AppSync API is not associated with WAF')
           ```
           This script will print whether the specified AppSync API is associated with WAF or not.
      </Accordion>
    </AccordionGroup>
  </Tab>

  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        To associate AWS AppSync with AWS WAF (Web Application Firewall) in AWS console, follow these steps:

        1. **Sign in to the AWS Management Console:**
           Go to [https://aws.amazon.com/](https://aws.amazon.com/) and sign in to the AWS Management Console using your credentials.

        2. **Navigate to AWS AppSync service:**
           Click on the "Services" dropdown menu at the top of the console, search for "AppSync" in the search bar, and click on "AWS AppSync" to open the AWS AppSync console.

        3. **Select the AppSync API:**
           In the AWS AppSync console, select the API that you want to associate with AWS WAF from the list of APIs displayed.

        4. **Click on "Settings" tab:**
           Once you have selected the API, click on the "Settings" tab in the left-hand menu to configure the settings for the selected API.

        5. **Enable AWS WAF:**
           In the "Settings" tab, look for the "Security" section and find the option to enable AWS WAF. Click on the "Edit" button next to the AWS WAF option.

        6. **Associate AWS WAF with the API:**
           In the AWS WAF configuration settings, you can choose to associate an existing AWS WAF web ACL with the API or create a new web ACL. Select the appropriate option based on your requirements.

        7. **Configure AWS WAF settings:**
           If you are creating a new web ACL, follow the on-screen instructions to configure the AWS WAF settings such as rules, conditions, and actions to protect your API from common web exploits and attacks.

        8. **Save the changes:**
           After configuring the AWS WAF settings, click on the "Save" or "Update" button to associate AWS WAF with the selected AppSync API.

        9. **Verify the association:**
           Once the changes are saved, verify that AWS WAF is successfully associated with the AWS AppSync API by checking the settings and configurations in the AWS AppSync console.

        By following these steps, you can remediate the misconfiguration by associating AWS AppSync with AWS WAF in the AWS console to enhance the security of your API.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To associate AWS AppSync with AWS WAF using AWS CLI, follow these steps:

        1. Create a WebACL in AWS WAF:

        ```bash theme={null}
        aws wafv2 create-web-acl --name "MyAppSyncWebACL" --scope REGIONAL --default-action "Allow={}" --description "WebACL for protecting AppSync"
        ```

        2. Get the WebACL ARN:

        ```bash theme={null}
        export WEBACL_ARN=$(aws wafv2 list-web-acls --scope REGIONAL --query "WebACLs[?Name=='MyAppSyncWebACL'].ARN" --output text)
        ```

        3. Update the AWS AppSync API with the WebACL ARN:

        ```bash theme={null}
        aws appsync update-graphql-api --api-id YOUR_API_ID --additional-authentication-providers "WAF={WebACLArn=$WEBACL_ARN}"
        ```

        Replace `YOUR_API_ID` with the ID of your AWS AppSync API.

        4. Verify the association by checking the AWS AppSync API details:

        ```bash theme={null}
        aws appsync get-graphql-api --api-id YOUR_API_ID --query "additionalAuthenticationProviders"
        ```

        Now, your AWS AppSync API is associated with AWS WAF for protection.
      </Accordion>

      <Accordion title="Using Python">
        To associate AWS AppSync with AWS WAF (Web Application Firewall) using Python, you can follow these steps:

        1. Import the necessary libraries:

        ```python theme={null}
        import boto3
        ```

        2. Initialize the AWS clients for AppSync and WAF:

        ```python theme={null}
        appsync_client = boto3.client('appsync')
        wafv2_client = boto3.client('wafv2')
        ```

        3. Get the API ID of your AWS AppSync API:

        ```python theme={null}
        response = appsync_client.list_graph_ql_apis()
        api_id = response['graphQLApis'][0]['apiId']
        ```

        4. Create a WebACL in AWS WAF:

        ```python theme={null}
        web_acl_response = wafv2_client.create_web_acl(
            Name='MyAppSyncWebACL',
            Scope='REGIONAL',  # or set it to 'CLOUDFRONT' if using a CloudFront distribution
            DefaultAction={
                'Allow': {}
            },
            Description='WebACL for protecting AppSync API',
            Rules=[]
        )
        web_acl_id = web_acl_response['WebACL']['Id']
        ```

        5. Associate the WebACL with your AWS AppSync API:

        ```python theme={null}
        appsync_client.associate_web_acl(
            ApiId=api_id,
            WebAclArn=web_acl_id
        )
        ```

        6. Verify the association:

        ```python theme={null}
        response = appsync_client.get_web_acl_association(
            ApiId=api_id
        )
        print(response)
        ```

        By following these steps, you can associate AWS AppSync with AWS WAF using Python. This will help protect your AppSync API from common web attacks and vulnerabilities.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>
