Public API gateway not configured with AWS Web Application Firewall v2 (AWS WAFv2)
Description
AWS WAF is a web application firewall service that helps protect your web applications and APIs from common web exploits that could affect your application's availability, integrity, or confidentiality. By attaching AWS WAF to your public API gateway, you can create rules that block or allow traffic based on the characteristics of the traffic, such as the IP address, the HTTP method, or the values of specific headers. This can help to protect your API from common web exploits such as SQL injection attacks, cross-site scripting attacks, and other types of malicious traffic.
Code Example
go
resource "aws_api_gateway_rest_api" "edge" {
name = var.name
policy = ""
endpoint_configuration {
types = ["EDGE"]
}
}
resource "aws_api_gateway_stage" "wafv2_edge" {
deployment_id = aws_api_gateway_deployment.example.id
rest_api_id = aws_api_gateway_rest_api.edge.id
stage_name = "example"
}
resource "aws_wafv2_web_acl_association" "edge" {
resource_arn = aws_api_gateway_stage.wafv2_edge.arn
web_acl_id = aws_wafv2_web_acl.foo.id
}Remediation
Terraform
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0463 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_AWS_29 |