Protect HTTP API Gateway with WAF

0

Hi team, I am using HTTP API Gateway (not REST API Gateway).

Is there a way to make the HTTP API Gateway use/support WAF?

Thank you.

3 Answers
3

Hello,

WAF support for HTTP APIs is currently not supported.

As a workaround, you can front the API Gateway with Amazon CloudFront and enable WAF on CloudFront.

AWS
ben_c
answered 2 years ago
  • In this case, how do we prevent bypassing CloudFront and hitting the API GW directly?

2

As ben_c mentioned you can put CloudFront in front of your API.

How to prevent direct calls to your API and only allow CloudFront to call it is described in the Well-Architected Labs and follows best practices: https://wellarchitectedlabs.com/security/300_labs/300_multilayered_api_security_with_cognito_and_waf/3_prevent_requests_from_accessing_api_directly/

In general it is handled by inserting a specific header in CloudFront and checking this header during the call.

AWS
Marco
answered 2 years ago
  • Thank you so much for your answer. I followed the above tutorial, but in my case in CloudFront, under Origins, my Origin is an S3 bucket, not the API GW.

    I have my CF distribution that has an S3 bucket as Origin, and then behind it I have the API GW.

    How can I do that in my case if my origin is my S3 bucket that contains static assets and not the API GW?

    users => CF (with Angular app in S3 bucket as Origin; my S3 is not configured with static website hosting) => API GW => NLB => Fargate cluster

  • @Marco the link you posted explaining how to prevent API Gateway from being reached directly still relies on using WAF directly on the REST API (v1) to validate the custom origin header, but this is unsupported for HTTP APIs (v2), which is what the question was about in the first place. I think the only way this could work with HTTP API is by having a Lambda Authorizer that validates the custom header.
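Worked example of the Lambda Authorizer approach raised in the comment above. This is added here and is not code from the Well-Architected Lab or from any answer in this thread. It assumes an HTTP API Lambda authorizer attached with payload format version 2.0 and simple responses enabled, a CloudFront origin custom header whose name (`x-origin-verify`) and the environment variable carrying the shared secret (`ORIGIN_VERIFY_SECRET`) are both assumptions for this example, and that the same secret value is configured on the CloudFront origin. The sample events are constructed.

```python
"""HTTP API (v2) Lambda authorizer that checks a CloudFront origin custom header.

Assumptions (example-specific, not from the thread): the header is named
x-origin-verify, the shared secret arrives via the ORIGIN_VERIFY_SECRET
environment variable, and the authorizer is attached to the HTTP API routes
with payload format version 2.0 and simple responses enabled.
"""
import hmac
import os

ORIGIN_VERIFY_HEADER = "x-origin-verify"   # assumed header name
SECRET_ENV_VAR = "ORIGIN_VERIFY_SECRET"    # assumed env var name


def header_matches(headers, expected_secret, header_name=ORIGIN_VERIFY_HEADER):
    """True only if the header is present and equals the expected secret.

    Header names are compared case-insensitively (payload 2.0 already
    lowercases them) and the value is compared in constant time so a
    caller cannot learn the secret byte by byte from response timing.
    """
    if not expected_secret:
        # A missing or empty secret must fail closed, never allow everything.
        return False
    normalized = {k.lower(): v for k, v in (headers or {}).items()}
    presented = normalized.get(header_name.lower())
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode("utf-8"),
                               expected_secret.encode("utf-8"))


def authorize(event, expected_secret):
    """Build the HTTP API 'simple response' for a payload-2.0 authorizer event."""
    authorized = header_matches(event.get("headers"), expected_secret)
    response = {"isAuthorized": authorized}
    if authorized:
        # Optional context is forwarded to the integration as $context.authorizer.*
        response["context"] = {"origin": "cloudfront"}
    return response


def lambda_handler(event, context):
    """Lambda entry point: the secret comes from the environment (assumed)."""
    return authorize(event, os.environ.get(SECRET_ENV_VAR, ""))


# Constructed sample events shaped like payload format 2.0 authorizer input.
SAMPLE_SECRET = "example-shared-secret-not-real"
EVENT_VIA_CLOUDFRONT = {
    "version": "2.0",
    "routeKey": "GET /orders",
    "rawPath": "/orders",
    "headers": {"host": "api.example.invalid", "x-origin-verify": SAMPLE_SECRET},
}
EVENT_DIRECT = {
    "version": "2.0",
    "routeKey": "GET /orders",
    "rawPath": "/orders",
    "headers": {"host": "api.example.invalid"},
}

if __name__ == "__main__":
    print(authorize(EVENT_VIA_CLOUDFRONT, SAMPLE_SECRET))  # isAuthorized: True
    print(authorize(EVENT_DIRECT, SAMPLE_SECRET))          # isAuthorized: False
```

The header only proves that a request passed through a CloudFront distribution that knows the secret; the filtering itself still comes from the WAF web ACL on that distribution, so this check complements rather than replaces it. Treat the secret like a credential: keep it out of source, and plan a rotation where both the old and new value are accepted briefly while CloudFront's origin header is updated.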

0

HTTP API does not support WAF. If you need it, use REST APIs. If you still want to use HTTP API, you should follow the recommendations made by others, which is to use a CloudFront distribution in front of your API and make sure the request is coming from there.

AWS
EXPERT
Uri
answered 2 years ago

  • Hi Uri, any plans to implement WAF for HTTP Gateway in the coming year? Might the CloudFront wrapper solution cause some latency with that extra layer?
