Associate WAF ACL with specific resource paths from API Gateway

I am writing a SAM template where I should have an AWS::WAFv2::WebACLAssociation to associate the WAF with specific resource paths inside the API Gateway REST API.

In the documentation I found the following example, which describes how to associate an AWS WAF regional web ACL with an API Gateway: ResourceArn: !Sub arn:aws:apigateway:${AWS::Region}::/restapis/${Api}/stages/Prod

where ${Api} = some API gateway

However, I cannot find an example of how to specify a resource path so that the WAF rules are not applied to all resource paths but just to a specified one. Any help or link to documentation would be really helpful.

2 Answers

Hello.

I don't think it is possible to configure AWS WAF to be linked only to a specific resource path in API Gateway.
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webaclassociation.html

For an Amazon API Gateway REST API: arn:partition:apigateway:region::/restapis/api-id/stages/stage-name

For example, I think it is possible to create a custom rule for AWS WAF and set it so that access to a specific URL is not blocked by WAF.
https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-string-conditions.html#classic-web-acl-string-conditions-values

EXPERT
answered 3 months ago
  • Hello, thank you for the answer. Since I need different protection mechanisms for the /admin API and the /user API, do you think it is a better option to create 2 separate API Gateways, one for domain.com/user and the other for domain.com/admin (different gateways, not mappings, since I cannot associate a BasePathMapping with WAF), or to go on with scope-down statements? For the /admin API I need an authorization key in a header (which I planned to check at the WAF level with a string match) and an IP allow rule, so only the admin IP is allowed to access. For the /user API I need a Lambda authorizer with custom authentication, rate limit rules and DDoS prevention rules.


You can use scope-down statements within AWS WAF to achieve this.

AWS EXPERT Paul_L
answered 3 months ago
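Both answers say the same thing from different angles: the WebACLAssociation can only target the whole stage ARN, and path selectivity has to come from the rule statements themselves. The SAM/CloudFormation fragment below is an added example (not code from the question or from either answer) that does exactly that for the two paths the question describes: an IP allow-list plus header check that applies only under /admin, and a rate-based rule that counts only requests under /user. Everything beyond the stage ARN from the question is assumed: the logical IDs Api, ApiProdStage, AdminIpSet and PathScopedWebAcl, the x-admin-key header name, the AdminApiKey parameter and the 203.0.113.10/32 admin address.

```yaml
# Added example, not from the question or either answer. Assumed names:
# Api (the REST API from the question), ApiProdStage (SAM's generated stage
# resource for stage Prod), AdminIpSet, PathScopedWebAcl, x-admin-key,
# AdminApiKey, 203.0.113.10/32 (RFC 5737 documentation range).
Parameters:
  AdminApiKey:
    Type: String
    NoEcho: true                      # expected value of the x-admin-key header

Resources:
  AdminIpSet:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: admin-allow-list
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 203.0.113.10/32             # assumed admin egress address

  PathScopedWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: api-path-scoped-acl
      Scope: REGIONAL
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: ApiPathScopedAcl
      Rules:
        # Rule 1: block requests under /admin unless they come from the
        # allow-listed IP AND carry the expected header. A custom rule has no
        # ScopeDownStatement property; the path match is nested with
        # AndStatement/NotStatement instead.
        - Name: AdminPathRequiresIpAndKey
          Priority: 0
          Action:
            Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: AdminPathRequiresIpAndKey
          Statement:
            AndStatement:
              Statements:
                - ByteMatchStatement:           # request path starts with /admin
                    FieldToMatch:
                      UriPath: {}
                    PositionalConstraint: STARTS_WITH
                    SearchString: /admin
                    TextTransformations:
                      - Priority: 0
                        Type: LOWERCASE
                - NotStatement:                 # ...and NOT (allowed IP AND key)
                    Statement:
                      AndStatement:
                        Statements:
                          - IPSetReferenceStatement:
                              Arn: !GetAtt AdminIpSet.Arn
                          - ByteMatchStatement:
                              FieldToMatch:
                                SingleHeader:
                                  Name: x-admin-key
                              PositionalConstraint: EXACTLY
                              SearchString: !Ref AdminApiKey
                              TextTransformations:
                                - Priority: 0
                                  Type: NONE
        # Rule 2: rate-limit /user only. RateBasedStatement does accept a
        # ScopeDownStatement, so only matching requests count toward the limit.
        - Name: UserPathRateLimit
          Priority: 1
          Action:
            Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: UserPathRateLimit
          Statement:
            RateBasedStatement:
              Limit: 1000                       # requests per 5 minutes per source IP
              AggregateKeyType: IP
              ScopeDownStatement:
                ByteMatchStatement:
                  FieldToMatch:
                    UriPath: {}
                  PositionalConstraint: STARTS_WITH
                  SearchString: /user
                  TextTransformations:
                    - Priority: 0
                      Type: LOWERCASE

  # The association still targets the whole stage (the only supported ARN form
  # for a REST API); path selectivity comes from the rule statements above.
  ApiWebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    DependsOn: ApiProdStage
    Properties:
      ResourceArn: !Sub arn:aws:apigateway:${AWS::Region}::/restapis/${Api}/stages/Prod
      WebACLArn: !GetAtt PathScopedWebAcl.Arn
```

Two things to check before relying on this. First, rules are evaluated in Priority order and Block is terminating, so a request under /admin that fails rule 1 never reaches the rate limit; order the rules for the behaviour you want. Second, UriPath is the path as it arrives at the stage, so with a custom domain and base path mapping confirm in the web ACL's sampled requests what the inspected path actually looks like before trusting a STARTS_WITH prefix. The header comparison is a shared-secret gate, not authentication: the value lives in the rule definition and is readable by anyone with wafv2:GetWebACL, so keep an authorizer on the /admin methods as well rather than relying on WAF alone.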
