Hello,
WAF support for HTTP APIs is currently not supported.
As a workaround, you can front the API Gateway with Amazon CloudFront and enable WAF on CloudFront.
As ben_c mentioned you can put CloudFront in front of your API.
Preventing direct calls to your API so that only CloudFront can reach it is described in the Well-Architected Labs and follows best practices: https://wellarchitectedlabs.com/security/300_labs/300_multilayered_api_security_with_cognito_and_waf/3_prevent_requests_from_accessing_api_directly/
In general it is handled by inserting a specific header in CloudFront and checking that header on each call.
Thank you so much for your answer: I followed the above tutorial, but in my case in CloudFront, under Origins, my Origin is an S3 bucket, not the API GW.
I have my CF distribution that has an S3 bucket as Origin and then behind it have the API GW.
How can I do that in my case if my origin is my S3 bucket that contains static assets and not the API GW?
users => CF (with Angular app in S3 bucket as Origin: my S3 is not configured with static website hosting) => API GW => NLB => Fargate cluster
@Marco the link you posted explaining how to prevent API Gateway from being reached directly still relies on using WAF directly on the REST API (v1) to validate the custom origin header, but this is unsupported for HTTP APIs (v2), which is what the question was about in the first place. I think the only way this could work with HTTP API is by having a Lambda Authorizer that validates the custom header.
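As an added illustration of the Lambda Authorizer approach (example code, not from this thread or from AWS), the following Python handler validates a custom origin header that the CloudFront distribution would add to every origin request; it assumes an HTTP API authorizer configured for payload format 2.0 with simple responses, a header name of `x-origin-verify` and a secret held in the `ORIGIN_VERIFY_SECRET` environment variable, all of which are choices of this example.

```python
import hmac
import os

# Header name the CloudFront origin custom header is assumed to use (example choice).
HEADER_NAME = "x-origin-verify"
# Environment variable holding the shared secret on the Lambda side (example choice).
SECRET_ENV_VAR = "ORIGIN_VERIFY_SECRET"


def is_trusted(headers, expected_secret):
    """Return True only if the origin-verify header matches the shared secret.

    Fails closed: a missing secret or missing/mismatched header denies the request.
    """
    if not expected_secret:
        return False  # misconfigured deployment: never allow by accident
    # HTTP API payload 2.0 lowercases header names; normalise anyway to be safe.
    normalised = {k.lower(): v for k, v in (headers or {}).items()}
    received = normalised.get(HEADER_NAME, "")
    # Constant-time comparison so the check does not leak the secret via timing.
    return hmac.compare_digest(received.encode(), expected_secret.encode())


def authorize(event, expected_secret):
    """Build the HTTP API simple authorizer response (requires simple responses enabled)."""
    return {"isAuthorized": is_trusted(event.get("headers"), expected_secret)}


def handler(event, context):
    """Lambda entry point: read the secret from the environment and decide."""
    return authorize(event, os.environ.get(SECRET_ENV_VAR, ""))


# Constructed sample event in the HTTP API payload 2.0 shape (not a real capture).
SAMPLE_EVENT = {
    "version": "2.0",
    "routeKey": "GET /items",
    "rawPath": "/items",
    "headers": {"host": "api.example.invalid", "x-origin-verify": "example-shared-secret"},
    "requestContext": {"http": {"method": "GET", "path": "/items"}},
}

if __name__ == "__main__":
    print(authorize(SAMPLE_EVENT, "example-shared-secret"))  # {'isAuthorized': True}
```

The secret must also be set as an origin custom header on the CloudFront distribution and rotated alongside the Lambda environment variable; this check stops direct calls that lack the header but is not a substitute for WAF rule inspection.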
HTTP API does not support WAF. If you need it, use REST APIs. If you still want to use HTTP API, you should follow the recommendations made by others, which is to use a CloudFront distribution in front of your API and make sure the request is coming from there.
Hi Uri, any plans to implement WAF for HTTP gateway in the coming year? Wouldn't the CloudFront wrapper solution cause some latency with that extra layer?
In this case, how do we prevent bypassing CloudFront and hitting the API GW directly?