Protect HTTP Api Gateway with WAF

0

Hi team, I am using HTTP API Gateway (not REST API Gateway).

Is there a way to make the HTTP API Gateway use/support WAF?

Thank you.

3 Answers
3

Hello,

WAF support for HTTP APIs is currently not supported.

As a workaround, you can front the API Gateway with Amazon CloudFront and enable WAF on CloudFront.

AWS
ben_c
answered 2 years ago
  • In this case, how do we prevent bypassing CloudFront and hitting the API GW directly?

2

As ben_c mentioned you can put CloudFront in front of your API.

Preventing direct calls to your API and allowing only CloudFront to call it is described in the Well-Architected Labs and follows best practices. https://wellarchitectedlabs.com/security/300_labs/300_multilayered_api_security_with_cognito_and_waf/3_prevent_requests_from_accessing_api_directly/

In general it is handled by inserting a specific header in CloudFront and checking for this header during the call.

AWS
Marco
answered 2 years ago
  • Thank you so much for your answer. I followed the above tutorial, but in my case in CloudFront, under Origins, my Origin is an S3 bucket, not the API GW.

    I have my CF distribution that has an S3 bucket as Origin, and then behind it I have the API GW.

    How can I do that in my case if my origin is my S3 bucket that contains static assets and not the API GW?

    users => CF (with Angular app in S3 bucket as Origin; my S3 is not configured with static website hosting) => API GW => NLB => Fargate cluster

  • @Marco the link you posted explaining how to prevent API Gateway from being reached directly still relies on using WAF directly on the REST API (v1) to validate the custom origin header, but this is unsupported for HTTP APIs (v2), which is what the question was about in the first place. I think the only way this could work with HTTP API is by having a Lambda Authorizer that validates the custom header.
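The Lambda authorizer approach proposed in the last comment, as an added example that is not part of any answer on this page. It assumes the HTTP API is configured with a Lambda authorizer using the v2 payload format and simple responses, and that CloudFront adds an origin-request header named `X-Origin-Verify` carrying a shared secret (header name, environment variable and placeholder value are assumptions).

```python
import hmac
import os

# Header that CloudFront is configured to add on every origin request
# (name is an assumption). HTTP API v2 payloads lowercase header names.
HEADER_NAME = "x-origin-verify"

# In a real deployment the expected value would come from Secrets Manager or
# an environment variable; the default below is a constructed placeholder.
EXPECTED_SECRET = os.environ.get("ORIGIN_VERIFY_SECRET", "constructed-placeholder-secret")


def header_matches(headers, expected=EXPECTED_SECRET):
    """Return True only if the CloudFront-injected header is present and
    equal to the shared secret. Comparison is constant-time so a caller
    cannot learn the secret byte by byte from response timing."""
    if not headers:
        return False
    presented = headers.get(HEADER_NAME)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


def lambda_handler(event, context=None):
    """Lambda authorizer for an HTTP API (v2 payload, simple response).

    A request that reaches the API without passing through CloudFront lacks
    the header and is denied; a CloudFront-fronted request carries it and is
    allowed. WAF rules then apply on the CloudFront distribution."""
    headers = event.get("headers") or {}
    allowed = header_matches(headers)
    return {
        "isAuthorized": allowed,
        # Optional context, forwarded to the integration for logging.
        "context": {"via_cloudfront": allowed},
    }


if __name__ == "__main__":
    # Constructed sample events: one via CloudFront, one hitting the API directly.
    via_cf = {"headers": {HEADER_NAME: EXPECTED_SECRET, "host": "api.example.com"}}
    direct = {"headers": {"host": "api.example.com"}}
    print(lambda_handler(via_cf)["isAuthorized"])  # True
    print(lambda_handler(direct)["isAuthorized"])  # False
```

Rotate the secret by configuring the new value on both CloudFront and the authorizer; a request whose header does not match is rejected before it reaches the NLB or Fargate integration.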

0

HTTP API does not support WAF. If you need it, use REST APIs. If you still want to use HTTP API, you should follow the recommendation made by others, which is to use a CloudFront distribution in front of your API and make sure the request is coming from there.

AWS
EXPERT
Uri
answered 2 years ago
  • Hi Uri, any plans to implement WAF for HTTP gateway in the coming year? Might the CloudFront wrapper solution cause some latency with that extra layer?
