Hello.
I don't think it is possible to configure AWS WAF to be linked only to a specific resource path in API Gateway.
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webaclassociation.html
For an Amazon API Gateway REST API: arn:partition:apigateway:region::/restapis/api-id/stages/stage-name
For example, I think it is possible to create a custom rule for AWS WAF and set it so that access to a specific URL is not blocked by WAF.
https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-string-conditions.html#classic-web-acl-string-conditions-values
You can use scope-down statements within AWS WAF to achieve this.
Hello, thank you for the answer. Since I need different protection mechanisms for the /admin API and the /user API, do you think it is a better option to create 2 separate API Gateways, one for domain.com/user and the other for domain.com/admin (different gateways, not mappings, since I cannot associate a BasePathMapping with WAF), or to go on with scope-down statements? For the /admin API I need an authorization key in a header (which I planned to check on the WAF level with a string match) and an IP allow rule, so only the admin IP is allowed to access it. For the /user API I need a Lambda authorizer with custom authentication, rate limit rules and DDoS prevention rules.
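To make the two options concrete, here is an added example (not part of the original thread, and not AWS documentation) of the `Rules` array for a single AWS WAFv2 web ACL associated with one API Gateway stage. It keeps both paths under one gateway and splits the protection per path: a rule that blocks anything under `/admin` unless the source IP is in an allow-list IP set AND the request carries the expected header value, and a rate-based rule whose `ScopeDownStatement` limits the rate counting to `/user`. The IP set ARN, the header name `x-admin-key`, the search string `PLACEHOLDER-ADMIN-KEY`, the rate limit and the metric names are assumptions for the example.

```json
[
  {
    "Name": "BlockAdminUnlessAllowlistedAndKeyed",
    "Priority": 0,
    "Statement": {
      "AndStatement": {
        "Statements": [
          {
            "ByteMatchStatement": {
              "FieldToMatch": { "UriPath": {} },
              "PositionalConstraint": "STARTS_WITH",
              "SearchString": "/admin",
              "TextTransformations": [ { "Priority": 0, "Type": "LOWERCASE" } ]
            }
          },
          {
            "NotStatement": {
              "Statement": {
                "AndStatement": {
                  "Statements": [
                    {
                      "IPSetReferenceStatement": {
                        "ARN": "arn:aws:wafv2:eu-west-1:111122223333:regional/ipset/admin-allowlist/PLACEHOLDER-IPSET-ID"
                      }
                    },
                    {
                      "ByteMatchStatement": {
                        "FieldToMatch": { "SingleHeader": { "Name": "x-admin-key" } },
                        "PositionalConstraint": "EXACTLY",
                        "SearchString": "PLACEHOLDER-ADMIN-KEY",
                        "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ]
                      }
                    }
                  ]
                }
              }
            }
          }
        ]
      }
    },
    "Action": { "Block": {} },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "BlockAdminUnlessAllowlistedAndKeyed"
    }
  },
  {
    "Name": "RateLimitUserPath",
    "Priority": 1,
    "Statement": {
      "RateBasedStatement": {
        "Limit": 1000,
        "AggregateKeyType": "IP",
        "ScopeDownStatement": {
          "ByteMatchStatement": {
            "FieldToMatch": { "UriPath": {} },
            "PositionalConstraint": "STARTS_WITH",
            "SearchString": "/user",
            "TextTransformations": [ { "Priority": 0, "Type": "LOWERCASE" } ]
          }
        }
      }
    },
    "Action": { "Block": {} },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "RateLimitUserPath"
    }
  }
]
```

The first rule reads as "block if path starts with /admin and NOT (allow-listed IP and correct header)", so a request that fails either admin check never reaches the stage, while `/user` traffic is unaffected by it. Note that the web ACL itself stays attached to the whole stage; the path restriction lives entirely in the rule statements, which is the scope-down approach from the answer above. Two practical caveats: a header value compared in WAF is readable by anyone with permission to view the web ACL, so it is a coarse gate rather than a substitute for the Lambda authorizer or API key validation inside API Gateway, and the `LOWERCASE` transformation on the path is there so `/Admin` does not slip past the `STARTS_WITH` match.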