Associate WAF ACL with specific resource paths from API Gateway

0

I am writing a SAM template where I need an AWS::WAFv2::WebACLAssociation to associate the WAF with specific resource paths inside the API Gateway REST API.

In the documentation I found the following example, which describes how to associate an AWS WAF regional Web ACL with an API Gateway: ResourceArn: !Sub arn:aws:apigateway:${AWS::Region}::/restapis/${Api}/stages/Prod

where ${Api} is some API Gateway

However, I cannot find an example of how to specify a resource path so that the WAF rules are not applied to all resource paths but just to a specified one. Any help or link to documentation would be really helpful.

2 Answers
1

Hello.

I don't think it is possible to configure AWS WAF to be linked only to a specific resource path in API Gateway.
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webaclassociation.html

For an Amazon API Gateway REST API: arn:partition:apigateway:region::/restapis/api-id/stages/stage-name

For example, I think it is possible to create a custom rule for AWS WAF and set it so that access to a specific URL is not blocked by WAF.
https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-string-conditions.html#classic-web-acl-string-conditions-values

EXPERT
answered 2 months ago

1

You can use scope-down statements within AWS WAF to achieve this.

AWS
EXPERT
Paul_L
answered 2 months ago
  • Hello, thank you for the answer. Since I need different protection mechanisms for the /admin API than for the /user API, do you think it is a better option to create 2 separate API Gateways, one for domain.com/user and the other for domain.com/admin (different gateways, not mappings, since I cannot associate a BasePathMapping with WAF), or to go on with scope-down statements? For the /admin API I need an authorization key in the header (which I planned to check on the WAF level with a string match) and an IP allow rule, so only the admin IP is allowed to access. For the /user API I need a Lambda authorizer with custom authentication, rate limit rules and DDoS prevention rules.
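Sketch of what the two answers point at, as an added CloudFormation example that is not code from the answerers or from AWS documentation: one regional Web ACL attached to a single REST API stage, where a ByteMatchStatement on UriPath confines the IP allow rule to /admin and a ScopeDownStatement confines the rate-based rule to /user, so the rules are path-specific even though the association itself can only target the whole stage. The ${Api} logical ID and Prod stage name are taken from the question; the rule names, the metric names and the 203.0.113.10/32 admin address are placeholders.

```yaml
Resources:
  AdminIpSet:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: admin-allow-list
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses: ["203.0.113.10/32"]   # placeholder admin IP (RFC 5737 documentation range)
  ApiWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: api-web-acl
      Scope: REGIONAL                   # REGIONAL is required for API Gateway REST APIs
      DefaultAction: { Allow: {} }
      VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: ApiWebAcl }
      Rules:
        - Name: AdminPathRequiresAllowedIp   # block /admin* unless the source IP is in the IP set
          Priority: 0
          Action: { Block: {} }
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: AdminPathRequiresAllowedIp }
          Statement:
            AndStatement:
              Statements:
                - ByteMatchStatement:        # path condition: STARTS_WITH also matches /administrator, so pick the prefix deliberately
                    FieldToMatch: { UriPath: {} }
                    PositionalConstraint: STARTS_WITH
                    SearchString: /admin
                    TextTransformations: [{ Priority: 0, Type: LOWERCASE }]
                - NotStatement:              # ... AND the client is NOT on the allow list
                    Statement:
                      IPSetReferenceStatement: { Arn: !GetAtt AdminIpSet.Arn }
        - Name: UserPathRateLimit            # rate limit that only counts requests to /user*
          Priority: 1
          Action: { Block: {} }
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: UserPathRateLimit }
          Statement:
            RateBasedStatement:
              Limit: 1000                    # requests per 5-minute window per source IP
              AggregateKeyType: IP
              ScopeDownStatement:            # requests outside /user are neither counted nor blocked
                ByteMatchStatement:
                  FieldToMatch: { UriPath: {} }
                  PositionalConstraint: STARTS_WITH
                  SearchString: /user
                  TextTransformations: [{ Priority: 0, Type: NONE }]
  WebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Sub arn:aws:apigateway:${AWS::Region}::/restapis/${Api}/stages/Prod
      WebACLArn: !GetAtt ApiWebAcl.Arn
```

The header key check mentioned in the comment fits as a further ByteMatchStatement with FieldToMatch SingleHeader inside the same AndStatement; keep the Lambda authorizer as the real authentication boundary, since a WAF string match only filters traffic in front of it.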
