secure API GW with WAF

0

Hi team,

I want to secure my HTTP API GW (not REST API GW) with WAF. As the HTTP API GW doesn't support WAF, I read this article for the workaround:

https://wellarchitectedlabs.com/security/300_labs/300_multilayered_api_security_with_cognito_and_waf/3_prevent_requests_from_accessing_api_directly/

but in my case the origin of my distribution is an S3 bucket (static website hosting is not enabled) that hosts an Angular app:

**users** => CloudFront (with the Angular app in an S3 bucket as origin: this S3 bucket is not configured with static website hosting because content is served from CloudFront, not directly from S3) => API GW => **NLB** => Fargate cluster

is there a way to use the method explained in the above article when my origin is an S3 bucket with no static web hosting enabled?

my objective is to protect my HTTP API GW with WAF. The solution in the article is perfect, with the custom header and Secrets Manager, but it is not applicable in my case because my CF distribution has S3 as origin.

2 Answers
0

It doesn't matter where the client downloaded the app from. If the app makes a request to the API via CloudFront, it should work.

AWS EXPERT
Uri
answered 2 years ago
  • yes, but how can I prevent users from bypassing CF and hitting the HTTP API directly? The solution in the article in my question assumes that the origin is not S3, so that the WAF associated with that origin can read the WAF rule and block access. But in my case:

    Users => CloudFront (with the Angular app in an S3 bucket as origin: this S3 bucket is not configured with static website hosting because content is served from CloudFront, not directly from S3) => API GW => NLB => Fargate cluster

    I added a custom header X-Origin-Verify to my distribution with the secret value.

    I also added the WAF rule, but the WAF is only linked to the CF distribution since my HTTP API GW doesn't support WAF. And that's my whole point: to work around this and secure my HTTP API with WAF.

    So in my scenario (as detailed in the question above), how can I prevent users from hitting my HTTP GW directly?

0

S3 is your origin. To prevent bypassing CF to download from S3, you must restrict access to the origin to the Origin Access Identity from CloudFront. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

If you use the example from the lab, it is not possible to bypass anything to access your API Gateway. It requires the header with a secret value which only CloudFront knows. As long as this secret stays secret, it is not possible to access API Gateway. You can make requests, but those requests result in an error.

AWS
Marco
answered 2 years ago
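The thread leaves one point implicit: with an HTTP API there is no WAF to evaluate the X-Origin-Verify header, so the API itself has to reject requests that do not carry the value CloudFront injects. The following is an added example, not code from the re:Post thread or from the AWS lab, of a Lambda authorizer for an HTTP API that does that check. The header name (X-Origin-Verify, from the question), the environment-variable names, and the choice of accepting a current and a previous secret so that rotation does not produce a window of rejected requests are all assumptions; in a real deployment the values would come from Secrets Manager, as in the lab. Requests without the header, or with a wrong value, get `{"isAuthorized": false}` and API Gateway returns 403 before anything reaches the NLB or Fargate.

```python
"""Added example (not from the re:Post thread or the AWS lab): an HTTP API
Lambda authorizer that admits a request only when it carries the secret
header CloudFront adds as an origin custom header (X-Origin-Verify in the
question). Names, environment variables and the rotation scheme are assumed."""
import hmac
import os

# HTTP API payload format 2.0 lowercases header names before invoking the
# authorizer; we normalise anyway so the check is independent of that.
HEADER_NAME = "x-origin-verify"


def load_secrets():
    """Return the list of accepted secret values (assumed layout).

    The current value and, optionally, the previous one are read from
    environment variables so that a rotation does not reject traffic
    while CloudFront and the authorizer are updated at different moments."""
    candidates = [
        os.environ.get("ORIGIN_VERIFY_SECRET", ""),
        os.environ.get("ORIGIN_VERIFY_SECRET_PREVIOUS", ""),
    ]
    return [value for value in candidates if value]


def authorize(event, accepted):
    """Decide whether the request carries an accepted X-Origin-Verify value.

    Fails closed: no header, no accepted secrets, or a mismatch all return
    False. Comparison is constant-time so a caller cannot learn how many
    leading bytes of its guess were correct."""
    if not accepted:
        return False
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    supplied = headers.get(HEADER_NAME)
    if supplied is None:
        return False
    supplied_bytes = supplied.encode("utf-8")
    return any(
        hmac.compare_digest(supplied_bytes, secret.encode("utf-8"))
        for secret in accepted
    )


def handler(event, context=None):
    """Lambda entry point using the HTTP API simple response format.

    The authorizer must be created with enableSimpleResponses=true for this
    shape to be honoured; a rejected request is answered 403 by API Gateway."""
    return {"isAuthorized": authorize(event, load_secrets())}


if __name__ == "__main__":
    # Constructed sample events, mimicking the headers map of a payload v2 event.
    secrets = ["current-secret", "previous-secret"]
    via_cloudfront = {"headers": {"x-origin-verify": "current-secret"}}
    during_rotation = {"headers": {"x-origin-verify": "previous-secret"}}
    direct_hit = {"headers": {"user-agent": "curl/8.0"}}
    for name, ev in [("via_cloudfront", via_cloudfront),
                     ("during_rotation", during_rotation),
                     ("direct_hit", direct_hit)]:
        print(name, authorize(ev, secrets))
```

The secret must still be treated as a bearer credential: anyone who learns it can call the API directly, so the CloudFront origin custom header should be the only place it is configured on the client side, and rotating it means updating both the CloudFront origin and the authorizer's secret source.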
