Is websocket api is protected by AWS WAF ?

0

Hi
Can you please let me know is AWS websocket API is protected AWS WAF as im not able to see any configuration related to WAF in stage or AWS documentation ?

If it is not protected by WAF then how Websocket is protected .Can you please explain as this important for us as earlier we thought to use rest API and it is protected by WAF but we didnt see anything for Websocket API .

kakollu
asked 2 years ago1026 views
5 Answers
0

As of now, WAF cannot be used with a WebSocket API in Amazon API Gateway.
Can you please elaborate your use cases for how you want to protect your WebSocket API?

answered 2 years ago
0

Our Websocket API is consumed by the mobile app/web i.e, our endpoint are exposed publicly outside.From AWS WAF documentation understood that "WS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits and it will try to control the traffic and provide security from common attack"

So, can you please explain if WAF is not supported with Websocket API then how our API's can be protected by such web exploits or common attack..etc which WAF is providing?

Is there any tentative time for providing WAF support for websocket API or is there any service which can be used for protection like WAF for WS API?

kakollu
answered 2 years ago
0

There isn't a same level/convenience of protection what WAF provides. However, by configuring appropriate access control and throttling, you can protect your API from most threats. By nature of stateful API, you should focus on when the connection is established, $connect route in the WebSocket API.

The simplest/lightweight solution is using api key and usage plan. You can optionally require an API key for $connect route, and use it together with usage plan. Additionally, you can configure authorization on the $connect.
https://docs.aws.amazon.com/apigateway/latest/developerguide/websocket-api-develop-routes.html
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-usage-plans.html
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api-control-access.html

API Gateway also provides account-level throttling and route-level throttling.
https://docs.aws.amazon.com/apigateway/latest/developerguide/websocket-api-protect.html

Please note that API Gateway doesn't charge you when the request is unauthorized (you need to pay for Lambda cost if you use Lambda authorizer) or throttled.

In addition to it, I suggest to find your own way to monitor the activity of the client. For example, you can send a certain question message (e.g. What is 5+3?) to the client periodically. If the client doesn't provide an answer (It's 8) in the meantime, you can suspect the client is abnormal. If you identify suspicious activities from a certain client, you could disconnect the client with @connection API or Management SDK. If you continue to see the same behavior from a certain client on the same IP address, then you may deny the connection from the IP address within your authorizer.

I understand this answer might not be sufficient to you and apologize that I can't provide a tentative timeline for the WAF support.

answered 2 years ago
0

Hi ,
I have created cloudfront for websocket API as AWS announced it support with the help of below links.

After creating cloudfront , able to configure the AWS WAF and consume websocket API's using clients like websocket Echo/simple websocket client.

But when I use WSCAT command to connect API im getting error as "error: Unexpected server response: 403".Can you please let me know why we are getting different response for same endpoint?

Also I see in API GW documentation that custom domain is not supported for websocket API with Edge-optimized which will create cloudfront .I assume this is same as above ,please let me know if that is different.

let me know if this approach of creating cloud-front for enabling WAF is correct or not.

https://aws.amazon.com/about-aws/whats-new/2018/11/amazon-cloudfront-announces-support-for-the-websocket-protocol/
https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?templateURL=https://s3.amazonaws.com/computeblog-us-east-1/apigateway-waf/cfn-cloudfront-apigw.yaml

kakollu
answered 2 years ago
0

Hi ,
As mentioned in the above post, I have created cloudfront and attached the execute api uri under Origins and attached custom domain for the CF URI.I try to connect the websocket URL using WSCAT with new custom domain and it is working as excepted but when I try using websocket connection URL for send messaged to connection (using AWS V4 signature ) it is failing with below error.

when I use same signature (access key and secret) it is working as excepted .Can you please let me know if we need to do any addition settings in cloudfront.
i have tested using postman for invoking the connection URL for both the URL (cloudfront and execute api )
ERROR:-
{
"message": "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.\n\nThe Canonical String for this request should have been\n'POST\n/dev/%40connections/T-9paezXFiACHOQ%3D\n\nhost:.execute-api.eu-central-1.amazonaws.com\nx-amz-content-sha256:*******\nx-amz-date:20201006T101827Z\nx-amz-security-token://////////***********************************************************\n\nhost;x-amz-content-sha256;x-amz-date;x-amz-security-token*46340bb665ca7adebb849'\n\nThe String-to-Sign should have been\n'AWS4-HMAC-SHA256\n20201006T101827Z\n20201006/eu-central-1/execute-api/aws4_request********************'\n"
}

kakollu
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions