Associate WAF ACL with specific resource paths from API Gateway

0

I am writing a SAM template where I should have an AWS::WAFv2::WebACLAssociation to associate the WAF with specific resource paths inside the API Gateway REST API.

In the documentation I have found the following example, which describes how to associate an AWS WAF regional Web ACL with an API Gateway: ResourceArn: !Sub arn:aws:apigateway:${AWS::Region}::/restapis/${Api}/stages/Prod

where ${Api} = some API Gateway

However, I cannot find an example of how to specify a resource path so that the WAF rules are applied not to all resource paths but just to a specified one. Any help or link to documentation would be really helpful.

2 Answers
1

Hello.

I don't think it is possible to configure AWS WAF to be linked only to a specific resource path in API Gateway.
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webaclassociation.html

For an Amazon API Gateway REST API: arn:partition:apigateway:region::/restapis/api-id/stages/stage-name

For example, I think it is possible to create a custom rule for AWS WAF and set it so that access to a specific URL is not blocked by WAF.
https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-string-conditions.html#classic-web-acl-string-conditions-values

Expert
Answered 3 months ago
  • Hello, thank you for the answer. Since I need different protection mechanisms for the /admin API and the /user API, do you think it is a better option to create 2 separate API Gateways, one for domain.com/user and the other for domain.com/admin (different gateways, not mappings, since I cannot associate a BasePathMapping with WAF), or to go on with scope-down statements? For the /admin API I need an authorization key in a header (which I planned to check at the WAF level with a string match) and an IP allow rule, so only the admin IP is allowed access. For the /user API I need a Lambda authorizer with custom authentication, rate limit rules and DDoS prevention rules.

1

You can use scope-down statements within AWS WAF to achieve this.

AWS
Expert
Paul_L
Answered 3 months ago
  • Hello, thank you for the answer. Since I need different protection mechanisms for the /admin API and the /user API, do you think it is a better option to create 2 separate API Gateways, one for domain.com/user and the other for domain.com/admin (different gateways, not mappings, since I cannot associate a BasePathMapping with WAF), or to go on with scope-down statements? For the /admin API I need an authorization key in a header (which I planned to check at the WAF level with a string match) and an IP allow rule, so only the admin IP is allowed access. For the /user API I need a Lambda authorizer with custom authentication, rate limit rules and DDoS prevention rules.
