Amazon API Gateway integration with AWS WAF

Amazon API Gateway integration with AWS WAF

Introduction

Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. With a few clicks in the AWS Ma…


This content originally appeared on DEV Community 👩‍💻👨‍💻 and was authored by Binh Bui

Amazon API Gateway integration with AWS WAF

Amazon API Gateway integration with AWS WAF

Introduction

Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. With a few clicks in the AWS Management Console, you can create an API that acts as a “front door” for applications to access data, business logic, or functionality from your back-end services, such as workloads running on Amazon Elastic Compute Cloud (Amazon EC2), code running on AWS Lambda, or any web application.

Amazon API Gateway supports several types of integrations with AWS services and third-party services. In this post, we will focus on the integration with AWS WAF. AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules. You can use AWS WAF to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter specific traffic patterns, such as requests from specific IP addresses or referring websites.

Why use Amazon API Gateway integration with AWS WAF?

Amazon API Gateway integration with AWS WAF is a great way to protect your APIs from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your APIs by defining customizable web security rules. You can use AWS WAF to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter specific traffic patterns, such as requests from specific IP addresses or referring websites.

Demo - Amazon API Gateway integration with AWS WAF by using AWS CDK

In this demo, we will create an API Gateway API with a single GET method that will return a JSON response. We will then create a WAF rule that will block requests from a specific IP address. We will then test the API and see that the request is blocked. We will then remove the WAF rule and test the API again to see that the request is allowed.

Create an API Gateway API

First, we will create an API Gateway API with a single GET method that will return a JSON response. We will use the AWS CDK to create the API Gateway API.

// lambda function
const testFn = new NodejsFunction(this, 'MyFunction', {
  entry: './function/index.ts',
  runtime: lambda.Runtime.NODEJS_18_X,
  handler: 'main',
  bundling: {
    externalModules: ['aws-sdk'],
    minify: true,
  },
})

// api gateway, this is just for testing
const api = new apigateway.LambdaRestApi(this, 'test-api', {
  handler: testFn,
  deployOptions: {
    stageName: 'test',
  },
})

Create a WAF ACL and WAF Rule

Next, we will create a WAF ACL and a WAF Rule allowing only requests from a specific location. We will use the AWS CDK to create the WAF ACL and WAF Rule.

const webACL = new wafv2.CfnWebACL(this, 'webACL', {
  name: 'webACL',
  description: 'This is WebACL for Auth APi Gateway',
  scope: 'REGIONAL', // or CLOUDFRONT for CloudFront
  defaultAction: { block: {} }, // default action is block all request
  visibilityConfig: {
    cloudWatchMetricsEnabled: true,
    metricName: 'webACL', // metric name for CloudWatch
    sampledRequestsEnabled: true,
  },

  rules: [
    {
      name: `demo-api-auth-gateway-geolocation-rule`,
      priority: 30,
      action: { allow: {} },
      visibilityConfig: {
        metricName: `demo-AuthAPIGeoLocation`,
        cloudWatchMetricsEnabled: true,
        sampledRequestsEnabled: false,
      },
      statement: {
        geoMatchStatement: {
          countryCodes: ['US', 'VN'], // allow US and VN IP. You can add more country codes
        },
      },
    },
  ],
})

This will create a WAF ACL with a single WAF Rule allowing only requests from a specific location(US and VN). We will then associate the WAF ACL with the API Gateway API.

// Web ACL Association
const webACLAssociation = new wafv2.CfnWebACLAssociation(this, 'webACLAssociation', {
  webAclArn: webACL.attrArn, // Web ACL ARN from above
  // For an Amazon API Gateway REST API: arn:aws:apigateway:region::/restapis/api-id/stages/stage-name
  resourceArn: Fn.join('', [
    'arn:aws:apigateway:', // service
    Stack.of(this).region, // region
    '::/restapis/', // resource type
    api.restApiId, // api id
    '/stages/', // resource type
    api.deploymentStage.stageName, // stage name
  ]),
})

// make sure api gateway is deployed before web ACL association
webACLAssociation.node.addDependency(api)

This will associate the WAF ACL with the API Gateway API. We will then test the API and see that the request is blocked. We will then remove the WAF rule and test the API again to see that the request is allowed.

The code for this demo is available on GitHub. You can deploy the demo by running the following commands.

git clone
cd apig-waf-cdk
yarn install
yarn deploy

Testing the API

After deploying the demo, we will test the API. We will use the following command to test the API.

curl -X GET https://<api-id>.execute-api.<region>.amazonaws.com/test

The response should be similar to the following.

{
  "message": "Hello from Lambda!"
}

Now, we will remove 'VN'(or your country code) from the WAF Rule and test the API again. We will use the following command to test the API.

curl -X GET https://<api-id>.execute-api.<region>.amazonaws.com/test

The response should be similar to the following.

{
  "message": "Forbidden"
}

The request is blocked because the request is from a location that is not allowed by the WAF Rule.

Conclusion

In this post, we have seen how to use Amazon API Gateway integration with AWS WAF by using AWS CDK. We have also seen how to test the API to see that the request is blocked.

The source code for this demo is available on GitHub.

That's all for now. Thanks for reading. If you have any questions or comments, please leave them below. I will try to answer them as soon as possible.

References


This content originally appeared on DEV Community 👩‍💻👨‍💻 and was authored by Binh Bui


Print Share Comment Cite Upload Translate Updates
APA

Binh Bui | Sciencx (2023-01-21T17:09:32+00:00) Amazon API Gateway integration with AWS WAF. Retrieved from https://www.scien.cx/2023/01/21/amazon-api-gateway-integration-with-aws-waf/

MLA
" » Amazon API Gateway integration with AWS WAF." Binh Bui | Sciencx - Saturday January 21, 2023, https://www.scien.cx/2023/01/21/amazon-api-gateway-integration-with-aws-waf/
HARVARD
Binh Bui | Sciencx Saturday January 21, 2023 » Amazon API Gateway integration with AWS WAF., viewed ,<https://www.scien.cx/2023/01/21/amazon-api-gateway-integration-with-aws-waf/>
VANCOUVER
Binh Bui | Sciencx - » Amazon API Gateway integration with AWS WAF. [Internet]. [Accessed ]. Available from: https://www.scien.cx/2023/01/21/amazon-api-gateway-integration-with-aws-waf/
CHICAGO
" » Amazon API Gateway integration with AWS WAF." Binh Bui | Sciencx - Accessed . https://www.scien.cx/2023/01/21/amazon-api-gateway-integration-with-aws-waf/
IEEE
" » Amazon API Gateway integration with AWS WAF." Binh Bui | Sciencx [Online]. Available: https://www.scien.cx/2023/01/21/amazon-api-gateway-integration-with-aws-waf/. [Accessed: ]
rf:citation
» Amazon API Gateway integration with AWS WAF | Binh Bui | Sciencx | https://www.scien.cx/2023/01/21/amazon-api-gateway-integration-with-aws-waf/ |

Please log in to upload a file.




There are no updates yet.
Click the Upload button above to add an update.

You must be logged in to translate posts. Please log in or register.