This rule ensures that the API Gateway stage is associated with a WAF for enhanced security.

| Field | Value |
| --- | --- |
| Rule | API Gateway stage should be associated with WAF |
| Framework | FedRAMP Low Revision 4 |
| Severity | ✔ Medium |
Rule Description
The API Gateway stage should be associated with a Web Application Firewall (WAF) for FedRAMP Low Revision 4 compliance. This ensures that the API Gateway is protected against common web vulnerabilities and unauthorized access attempts.
Troubleshooting Steps
If the API Gateway stage is not associated with WAF for FedRAMP Low Revision 4 compliance, follow these troubleshooting steps:
1. Verify WAF Configuration: Check that the WAF is properly configured and associated with the API Gateway stage. Ensure that the WAF ruleset is aligned with the security requirements of FedRAMP Low Revision 4.
2. Review AWS WAF Settings: Confirm that the AWS WAF settings for the API Gateway stage are configured correctly. Validate that the necessary rules and conditions are in place to address common web vulnerabilities and unauthorized access attempts.
3. Check WAF Logs: Review the logs generated by the WAF to identify potential security threats or anomalies. Analyze the logs to determine whether any malicious traffic is bypassing the WAF or whether additional rules need to be added.
4. Monitor API Gateway Metrics: Use Amazon CloudWatch or another monitoring service to track API Gateway metrics regularly. Look for unusual or unexpected spikes in traffic or security-related events that may indicate a potential security breach.
5. Perform Security Testing: Conduct regular security testing on the API Gateway stage to identify and mitigate vulnerabilities. Use tools like OWASP ZAP or Burp Suite to simulate attacks and identify potential weaknesses.
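The first troubleshooting step (verifying that each stage actually has a web ACL attached) can be automated. The following audit script is an added example, not part of the original rule page or any scanner product: it uses the real boto3 call names (`apigateway.get_rest_apis`, `apigateway.get_stages`, `wafv2.get_web_acl_for_resource`) but takes the clients as parameters, and the `_Stub*` classes and the `abc123` / `111122223333` values are constructed stand-ins so it runs offline. Note that only REST API stages can be associated with AWS WAF; HTTP APIs are not supported.

```python
from dataclasses import dataclass
from typing import Iterator, List, Optional

@dataclass
class StageFinding:
    resource_arn: str
    web_acl_arn: Optional[str]  # None means no web ACL is associated

    @property
    def compliant(self) -> bool:
        return self.web_acl_arn is not None

def stage_arn(region: str, api_id: str, stage_name: str) -> str:
    # Resource ARN form that wafv2 associate_web_acl / get_web_acl_for_resource expect
    return f"arn:aws:apigateway:{region}::/restapis/{api_id}/stages/{stage_name}"

def iter_rest_apis(apigw) -> Iterator[dict]:
    """Walk apigateway.get_rest_apis, following the 'position' pagination token."""
    kwargs = {}
    while True:
        page = apigw.get_rest_apis(**kwargs)
        yield from page.get("items", [])
        if "position" not in page:
            return
        kwargs = {"position": page["position"]}

def audit_stages(apigw, wafv2, region: str) -> List[StageFinding]:
    """Return one finding per REST API stage in the region."""
    findings = []
    for api in iter_rest_apis(apigw):
        for stage in apigw.get_stages(restApiId=api["id"])["item"]:
            arn = stage_arn(region, api["id"], stage["stageName"])
            # With no association the response simply lacks the "WebACL" key.
            acl = wafv2.get_web_acl_for_resource(ResourceArn=arn).get("WebACL")
            findings.append(StageFinding(arn, acl["ARN"] if acl else None))
    return findings

class _StubApigw:  # constructed stand-in so the example runs offline
    def get_rest_apis(self, **kwargs):
        return {"items": [{"id": "abc123", "name": "orders-api"}]}
    def get_stages(self, restApiId):
        return {"item": [{"stageName": "prod"}, {"stageName": "dev"}]}

class _StubWafv2:  # constructed: only the prod stage has a web ACL attached
    def get_web_acl_for_resource(self, ResourceArn):
        if ResourceArn.endswith("/stages/prod"):
            return {"WebACL": {"ARN": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/example/id"}}
        return {}
```

Against a real account, pass `boto3.client("apigateway", region_name=r)` and `boto3.client("wafv2", region_name=r)` instead of the stubs; a non-compliant stage is fixed with `wafv2.associate_web_acl(WebACLArn=..., ResourceArn=...)` using the same stage ARN.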
Necessary Codes
No specific code snippets are required for this rule.
Step-by-Step Guide for Remediation
Follow these steps to remediate the API Gateway stage and associate it with WAF for FedRAMP Low Revision 4 compliance:
Note: It is recommended to consult the AWS WAF documentation and to work with a qualified security professional to ensure proper configuration and compliance with the specific regulatory requirements.