Rule: API Gateway Stage Should Be Associated with WAF

This rule ensures that API Gateway stage is associated with a Web Application Firewall (WAF) for enhanced security.

Rule: API Gateway stage should be associated with WAF
Framework: RBI Cyber Security Framework
Severity: Medium

Rule/Policy: API Gateway stage should be associated with WAF for RBI Cyber Security Framework

Description:

According to the RBI (Reserve Bank of India) Cyber Security Framework, it is recommended to associate the API Gateway stage with a Web Application Firewall (WAF) for enhanced security.

The purpose of this rule is to ensure that the API Gateway stages have the necessary protection against common web security threats, such as SQL injection, cross-site scripting, and other malicious attacks, in line with the RBI's security guidelines.

Troubleshooting Steps:

If you encounter any issues while implementing this rule, follow the troubleshooting steps below:

  1. Verify WAF Configuration: Double-check the configuration of your WAF to ensure it is properly set up and functioning correctly.

  2. Check API Gateway Stage: Verify that the correct API Gateway stage is associated with the WAF.

  3. Test API Endpoint: Test one or more API endpoints associated with the stage to determine if the WAF is properly protecting against common web security threats.

  4. Monitor Logs: Regularly monitor the API Gateway and WAF logs for any security-related incidents or anomalies.

Necessary Codes:

If you are using a cloud service provider such as AWS, you can use commands like the following (AWS CLI, WAFv2 API) to associate the API Gateway stage with a WAF. Values in angle brackets are placeholders for your own region, account and resource IDs:

# 1. Create a regional web ACL (REGIONAL scope is what API Gateway REST stages use).
#    rules.json lists the rules, e.g. the AWS managed Common and SQLi rule groups;
#    the default action allows requests that no rule blocks.
aws wafv2 create-web-acl --name MyWebACL --scope REGIONAL --default-action Allow={} \
  --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=MyWebACLMetric \
  --rules file://rules.json

# 2. List the web ACLs and note the ARN of MyWebACL (needed for the association below)
aws wafv2 list-web-acls --scope REGIONAL

# 3. Associate the web ACL with the API Gateway stage. The resource is the stage ARN.
#    (An update-stage patch of /accessLogSettings only sets a log destination; it does not attach a WAF.)
aws wafv2 associate-web-acl \
  --web-acl-arn arn:aws:wafv2:<region>:<account-id>:regional/webacl/MyWebACL/<web-acl-id> \
  --resource-arn arn:aws:apigateway:<region>::/restapis/<rest-api-id>/stages/MyStage

Please note that the above commands are just an example for AWS; the exact commands vary depending on the cloud service provider and WAF solution you are using. On AWS, WAF Classic (the `waf-regional` API) has been superseded by WAFv2, so new associations should use `wafv2`.

Step-by-step Guide for Remediation:

To remediate the rule violation and associate the API Gateway stage with a WAF, follow the step-by-step guide below:

  1. Determine the appropriate WAF solution: Choose a WAF solution that aligns with the RBI Cyber Security Framework guidelines and fulfills your organization's security requirements.

  2. Provision the WAF: Set up and configure the chosen WAF solution in your environment following the vendor's documentation and best practices.

  3. Create and configure a web ACL: Use the chosen WAF solution to create a web ACL (web access control list) and configure it with appropriate security policies, rules, and conditions based on the RBI Cyber Security Framework guidelines.

  4. Associate the WAF with the API Gateway stage: Use the appropriate command or configuration method specific to your cloud service provider to associate the API Gateway stage with the created web ACL or WAF solution.

  5. Test the protection: Validate that the WAF is properly protecting the API Gateway stage against common web security threats by performing security testing and monitoring the WAF logs for any identified threats or vulnerabilities.

  6. Regularly review and update: Continuously monitor the effectiveness and performance of the associated WAF solution and update the security policies and rules, if required, keeping in context the RBI Cyber Security Framework guidelines.

By following this step-by-step guide, you can ensure the integration of WAF with API Gateway stages as per the RBI Cyber Security Framework recommendations, enhancing the security posture of your API infrastructure.
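As an added example (not the rule page's own code), the following Python check evaluates this rule the way troubleshooting step 2 and remediation step 4 ask you to verify it: `aws apigateway get-stage` returns a `webAclArn` field only when a web ACL is associated with that REST API stage, so each stage record is compliant exactly when that field holds a WAF ARN. The stage records, account number and IDs are constructed placeholders, and the region is an assumption.

```python
"""Check whether API Gateway REST stages are associated with a WAF web ACL.

`aws apigateway get-stage` returns a `webAclArn` field only when a web ACL is
associated with that stage; this check evaluates such responses. The stage
records below are constructed samples, not real accounts or resources.
"""
import json
from dataclasses import dataclass

REGION = "ap-south-1"  # assumed region of the REST APIs being checked

# Constructed sample `get-stage` responses, trimmed to the relevant fields.
SAMPLE_STAGE_JSON = """[
 {"restApiId": "a1b2c3d4e5", "stageName": "prod",
  "webAclArn": "arn:aws:wafv2:ap-south-1:111122223333:regional/webacl/MyWebACL/placeholder-id"},
 {"restApiId": "a1b2c3d4e5", "stageName": "dev"},
 {"restApiId": "f6g7h8i9j0", "stageName": "prod", "webAclArn": ""},
 {"restApiId": "f6g7h8i9j0", "stageName": "staging",
  "webAclArn": "arn:aws:waf-regional:ap-south-1:111122223333:webacl/placeholder-id"}
]"""

@dataclass
class Finding:
    stage_arn: str
    compliant: bool
    reason: str

def stage_arn(region: str, rest_api_id: str, stage_name: str) -> str:
    """The resource ARN that `aws wafv2 associate-web-acl --resource-arn` expects."""
    return f"arn:aws:apigateway:{region}::/restapis/{rest_api_id}/stages/{stage_name}"

def evaluate_stage(stage: dict, region: str = REGION) -> Finding:
    arn = stage_arn(region, stage["restApiId"], stage["stageName"])
    acl = stage.get("webAclArn") or ""          # missing or empty both mean "no WAF"
    parts = acl.split(":")
    if len(parts) < 6 or parts[0] != "arn" or not parts[2].startswith("waf"):
        return Finding(arn, False, "no web ACL associated with stage")
    if parts[2] == "waf-regional":               # AWS WAF Classic, superseded by WAFv2
        return Finding(arn, True, "WAF Classic web ACL associated; plan migration to WAFv2")
    return Finding(arn, True, "WAFv2 web ACL associated")

def evaluate(stage_json: str, region: str = REGION) -> list:
    """Evaluate a JSON array of get-stage responses; one Finding per stage."""
    return [evaluate_stage(s, region) for s in json.loads(stage_json)]

def noncompliant(stage_json: str, region: str = REGION) -> list:
    return [f for f in evaluate(stage_json, region) if not f.compliant]
```

In practice, feed `evaluate` the output of `aws apigateway get-stage --rest-api-id <id> --stage-name <name>` for every stage of every REST API in the region, and treat each non-compliant finding as a violation of this rule.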
