
How to Find AWS API Gateways Without WAF ACLs

Access control lists (ACLs) reduce the attack surface and minimize the risk of service abuse for internet-reachable services.

info

This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity medium.

Prerequisites

This guide assumes that you have already installed and configured Fix Inventory to collect your AWS resources.

Directions

  1. Execute the following search command in Fix Inventory Shell:

    > search is(aws_apigateway_stage) and stage_web_acl_arn==null
    kind=aws_apigateway_stage, ..., region=fixinventory-poweruser
    kind=aws_apigateway_stage, ..., account=poweruser-team
  2. Pipe the search command into the dump command:

    > search is(aws_apigateway_stage) and stage_web_acl_arn==null | dump
    reported:
     id: /aws/apigateway/123
     name: some-name
     ctime: '2022-12-05T22:53:14Z'
     kind: aws_apigateway_stage
     age: 2mo28d

    The command output will list the details of all non-compliant aws_apigateway_stage resources.
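The same check, run outside Fix Inventory, as an added example (not code from the Fix Inventory project or the AWS documentation): it applies the search's criterion, a stage whose web ACL ARN is null, to stage records in the shape API Gateway returns from GetStages, and builds the stage ARN that a WAF association needs for the remediation step. The sample stage records are constructed; the optional `collect_rest_stages` helper uses boto3 and only runs with AWS credentials, which is an assumption, not something the page describes.

```python
"""Find API Gateway REST stages with no WAF web ACL attached (added example).

Assumptions (labelled): stage records look like the `Stage` objects returned by
the API Gateway GetStages call (`stageName`, optional `webAclArn`), plus the
`restApiId` they belong to. The boto3 collector is optional and needs credentials.
"""
from __future__ import annotations

from typing import Iterable


def stage_resource_arn(region: str, rest_api_id: str, stage_name: str) -> str:
    """ARN form that WAFv2 AssociateWebACL expects for a REST API stage."""
    return f"arn:aws:apigateway:{region}::/restapis/{rest_api_id}/stages/{stage_name}"


def find_stages_without_waf(stages: Iterable[dict]) -> list[dict]:
    """Return the stage records whose webAclArn is missing or empty.

    This mirrors `stage_web_acl_arn==null` in the Fix Inventory search.
    """
    return [s for s in stages if not s.get("webAclArn")]


def unprotected_stage_arns(region: str, stages: Iterable[dict]) -> list[str]:
    """Stage ARNs a remediation job would pass to WAFv2 AssociateWebACL."""
    return [
        stage_resource_arn(region, s["restApiId"], s["stageName"])
        for s in find_stages_without_waf(stages)
    ]


def collect_rest_stages(region: str) -> list[dict]:
    """Fetch every REST API stage in one region via boto3 (requires credentials).

    Each stage record is annotated with its restApiId so the ARN can be built.
    """
    import boto3  # imported lazily so the offline part of the example has no dependency

    client = boto3.client("apigateway", region_name=region)
    stages: list[dict] = []
    for page in client.get_paginator("get_rest_apis").paginate():
        for api in page.get("items", []):
            for stage in client.get_stages(restApiId=api["id"])["item"]:
                stages.append(dict(stage, restApiId=api["id"]))
    return stages


# Constructed sample records (not real AWS output): one stage has no webAclArn
# key at all, one has an empty value, one is associated with a web ACL.
SAMPLE_STAGES = [
    {"restApiId": "abc123", "stageName": "prod"},
    {"restApiId": "abc123", "stageName": "dev", "webAclArn": ""},
    {
        "restApiId": "def456",
        "stageName": "prod",
        "webAclArn": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/example/00000000-0000-0000-0000-000000000000",
    },
]


if __name__ == "__main__":
    for arn in unprotected_stage_arns("us-east-1", SAMPLE_STAGES):
        print("no web ACL:", arn)
```

Replace `SAMPLE_STAGES` with `collect_rest_stages("us-east-1")` to run it against a real account; the empty-string case matters because a stage whose ACL was detached can report an empty `webAclArn` rather than omitting the key.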

Remediation

Use AWS WAF to protect your API Gateway API from common web exploits. SQL injection and cross-site scripting (XSS) attacks can affect API availability and performance, compromise security, or consume excessive resources.

note

Please refer to the AWS API Gateway documentation for details.

Further Reading