The document discusses how to configure API Gateway integrated with WAF. It provides steps to create an API Gateway, add resources and methods, configure a custom domain, integrate backend services, and deploy the API. It also describes what AWS WAF is and how it can prevent common web attacks by creating rules and policies to block certain IP addresses and traffic.

Uploaded by Pallavi Yadav


API Gateway Integrated with WAF

What Is AWS API Gateway?


Amazon Web Services API Gateway is a managed service for publishing, maintaining,
securing, and monitoring APIs at scale. You can use the AWS Management Console to
create a front door through which your applications reach business logic, functionality, or data
in the back end. The back end can be applications running on Amazon Elastic Container Service (ECS),
Elastic Compute Cloud (EC2), or Elastic Beanstalk, as well as web applications and code
running on Lambda.

First, understand the three API types that API Gateway offers: WebSocket, REST, and HTTP.

1. WebSocket APIs support two-way communication between client apps and your backend.
The backend can send callback messages to connected clients.
2. REST APIs are the basic type supported by API Gateway. This is a feature-rich solution for
creating serverless REST APIs.
3. HTTP APIs use the Hypertext Transfer Protocol as the communication protocol
between the two systems. HTTP APIs expose endpoints through API Gateway so that HTTP
requests can reach a server.

Step 1: Create a New API


1. Click the "Create API" button.
2. Click the "Build" button for the "REST API" option.

Step 2: Configure Your API


1. Enter a name for your API.
2. Leave the "Endpoint Type" as "Regional" unless you have specific requirements for using
a different endpoint type.
3. Click the "Create API" button.

Step 3: Create Resources and Methods
1. Under "Resources," click "Create" to create a resource. Resources are like folders for
your API.
2. Enter a resource name and path (e.g., "/items").
3. Click "Create Resource".
4. With the resource selected, click "Create Method".
5. Choose the HTTP method you want to use (e.g., GET, POST, PUT, DELETE).
6. Configure your method, including the integration type (e.g., Lambda function, HTTP
endpoint, etc.).
7. Save your changes.

Step 4: Configure Custom Domain


If you want to use a custom domain for your API (e.g., api.example.com), you can configure
this in API Gateway.

Step 5: Configure Integration & Deploy Your API
1. Configure the integration by specifying the target resource or service.
2. In the API Gateway navigation pane, select your API.
3. Under "Stages," click "Create" to create a new stage (e.g., "prod" or "test").
4. Deploy your API to the stage.

What Is AWS WAF?


AWS Web Application Firewall (WAF) is a security service that helps you protect your
application against web attacks. WAF monitors and controls unusual bot traffic and blocks
common attack patterns such as SQL injection and cross-site scripting. It also lets you
monitor the HTTP and HTTPS requests that are forwarded to an Amazon API Gateway API,
Amazon CloudFront, or an Application Load Balancer.
1. Amazon WAF lets you control access to your content based on the IP address from which the
request originates.
2. Three things make Amazon WAF work: web access control lists (web ACLs), rules, and rule
groups.
3. Amazon WAF manages web ACL capacity units (WCUs) for rules, rule groups, and web
ACLs.
4. Amazon WAF includes a full-featured API that you can use to automate the creation,
deployment, and maintenance of security rules.

Common Web Attacks
WAF security can prevent many attacks, including:
1. Cross-site Scripting (XSS) — Attackers inject client-side scripts into web pages viewed by
other users.
2. SQL injection — Malicious code is inserted or injected into a web entry field, allowing
attackers to compromise the application and underlying systems.
3. Cookie poisoning — Modification of a cookie to gain unauthorized information about the
user for purposes such as identity theft.
4. Layer 7 DoS — An HTTP flood attack that utilizes valid requests in typical URL data
retrievals.
5. Web scraping — Data scraping used for extracting data from websites.

How It Works – AWS Web Application Firewall protects applications from malicious
attacks. The components involved in running WAF on AWS are listed below.
1. AWS Firewall Manager: manages multiple AWS Web Application Firewall deployments.
2. AWS WAF: protects deployed applications from common web exploits.
3. Create a policy: build your own rules using the visual rule builder.
4. Block filter: block filters protect against exploits and vulnerability attacks.
5. Monitor: use Amazon CloudWatch for incoming traffic metrics and Amazon Kinesis Data
Firehose for request details, then tune rules based on the metrics and log data.
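One way to use the Kinesis Data Firehose request logs for the tuning step above, as an added example that is not part of the original document: parse newline-delimited AWS WAF log records, count what each rule blocked, and list which clients were blocked most often. The log records are constructed samples in the shape WAF writes (the web ACL ARN is a placeholder), and one deliberately truncated line shows the parser skipping a bad delivery instead of failing.

```python
import json
from collections import Counter
from typing import Dict, List, Set, Tuple

WEB_ACL_ARN = "arn:aws:wafv2:ap-southeast-1:123456789012:regional/webacl/new_web_acl/EXAMPLE-ID"


def _record(client_ip: str, uri: str, action: str, rule_id: str) -> str:
    """One constructed log record in the shape AWS WAF delivers (one JSON object per line)."""
    return json.dumps({
        "timestamp": 1700000000000, "webaclId": WEB_ACL_ARN, "action": action,
        "terminatingRuleId": rule_id, "httpSourceName": "APIGW",
        "httpRequest": {"clientIp": client_ip, "uri": uri, "httpMethod": "GET"},
    })


# Constructed sample: one trusted client allowed by the default action, two untrusted
# clients blocked by the Block-Other-IPs rule, plus a truncated line from a bad delivery.
SAMPLE_LOG = "\n".join([
    _record("203.0.113.10", "/items", "ALLOW", "Default_Action"),
    _record("198.51.100.7", "/items", "BLOCK", "Block-Other-IPs"),
    _record("198.51.100.7", "/items/1", "BLOCK", "Block-Other-IPs"),
    _record("192.0.2.9", "/items", "BLOCK", "Block-Other-IPs"),
    _record("203.0.113.10", "/items/2", "ALLOW", "Default_Action"),
    _record("198.51.100.7", "/admin", "BLOCK", "Block-Other-IPs"),
    '{"timestamp":1700000001000,"webaclId":"arn:aws:wafv2',  # truncated record
])


def parse_waf_log(text: str) -> List[Dict]:
    """Parse newline-delimited WAF log records, skipping blank or unparseable lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # partial delivery; count nothing rather than guess
    return records


def blocks_per_rule(records: List[Dict]) -> Dict[str, int]:
    """How many requests each rule terminated with BLOCK (what to tune first)."""
    return dict(Counter(r["terminatingRuleId"] for r in records if r.get("action") == "BLOCK"))


def top_blocked_clients(records: List[Dict], n: int = 3) -> List[Tuple[str, int]]:
    """Client IPs most often blocked; repeat offenders on a deny-by-default ACL."""
    hits = Counter(r["httpRequest"]["clientIp"] for r in records if r.get("action") == "BLOCK")
    return hits.most_common(n)


def allowed_clients(records: List[Dict]) -> Set[str]:
    """IPs that reached the API; these should all be members of the trusted IP set."""
    return {r["httpRequest"]["clientIp"] for r in records if r.get("action") == "ALLOW"}
```

If allowed_clients returns an address that is not in your IP set, the rule or the association is not in effect and needs checking before any further tuning.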

Benefits of WAF –
1. Protection Against Common Web Attacks
2. Real-time Monitoring and Logging
3. Custom Rules and Policies
4. Bot Mitigation
5. Scalability
6. Web Application Performance Improvement
7. Reduced False Positives
8. Flexibility
Getting Started With AWS WAF
AWS WAF monitors all incoming and outgoing web requests that are forwarded to API
Gateway, Amazon CloudFront, and Application Load Balancer. The following steps show how to get started
with WAF and create a web ACL.

How do I allow my IP address while blocking other IP addresses using AWS WAF?

First, create an IP set:


1. Open the AWS WAF console.
2. In the navigation pane, choose IP sets, and then choose Create IP set.
3. Enter a name for the IP set and, optionally, a description. For
example: MyTrustedIPs.
4. For Region, choose the AWS Region where you want to store the IP set.
5. For IP version, choose the version that you want to use.
6. Review the settings for the IP set. If the IP set matches your specifications,
choose Create IP set.

Then, create a web ACL:


1. First, sign up for an AWS account, then go to the AWS Console and search for Web
Application Firewall. You will land on the WAF home page; choose Create web
ACL.

2. Give a Name: Type the name you want to use to identify this web ACL. After that,
enter Description if you want (optional) and then hit Next. For example: new_web_acl

Now open the Add AWS resources form.
Select Amazon API Gateway, select the checkbox next to your API, and choose Add.

3. Add an AWS Managed Rules rule group: In the next step, you add rules
and rule groups. Click Add my own rules and rule groups.

4. For Name, enter a name to identify this rule. For example: Block-Other-IPs.
5. For Type, choose Regular rule.
6. For If a request, choose doesn't match the statement (NOT).
7. On Statement, for Inspect, choose Originates from IP address in.
8. For IP Set, choose the IP Set you created earlier. For example: MyTrustedIPs.
9. For IP address to use as the originating address, choose Source IP address.

10. For Action, choose Block.
11. Choose Add rule.
12. Choose Save.

How To Check API Gateway Integrated with WAF?


1. Open the Stages page of the API you want to protect and click the Settings tab.
A Web Application Firewall (WAF) section appears; choose the web ACL
(AWS WAF) you want to apply and save the changes.
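The IP set, the Block-Other-IPs rule (steps 4 to 12 of the web ACL procedure above) and the stage association from the Settings step just described, expressed as AWS WAF v2 API calls, as an added example that is not part of the original document. It assumes boto3 with credentials for the target Region, that the IP set is filled with CIDR blocks such as 203.0.113.10/32 (a constructed value), and that the API id and stage name come from the caller; the builder functions run without any AWS access.

```python
from typing import Any, Dict, List

SCOPE = "REGIONAL"  # API Gateway REST API stages are regional resources in WAF v2


def ip_set_params(name: str, cidrs: List[str], version: str = "IPV4") -> Dict[str, Any]:
    """create_ip_set parameters; Addresses must be CIDR blocks (a /32 for a single host)."""
    return {"Name": name, "Scope": SCOPE, "IPAddressVersion": version, "Addresses": cidrs}


def block_other_ips_rule(ip_set_arn: str, name: str = "Block-Other-IPs") -> Dict[str, Any]:
    """Regular rule: block when the source IP does NOT originate from the IP set."""
    return {
        "Name": name,
        "Priority": 0,
        # "doesn't match the statement (NOT)" wrapped around "Originates from IP address in"
        "Statement": {"NotStatement": {"Statement": {
            "IPSetReferenceStatement": {"ARN": ip_set_arn}}}},
        "Action": {"Block": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": name},
    }


def web_acl_params(name: str, rules: List[Dict[str, Any]]) -> Dict[str, Any]:
    """create_web_acl parameters; the default action stays Allow so only the rule blocks."""
    return {
        "Name": name, "Scope": SCOPE, "DefaultAction": {"Allow": {}}, "Rules": rules,
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": name},
    }


def api_stage_arn(region: str, api_id: str, stage: str) -> str:
    """Resource ARN form that associate_web_acl expects for a REST API stage."""
    return f"arn:aws:apigateway:{region}::/restapis/{api_id}/stages/{stage}"


def protect_stage(region: str, api_id: str, stage: str, trusted_cidrs: List[str]) -> str:
    """Create the IP set and web ACL, attach the ACL to the stage, return the ACL ARN."""
    import boto3  # imported here so the builders above work without AWS access

    wafv2 = boto3.client("wafv2", region_name=region)
    ip_set = wafv2.create_ip_set(**ip_set_params("MyTrustedIPs", trusted_cidrs))
    rule = block_other_ips_rule(ip_set["Summary"]["ARN"])
    acl = wafv2.create_web_acl(**web_acl_params("new_web_acl", [rule]))
    wafv2.associate_web_acl(WebACLArn=acl["Summary"]["ARN"],
                            ResourceArn=api_stage_arn(region, api_id, stage))
    return acl["Summary"]["ARN"]
```

Calling protect_stage(region, api_id, stage, cidrs) performs the three AWS calls; the builder functions can be reviewed or unit-tested before anything is created in the account.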

How You Can Test Your API Gateway With WAF Protection:
To test WAF rules and configuration with an Amazon API Gateway REST API, you would
typically follow these steps:
1. Open a browser such as Google Chrome.
2. Copy the DNS name shown under Description and paste it into the browser's address bar.
3. Example: myALB-212104715.ap-southeast-1.elb.amazonaws.com
