chalice icon indicating copy to clipboard operation
chalice copied to clipboard

Published 20 hours ago verified publisher icon aws

Add config option to attach a WAF ACL to API Gateway stage(s)

Open jrbeilke opened this issue 3 years ago • 3 comments

In order to meet the AWS Foundational Security Best Practices we need to have a WAF ACL on our API Gateway stages, but Chalice does not currently support this AFAICT.

https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-apigateway-4

[APIGateway.4] API Gateway should be associated with an AWS WAF web ACL
Category: Protect > Protective services

Severity: Medium

Resource type: AWS::ApiGateway::Stage

AWS Configrule: api_gw_associated_with_waf

Parameters: None

This control checks whether an API Gateway stage uses an AWS WAF web access control list (ACL). This control fails if an AWS WAF web ACL is not attached to a REST API Gateway stage.

Perhaps a new config value could be added (ie. waf_acl_id) which could be used to associate a WAF ACL with the API Gateway stage(s) in Chalice.

jrbeilke avatar Oct 11 '21 16:10 jrbeilke

Took a shot at trying to implement a new waf_acl_arn config option, but ran into some complications in trying to handle the different Chalice deployment methods and lack of support in Cloudformation and SAM for accessing the ARN of an API Gateway Stage. ie. https://github.com/aws/serverless-application-model/issues/792

This may need to wait for Chalice v2 deployer (ie. #1833) or later once Cloudformation and SAM have better support for WAF ACLs with API Gateway Stages

In the meantime I opened up a separate issue (#1838) to expose the ARN of the API Gateway Stage when using Terraform, which would allow us to implement a workaround for now until Chalice is able to handle WAF ACL associations with API Gateway Stages.

jrbeilke avatar Nov 16 '21 21:11 jrbeilke

Came up with a workaround for now wrapping the chalice.tf.json with some additional Terraform that can reference the APIGW resources from Chalice ie.

resource "aws_wafv2_web_acl_association" "api" {
  resource_arn = "${aws_api_gateway_rest_api.rest_api.arn}/stages/${aws_api_gateway_deployment.rest_api.stage_name}"
  web_acl_arn  = aws_wafv2_web_acl.common.arn
}

jrbeilke avatar Jan 13 '22 15:01 jrbeilke

WAF support on the API Gateway stage would be needed to pass a Well Architected review.

BigDataDaddy avatar Apr 07 '22 21:04 BigDataDaddy