Ensure AWS WAF ACL is associated with AWS API Gateway Stage

LOW

Description

An AWS WAF web ACL should be associated with every AWS API Gateway stage so that requests are inspected by the ACL's rules (rate limiting, IP reputation, injection patterns) before they reach the backend. A stage with no web ACL exposes the API, and any service behind it, directly to the internet with no request filtering.

Remediation

In AWS Console -

  1. Sign in to the AWS Console and open the API Gateway console.
  2. In the APIs navigation pane, select the API, and then select Stages.
  3. Select a stage.
  4. In the Stage Editor pane, select the Settings tab.
  5. In the AWS WAF web ACL dropdown list, choose the Regional web ACL that you want to associate with this stage.
  6. Select Save Changes.

In Terraform -

  1. For each aws_api_gateway_stage, create an aws_wafregional_web_acl_association resource and set its resource_arn to the stage's ARN (the arn attribute of the aws_api_gateway_stage resource).
  2. Set the association's web_acl_id to the id of an aws_wafregional_web_acl resource; create that web ACL, and the rules it references, if one does not already exist. (For a WAFv2 web ACL with scope REGIONAL, the equivalent resource is aws_wafv2_web_acl_association with a web_acl_arn attribute.)
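
The following Terraform configuration is an added example, not code from the original page or from any project it references. It puts the console and Terraform steps above into one working piece: a minimal REST API with a single mocked GET method, a prod stage, a regional WAF Classic web ACL carrying one rate-based rule, and the association that binds the ACL to the stage. All names, the rate limit, and the MOCK integration are assumptions chosen for illustration.

```hcl
# Added example (not from the original page). Names, the 2000 req/5 min
# rate limit and the MOCK integration are illustrative assumptions.

resource "aws_api_gateway_rest_api" "api" {
  name = "example-api"
}

# API Gateway refuses to deploy a REST API with no methods, so define
# one resource with a mocked GET.
resource "aws_api_gateway_resource" "items" {
  rest_api_id = aws_api_gateway_rest_api.api.id
  parent_id   = aws_api_gateway_rest_api.api.root_resource_id
  path_part   = "items"
}

resource "aws_api_gateway_method" "get_items" {
  rest_api_id   = aws_api_gateway_rest_api.api.id
  resource_id   = aws_api_gateway_resource.items.id
  http_method   = "GET"
  authorization = "NONE"
}

resource "aws_api_gateway_integration" "get_items" {
  rest_api_id = aws_api_gateway_rest_api.api.id
  resource_id = aws_api_gateway_resource.items.id
  http_method = aws_api_gateway_method.get_items.http_method
  type        = "MOCK"
}

resource "aws_api_gateway_deployment" "api" {
  rest_api_id = aws_api_gateway_rest_api.api.id
  depends_on  = [aws_api_gateway_integration.get_items]
}

# The stage is the resource the web ACL is attached to; its arn attribute
# is what the association needs.
resource "aws_api_gateway_stage" "prod" {
  rest_api_id   = aws_api_gateway_rest_api.api.id
  deployment_id = aws_api_gateway_deployment.api.id
  stage_name    = "prod"
}

# WAF Classic (regional) rate-based rule: block a source IP that sends
# more than 2000 requests in any five-minute window.
resource "aws_wafregional_rate_based_rule" "throttle" {
  name        = "example-throttle"
  metric_name = "exampleThrottle"
  rate_key    = "IP"
  rate_limit  = 2000
}

# Regional web ACL: allow by default, block when the rate rule matches.
resource "aws_wafregional_web_acl" "api" {
  name        = "example-api-acl"
  metric_name = "exampleApiAcl"

  default_action {
    type = "ALLOW"
  }

  rule {
    priority = 1
    rule_id  = aws_wafregional_rate_based_rule.throttle.id
    type     = "RATE_BASED"

    action {
      type = "BLOCK"
    }
  }
}

# The control this policy checks for: one association per stage, linking
# the stage ARN (resource_arn) to the web ACL (web_acl_id).
resource "aws_wafregional_web_acl_association" "api" {
  resource_arn = aws_api_gateway_stage.prod.arn
  web_acl_id   = aws_wafregional_web_acl.api.id
}
```

After terraform apply, the association can be confirmed outside Terraform with the WAF Classic regional API: aws wafregional get-web-acl-for-resource --resource-arn <stage ARN> returns the attached WebACLSummary, and an empty response means the stage is still unprotected. Each additional stage (for example a dev or test stage of the same API) needs its own aws_wafregional_web_acl_association; attaching the ACL to one stage does not cover the others.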

References:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafregional_web_acl
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafregional_web_acl_association

Policy Details

Rule Reference ID: AC_AWS_0015
CSP: AWS
Remediation Available: No
Resource Category: Virtual Network
Resource Type: API Gateway

Frameworks