
Add config option to attach a WAF ACL to API Gateway stage(s) #1816

Open
jrbeilke opened this issue Oct 11, 2021 · 3 comments

Comments

@jrbeilke (Contributor)

In order to meet the AWS Foundational Security Best Practices we need to have a WAF ACL on our API Gateway stages, but Chalice does not currently support this AFAICT.

https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-apigateway-4

[APIGateway.4] API Gateway should be associated with an AWS WAF web ACL
Category: Protect > Protective services

Severity: Medium

Resource type: AWS::ApiGateway::Stage

AWS Config rule: api_gw_associated_with_waf

Parameters: None

This control checks whether an API Gateway stage uses an AWS WAF web access control list (ACL). This control fails if an AWS WAF web ACL is not attached to a REST API Gateway stage.

Perhaps a new config value could be added (i.e. waf_acl_id) which could be used to associate a WAF ACL with the API Gateway stage(s) in Chalice.

@jrbeilke (Contributor, Author)

Took a shot at trying to implement a new waf_acl_arn config option, but ran into some complications in trying to handle the different Chalice deployment methods and the lack of support in CloudFormation and SAM for accessing the ARN of an API Gateway Stage, i.e. aws/serverless-application-model#792.

This may need to wait for the Chalice v2 deployer (i.e. #1833) or later, once CloudFormation and SAM have better support for WAF ACLs with API Gateway Stages.

In the meantime I opened up a separate issue (#1838) to expose the ARN of the API Gateway Stage when using Terraform, which would allow us to implement a workaround for now until Chalice is able to handle WAF ACL associations with API Gateway Stages.

@jrbeilke (Contributor, Author)

Came up with a workaround for now, wrapping the chalice.tf.json with some additional Terraform that can reference the APIGW resources from Chalice, i.e.:

```hcl
# Associate an existing WAFv2 web ACL with the stage that Chalice deploys.
# The stage ARN is built from the REST API ARN plus "/stages/<stage_name>",
# since the Chalice-generated template does not expose the stage ARN directly.
resource "aws_wafv2_web_acl_association" "api" {
  resource_arn = "${aws_api_gateway_rest_api.rest_api.arn}/stages/${aws_api_gateway_deployment.rest_api.stage_name}"
  web_acl_arn  = aws_wafv2_web_acl.common.arn
}
```
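
The snippet above references an `aws_wafv2_web_acl.common` that the comment does not define. The following is an added example, not code from the issue author or the Chalice project, showing one way to define that web ACL so the association satisfies the APIGateway.4 control; the ACL name, metric names and the choice of the AWS managed Common Rule Set are assumptions.

```hcl
# Added example: a REGIONAL WAFv2 web ACL for an API Gateway REST stage.
# API Gateway REST APIs require scope = "REGIONAL" (CLOUDFRONT scope cannot
# be associated with a stage). The rule, ACL and metric names are assumed.
resource "aws_wafv2_web_acl" "common" {
  name  = "api-common-acl"
  scope = "REGIONAL"

  # Requests that match no blocking rule are allowed through to the API.
  default_action {
    allow {}
  }

  # AWS-managed baseline rule group (assumed choice); override_action "none"
  # keeps the rule group's own block/count actions.
  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 1

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "api-common-rule-set"
      sampled_requests_enabled   = true
    }
  }

  # ACL-level metrics and sampled requests feed WAF logging and detection.
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "api-common-acl"
    sampled_requests_enabled   = true
  }
}

# Same association as the workaround above, binding the ACL to the Chalice stage.
resource "aws_wafv2_web_acl_association" "api" {
  resource_arn = "${aws_api_gateway_rest_api.rest_api.arn}/stages/${aws_api_gateway_deployment.rest_api.stage_name}"
  web_acl_arn  = aws_wafv2_web_acl.common.arn
}
```

After `terraform apply`, the Security Hub control passes once the association exists on the stage; the `aws_wafv2_web_acl_association` resource depends on the REST API and deployment, so it must live in the same root module as the wrapped chalice.tf.json.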

@BigDataDaddy

WAF support on the API Gateway stage would be needed to pass a Well Architected review.

hannes-ucsc added a commit to DataBiosphere/azul that referenced this issue Feb 9, 2023
#2992 made the stage an explicit resource, so that we can now refer to its `.arn` attribute.