For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-api-gateway-without-waf.md. A documentation index is available at /llms.txt.

API Gateway without WAF

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-api-gateway-without-waf

Provider: AWS

Platform: CloudFormation

Severity: Medium

Category: Networking and Firewall

Learn More

Description

API Gateway stages must be protected by a web application firewall (WAF) to block common application-layer attacks such as SQL injection and cross-site scripting, and to reduce the risk of malicious or abusive traffic causing data exposure or service disruption.

Verify that each AWS::ApiGateway::Stage resource (its StageName) has a corresponding AWS::WAFv2::WebACLAssociation resource. The association must set Properties.ResourceArn to the API Gateway stage ARN (format: arn:aws:apigateway:{region}::/restapis/{restapi-id}/stages/{stageName}) and must reference a valid WAF via Properties.WebACLArn. Resources missing the AWS::WAFv2::WebACLAssociation, or whose ResourceArn does not reference the stage’s StageName, will be flagged.

Secure CloudFormation example:

MyWebACL:
  Type: AWS::WAFv2::WebACL
  Properties:
    Name: my-webacl
    Scope: REGIONAL
    DefaultAction:
      Allow: {}

MyApi:
  Type: AWS::ApiGateway::RestApi
  Properties:
    Name: my-api

MyStage:
  Type: AWS::ApiGateway::Stage
  Properties:
    StageName: prod
    RestApiId: !Ref MyApi

MyWebACLAssociation:
  Type: AWS::WAFv2::WebACLAssociation
  Properties:
    ResourceArn: !Sub "arn:aws:apigateway:${AWS::Region}::/restapis/${MyApi}/stages/prod"
    WebACLArn: !Ref MyWebACL

Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: "BatchJobDefinition"
Resources:
  Production:
    Type: AWS::ApiGateway::Stage
    Properties:
      StageName: Production
      Description: Prod Stage
      RestApiId: !Ref MyRestApi
      DeploymentId: !Ref TestDeployment
      DocumentationVersion: !Ref MyDocumentationVersion
      ClientCertificateId: !Ref ClientCertificate
      Variables:
        Stack: Production
      MethodSettings:
        - ResourcePath: /
          HttpMethod: GET
          MetricsEnabled: 'true'
          DataTraceEnabled: 'false'
        - ResourcePath: /stack
          HttpMethod: POST
          MetricsEnabled: 'true'
          DataTraceEnabled: 'false'
          ThrottlingBurstLimit: '999'
        - ResourcePath: /stack
          HttpMethod: GET
          MetricsEnabled: 'true'
          DataTraceEnabled: 'false'
          ThrottlingBurstLimit: '555'
  SampleWebACLAssociation:
    Type: 'AWS::WAFv2::WebACLAssociation'
    Properties:
      WebACLArn: ExampleARNForWebACL
      ResourceArn: arn:aws:apigateway:region::/restapis/api-id/stages/Production

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "Production": {
      "Properties": {
        "ClientCertificateId": "ClientCertificate",
        "DeploymentId": "TestDeployment",
        "Description": "Prod Stage",
        "DocumentationVersion": "MyDocumentationVersion",
        "MethodSettings": [
          {
            "DataTraceEnabled": "false",
            "HttpMethod": "GET",
            "MetricsEnabled": "true",
            "ResourcePath": "/"
          },
          {
            "DataTraceEnabled": "false",
            "HttpMethod": "POST",
            "MetricsEnabled": "true",
            "ResourcePath": "/stack",
            "ThrottlingBurstLimit": "999"
          },
          {
            "DataTraceEnabled": "false",
            "HttpMethod": "GET",
            "MetricsEnabled": "true",
            "ResourcePath": "/stack",
            "ThrottlingBurstLimit": "555"
          }
        ],
        "RestApiId": "MyRestApi",
        "StageName": "Production",
        "Variables": {
          "Stack": "Production"
        }
      },
      "Type": "AWS::ApiGateway::Stage"
    },
    "SampleWebACLAssociation": {
      "Properties": {
        "ResourceArn": "arn:aws:apigateway:region::/restapis/api-id/stages/Production",
        "WebACLArn": "ExampleARNForWebACL"
      },
      "Type": "AWS::WAFv2::WebACLAssociation"
    }
  }
}

Non-Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: "BatchJobDefinition"
Resources:
  Prod:
    Type: AWS::ApiGateway::Stage
    Properties:
      StageName: Prod
      Description: Prod Stage
      RestApiId: !Ref MyRestApi
      DeploymentId: !Ref TestDeployment
      DocumentationVersion: !Ref MyDocumentationVersion
      ClientCertificateId: !Ref ClientCertificate
      Variables:
        Stack: Prod
      MethodSettings:
        - ResourcePath: /
          HttpMethod: GET
          MetricsEnabled: 'true'
          DataTraceEnabled: 'false'
        - ResourcePath: /stack
          HttpMethod: POST
          MetricsEnabled: 'true'
          DataTraceEnabled: 'false'
          ThrottlingBurstLimit: '999'
        - ResourcePath: /stack
          HttpMethod: GET
          MetricsEnabled: 'true'
          DataTraceEnabled: 'false'
          ThrottlingBurstLimit: '555'
  SampleWebACLAssociation:
    Type: 'AWS::WAFv2::WebACLAssociation'
    Properties:
      WebACLArn: ExampleARNForWebACL
      ResourceArn: arn:aws:apigateway:region::/restapis/api-id/stages/stage

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "Prod": {
      "Properties": {
        "ClientCertificateId": "ClientCertificate",
        "DeploymentId": "TestDeployment",
        "Description": "Prod Stage",
        "DocumentationVersion": "MyDocumentationVersion",
        "MethodSettings": [
          {
            "DataTraceEnabled": "false",
            "HttpMethod": "GET",
            "MetricsEnabled": "true",
            "ResourcePath": "/"
          },
          {
            "DataTraceEnabled": "false",
            "HttpMethod": "POST",
            "MetricsEnabled": "true",
            "ResourcePath": "/stack",
            "ThrottlingBurstLimit": "999"
          },
          {
            "DataTraceEnabled": "false",
            "HttpMethod": "GET",
            "MetricsEnabled": "true",
            "ResourcePath": "/stack",
            "ThrottlingBurstLimit": "555"
          }
        ],
        "RestApiId": "MyRestApi",
        "StageName": "Prod",
        "Variables": {
          "Stack": "Prod"
        }
      },
      "Type": "AWS::ApiGateway::Stage"
    },
    "SampleWebACLAssociation": {
      "Properties": {
        "ResourceArn": "arn:aws:apigateway:region::/restapis/api-id/stages/stage",
        "WebACLArn": "ExampleARNForWebACL"
      },
      "Type": "AWS::WAFv2::WebACLAssociation"
    }
  }
}