AWS API Gateway with AWS WAF

8
votes

I want to use AWS Web Application Firewall service with AWS API Gateway. AWS WAF works only with AWS CloudFront distributions.

According to this post https://forums.aws.amazon.com/message.jspa?messageID=677382 API Gateway creates a CloudFront distribution behind the scenes. Although I don't see this distribution neither in the CloudFront console nor in the WAF console.

Is there any way to make use of the CloudFront distribution created by API Gateway for WAF?

3
amazon-web-servicesamazon-cloudfrontaws-api-gateway
You could put a cloudfront distro in front of your API Gateway and apply your WAF rules there: codeengine.com/articles/process-form-aws-api-gateway-lambdaDave Maple

3 Answers

3
votes

Unfortunately no, API Gateway does not provide access to the backing CloudFront distribution. To use WAF you would have to create a second distribution, which is inefficient but should functionally work.

1
votes

Alright guys, i had a similar issue, what is best you can do at this stage is ,

have api gateway terminate the SSL - make a call from api gateway to your alb , elb or nlb (is the best , if it fits your architecture) - have alb protected by the WAF with two ruleset 1. white list all the api gateways ip 2. have the http header accepted by api gateway only

this way you are securing your infra to its best.

if you have nlb, then you can have the private link to NLB straight, keep in mind NLB doesnt support path based routing, and cross zone application failover

I have asked AWS to raise a feature request for the same