turbot/aws_compliance

Control: 4 API Gateway should be associated with an AWS WAF web ACL

Description

This control checks whether an API Gateway stage uses an AWS WAF web access control list (ACL). This control fails if an AWS WAF web ACL is not attached to a REST API Gateway stage.

AWS WAF is a web application firewall that helps protect web applications and APIs from attacks. It enables you to configure an ACL, which is a set of rules that allow, block, or count web requests based on customizable web security rules and conditions that you define. Ensure that your API Gateway stage is associated with an AWS WAF web ACL to help protect it from malicious attacks.
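The pass/fail logic described above, as an added Python example (not the mod's own query or code). It assumes input shaped like the API Gateway `get_stages` response (`item`, `stageName`, `webAclArn`); the function names, API ID, and ARNs in the sample are constructed for illustration.

```python
"""Offline version of the check: a REST API stage passes only if a WAF web ACL is attached."""


def stage_arn(region, rest_api_id, stage_name):
    # ARN format for a REST API stage; WAF associations reference the stage by this ARN.
    return f"arn:aws:apigateway:{region}::/restapis/{rest_api_id}/stages/{stage_name}"


def evaluate_stages(region, rest_api_id, get_stages_response):
    """Return one result per stage: 'ok' if webAclArn is set, otherwise 'alarm'."""
    results = []
    for stage in get_stages_response.get("item", []):
        name = stage["stageName"]
        acl = stage.get("webAclArn")  # missing or empty when no web ACL is associated
        results.append({
            "resource": stage_arn(region, rest_api_id, name),
            "status": "ok" if acl else "alarm",
            "reason": (f"{name} associated with web ACL {acl}." if acl
                       else f"{name} not associated with a WAF web ACL."),
        })
    return results


# Constructed sample, shaped like an apigateway get_stages response.
SAMPLE = {"item": [
    {"stageName": "prod",
     "webAclArn": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/example-acl/EXAMPLE-ID"},
    {"stageName": "dev"},                     # key absent: never associated
    {"stageName": "test", "webAclArn": ""},   # empty value: treated as not associated
]}

if __name__ == "__main__":
    for r in evaluate_stages("us-east-1", "a1b2c3d4e5", SAMPLE):
        print(r["status"].upper(), r["resource"], "-", r["reason"])
```

Every stage is evaluated separately, so an API with a protected `prod` stage still produces alarms for any other deployed stage that lacks a web ACL.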

Remediation

For information on how to use the API Gateway console to associate an AWS WAF Regional web ACL with an existing API Gateway API stage, see Using AWS WAF to protect your APIs.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_apigateway_4

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_apigateway_4 --share

SQL

This control uses a named query:

apigateway_stage_use_waf_web_acl

Tags