search

aws / chalice

Python Serverless Microframework for AWS
Apache License 2.0
10.6k stars 1.01k forks source link

Add config option to attach a WAF ACL to API Gateway stage(s) #1816

Open jrbeilke opened 2 years ago

jrbeilke commented 2 years ago

In order to meet the AWS Foundational Security Best Practices we need to have a WAF ACL on our API Gateway stages, but Chalice does not currently support this AFAICT.

https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-apigateway-4

[APIGateway.4] API Gateway should be associated with an AWS WAF web ACL
Category: Protect > Protective services

Severity: Medium

Resource type: AWS::ApiGateway::Stage

AWS Configrule: api_gw_associated_with_waf

Parameters: None

This control checks whether an API Gateway stage uses an AWS WAF web access control list (ACL). This control fails if an AWS WAF web ACL is not attached to a REST API Gateway stage.

Perhaps a new config value could be added (ie. waf_acl_id) which could be used to associate a WAF ACL with the API Gateway stage(s) in Chalice.

jrbeilke commented 2 years ago

Took a shot at trying to implement a new waf_acl_arn config option, but ran into some complications in trying to handle the different Chalice deployment methods and lack of support in Cloudformation and SAM for accessing the ARN of an API Gateway Stage. ie. https://github.com/aws/serverless-application-model/issues/792

This may need to wait for Chalice v2 deployer (ie. #1833) or later once Cloudformation and SAM have better support for WAF ACLs with API Gateway Stages

In the meantime I opened up a separate issue (#1838) to expose the ARN of the API Gateway Stage when using Terraform, which would allow us to implement a workaround for now until Chalice is able to handle WAF ACL associations with API Gateway Stages.

jrbeilke commented 2 years ago

Came up with a workaround for now wrapping the chalice.tf.json with some additional Terraform that can reference the APIGW resources from Chalice ie.

resource "aws_wafv2_web_acl_association" "api" {
  resource_arn = "${aws_api_gateway_rest_api.rest_api.arn}/stages/${aws_api_gateway_deployment.rest_api.stage_name}"
  web_acl_arn  = aws_wafv2_web_acl.common.arn
}
BigDataDaddy commented 2 years ago

WAF support on the API Gateway stage would be needed to pass a Well Architected review.