Web Application Firewall (WAF)
AppSync supports WAF. WAF is an Application Firewall that helps you protect your API against common web exploits.
The AppSync integration comes with some handy pre-defined rules that you can enable in just a few lines of code.
You can configure WAF rules under the appSync.waf attribute.
Quick start
You can define a collection of rules for your web ACL and associate it:
appSync:
name: my-api
waf:
enabled: true
defaultAction: 'Allow'
rules:
- throttle
- disableIntrospection
Or directly associate an existing web ACL:
appSync:
name: my-api
waf:
enabled: true
arn: 'arn:aws:wafv2:us-east-1:123456789012:regional/webacl/my-Waf/d7b694d2-4f7d-4dd6-a9a9-843dd1931330'
Configuration
enabled: Boolean. Enable or disable WAF. Defaults totruewhenappSync.wafis defined.arn: Optional. The WAF's ARN to associate with your AppSync resource.name: Optional. The name of this WAF instance. Defaults to the name of your API.defaultAction: Optional. The default action if a request does not match a rule.AlloworBlock. Defaults toAllow.description: Optional. A description for this WAF instance.visibilityConfig: Optional. A visibility config for this WAFname: Metric namecloudWatchMetricsEnabled: A boolean indicating whether the associated resource sends metrics to Amazon CloudWatchsampledRequestsEnabled: A boolean indicating whether AWS WAF should store a sampling of the web requests that match the rule
rules: Required. An array of rules. Optional whenarnis present
Rules
Configuration
Common configuration to all rules:
name: The name of the ruleaction: How this rule should handle the incoming request when matching the rule.AlloworDeny. Defaults toAllow.priority: The priority of this rule. See Rules PriorityvisibilityConfig: The visibility config for this rule.
Throttling
Throttling will disallow requests coming from the same ip address when a limit is reached within a 5-minutes period. It corresponds to a rules with a RateBasedStatement.
Examples:
waf:
enabled: true
rules:
- throttle # limit to 100 requests per 5 minutes period
- throttle: 200 # limit to 200 requests per 5 minutes period
- throttle:
limit: 200
priority: 10
aggregateKeyType: FORWARDED_IP
forwardedIPConfig:
headerName: 'X-Forwarded-For'
fallbackBehavior: 'MATCH'
Configuration
See the CloudFormation documentation
aggregateKeyType:IPorFORWARDED_IPlimit: The limit of requests in a 5-minutes window for the same IP address.forwardedIPConfig: forwardedIPConfigscopeDownStatement: WebACL Statement
Disable Introspection
Sometimes, you want to disable introspection to disallow untrusted consumers to discover the structure of your API.
waf:
enabled: true
rules:
- disableIntrospection # disables introspection for everyone
- disableIntrospection: # using custom configuration
name: Disable introspection
priority: 200
Custom rules
You can also specify custom rules. For more info on how to define a rule, see the Cfn documentation
Example:
waf:
enabled: true
defaultAction: Block
rules:
# Only allow US users
- action: Allow
name: UsOnly
statement:
GeoMatchStatement:
CountryCodes:
- US
waf:
enabled: true
defaultAction: Block
rules:
# using ManagedRuleGroup
- name: 'AWSManagedRulesCommonRuleSet'
priority: 20
overrideAction:
None: {}
statement:
ManagedRuleGroupStatement:
VendorName: 'AWS'
Name: 'AWSManagedRulesCommonRuleSet'
Per API Key rules
In some cases, you might want to enable a rule for a given API key only. You can specify wafRules under the appSync.apiKeys attribute. The rules will apply only to that API key.
apiKeys:
- name: MyApiKey
expiresAfter: 365d
wafRules:
- throttle # throttles this API key
- disableIntrospection # disables introspection for this API key
Adding a rule to an API key without any statement will add a match-all rule for that key (all requests will match that rule). This is useful for example to exclude API keys from global rules. In that case, you need to make sure to attribute a higher priority to that rule.
Example:
- Block all requests by default, except in the US.
- The
WorldWideApiKeyAPI key should be excluded from that rule.
appSync:
waf:
enabled: true
defaultAction: Block # Block all by default
rules:
# allow US requests
- action: Allow
name: UsOnly
priority: 5
statement:
geoMatchStatement:
countryCodes:
- US
apiKeys:
- name: Key1 # no rule is set, the global rule applies (US only)
- name: Key1 # no rule is set, the global rule applies (US only)
- name: WorldWideApiKey
wafRules:
- name: WorldWideApiKeyRule
action: Allow
priority: 1 # Since priority is higher than 5, all requests will be Allowed
Rules priority
The priorities don't need to be consecutive, but they must all be different.
Setting a priority to the rules is not required, but recommended. If you don't set priority, it will be automatically attributed and sequentially incremented according to the following rules:
First the global rules (under appSync.waf.rules), in the order that they are defined, then the API key rules, in order of the API keys and their rules.
Auto-generated priorities start at 100. This gives you som room (0-99) to add other rules that should get a higher priority, if you need to.
For more info about how rules are executed, pease refer to the documentation
Example:
appSync:
waf:
enabled: true
rules:
- name: Rule1
# (no-set) Priority = 100
- name: Rule2
priority: 5 # Priority = 5
- name: Rule3
# (no-set) Priority = 101
apiKeys:
- name: Key1
wafRules:
- name: Rule4
# (no-set) Priority = 102
- name: Rule5
# (no-set) Priority = 103
- name: Key
wafRules:
- name: Rule6
priority: 1 # Priority = 1
- name: Rule7
# (no-set) Priority = 104