Connecting AWS WAF to API Gateway via Serverless Framework
In this article, we will take a look at the use case of Connecting AWS WAF to AWS API Gateway via Serverless Framework. AWS WAF is a great service for making application security stronger.
In a previous article: Serverless Security: Preventing HTTP Flood DDoS Attack we covered how AWS WAF helps to prevent HTTP Flood DDoS attacks.
What is AWS WAF?
AWS WAF is a web application firewall that helps protect your web applications / APIs against common web exploits and bots. Attacks may affect availability, compromise security, or consume excessive resources. AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that control bot traffic and block common attack patterns.
AWS WAF is possible to deploy on:
- Amazon CloudFront
- Application Load Balancer
- Amazon API Gateway
- AWS AppSync
Protect API Gateway from DDoS with AWS WAF via Serverless Framework
Create Serverless Framework Project
Below is what your final project will look like by following each section of this article. I’m sharing it now so you can check what I have versus what you have as the article continues.
Serverless Framework IaC - Associate AWS WAF to AWS API Gateway
Serverless Framework plugin Serverless Associate WAF is used to Associate a regional AWS WAF with the AWS API Gateway used by your Serverless stack.
Below, the Serverless Framework IaC code snippet will create these resources:
- 1 AWS Lambda Function
- 1 API of REST type in AWS API Gateway
- Associate regional AWS WAF with API Gateway for the current stack (which we will create later step in this article)
The above IaC snippet associates WAF to API Gateway in the current stack. Next, we will create that WAF using the CloudFormation IaC code found below; which we are importing into this file in the last line.
AWS CloudFormation - Create WAF Regional Web ACL with Rate-Based Rule
The above AWS CloudFormation IaC code helps you create AWS WAF Regional Web ACL with a Rate-Based rule to prevent HTTP Flood DDoS attacks. After creating Regional AWS WAF, we can easily associate the same with stack’s AWS API Gateway (as explained earlier in this article) using the Serverless Framework plugin ‘serverless-associate-waf’.
Serverless Framework Infrastructure as Code allows us to associate AWS WAF with API Gateway within the serverless stack using the plugin ecosystem. AWS WAF along with API Gateway make APIs more secure against DDoS attacks.