API Gateway Stage missing WAF
Updated: June 19, 2025
Description
The AWS API Gateway stage is currently deployed without an attached Web Application Firewall (WAF).
This leaves the API endpoint vulnerable to various web-based attacks such as SQL injection, cross-site scripting (XSS), and other common threats. Without AWS WAF in place, the API becomes more susceptible to attacks that could lead to data breaches, service disruptions, or the compromise of sensitive information. This weakens the API Gateway's overall security posture, increasing the risk of unauthorized access and malicious activities.
Example Attack
An attacker might attempt to exploit a vulnerability in the API Gateway by sending malicious input, such as an SQL injection payload, in a web request. Without a WAF, the malicious request could pass through to the backend system, potentially allowing the attacker to manipulate the database or gain unauthorized access to sensitive data. With a WAF attached, malicious requests like these would be detected and blocked before they reach the API, preventing potential exploitation and ensuring that only legitimate traffic is processed.
Remediation
To secure the API Gateway stage, attach an AWS WAF to the stage. This will help to filter and block malicious web requests, protecting the API from common threats and reducing the risk of unauthorized access or exploitation.
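As an added example (not part of the original finding), a Terraform configuration that attaches an AWS WAFv2 web ACL with an AWS managed rule group to a REST API stage; the stage reference `aws_api_gateway_stage.prod`, the ACL name and the metric names are assumptions.

```hcl
# Added example, not from the original finding. It assumes the REST API
# stage already exists elsewhere as aws_api_gateway_stage.prod.
# AWS WAF attaches only to REST API stages (not HTTP API v2), and the
# web ACL must be REGIONAL (CLOUDFRONT scope cannot be associated here).
resource "aws_wafv2_web_acl" "api_stage" {
  name  = "api-stage-acl" # assumed name
  scope = "REGIONAL"

  # Allow by default; the managed rule group below blocks known-bad requests.
  default_action {
    allow {}
  }

  # Core rule set covering XSS and other common web attack patterns.
  # For the SQL injection case in the finding, add a second rule at
  # priority 2 referencing the AWSManagedRulesSQLiRuleSet group.
  rule {
    name     = "aws-common-rules"
    priority = 1
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-common-rules"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "api-stage-acl"
    sampled_requests_enabled   = true
  }
}

# The association is the missing piece this finding reports: a web ACL
# that exists but is not associated with the stage protects nothing.
resource "aws_wafv2_web_acl_association" "api_stage" {
  resource_arn = aws_api_gateway_stage.prod.arn
  web_acl_arn  = aws_wafv2_web_acl.api_stage.arn
}
```

After applying, confirm the association with `aws wafv2 get-web-acl-for-resource --resource-arn arn:aws:apigateway:<region>::/restapis/<api-id>/stages/<stage>`; a response with no `WebACL` entry means the stage is still unprotected.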
Security Frameworks
Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information].
Perform security and privacy compliance checks on constituent system components prior to the establishment of the internal connection.
- Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
- Review and update the baseline configuration of the system:
  - [Assignment: organization-defined frequency];
  - When required due to [Assignment: organization-defined circumstances]; and
  - When system components are installed or upgraded.