API Gateway Protection
Route your APIs to your Network Security virtual appliances. This allows you to monitor and filter HTTP and HTTPS requests that are forwarded to your API and adds protection against common web attacks.
Use geolocation filtering to block requests based on an IP address or range of IP addresses originating from a specific country or region. Network Security blocks requests containing malicious SQL code or scripts and also blocks bad bots, content scrapers, and attacks from specific user-agents.
Rule ID: NS-API-001
Risk level: High (not acceptable risk)
Ensure that the Amazon API Gateway is routed to the Network Security virtual appliance to protect your APIs against common web exploits such as SQL injection, cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks, which could affect API availability and performance, compromise API data security, or consume excessive resources.
This can help you with the following compliance standards:
NIST 800-53 (Rev. 4)
This rule can help you align with the AWS Well-Architected Framework through the integration of AWS, Network Security, and Cloud One - Conformity.

Audit API protection

To determine if your cloud APIs are protected, perform the following actions.

  1. From the AWS Management Console, navigate to API Gateway.
  2. Select the API Gateway that you want to audit.
  3. Ensure that the targets use HTTP Proxies, and make note of the target destinations.
  4. For each unique destination, search in AWS EC2 Network Interfaces to find where the requests are being proxied to.
  5. Make note of the VPCs that are associated with the Network Interfaces.
  6. From the Network Security management interface, click the Assets tab to open the Assets page.
  7. Refresh your assets, and look for the VPCs that were associated with your Network Interfaces.
  8. If these VPCs have a Protected status, you have successfully protected your API Gateway.
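The console walk-through above can be checked offline with a small helper. The following is an added example, not Trend Micro's or AWS's code: it assumes integration records shaped like the `type` and `uri` fields of `aws apigateway get-integration`, network interface records shaped like `aws ec2 describe-network-interfaces` output, and a plain set of VPC IDs copied from the Network Security Assets page; all values are constructed samples.

```python
from urllib.parse import urlparse

# Constructed sample: one record per API method, shaped like the `type` and
# `uri` fields of `aws apigateway get-integration`.
INTEGRATIONS = [
    {"api": "orders-api", "type": "HTTP_PROXY", "uri": "http://10.0.1.25:8080/{proxy}"},
    {"api": "orders-api", "type": "HTTP_PROXY", "uri": "https://10.0.1.25/health"},
    {"api": "billing-api", "type": "HTTP_PROXY", "uri": "http://10.9.3.7/{proxy}"},
    {"api": "reports-api", "type": "HTTP_PROXY", "uri": "http://backend.internal.example/{proxy}"},
    {"api": "legacy-api", "type": "AWS_PROXY", "uri": "arn:aws:apigateway:REGION:lambda:path/PLACEHOLDER"},
]

# Constructed sample shaped like `aws ec2 describe-network-interfaces` output.
NETWORK_INTERFACES = [
    {"NetworkInterfaceId": "eni-0aaa", "VpcId": "vpc-0a1b",
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.25"}]},
    {"NetworkInterfaceId": "eni-0bbb", "VpcId": "vpc-0c2d",
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.9.3.7"}]},
]

# Constructed: VPC IDs shown as Protected on the Network Security Assets page.
PROTECTED_VPCS = {"vpc-0a1b"}


def proxy_destinations(integrations):
    """Step 3: keep only HTTP proxy integrations and return their unique target hosts."""
    return {urlparse(i["uri"]).hostname for i in integrations if i["type"] == "HTTP_PROXY"}


def vpcs_for_hosts(hosts, interfaces):
    """Steps 4-5: map each destination to the VPC of the ENI that owns that private IP.
    A host that is a DNS name (or an IP with no matching ENI) maps to None."""
    ip_to_vpc = {a["PrivateIpAddress"]: eni["VpcId"]
                 for eni in interfaces for a in eni["PrivateIpAddresses"]}
    return {host: ip_to_vpc.get(host) for host in hosts}


def audit(integrations, interfaces, protected_vpcs):
    """Steps 6-8: classify each API destination against the Protected VPC list."""
    findings = {}
    for host, vpc in vpcs_for_hosts(proxy_destinations(integrations), interfaces).items():
        if vpc is None:
            findings[host] = "NO_VPC_MATCH"   # resolve the name or locate the ENI by hand
        elif vpc in protected_vpcs:
            findings[host] = "PROTECTED"
        else:
            findings[host] = "UNPROTECTED"    # candidate for Deploy protection
    return findings
```

A destination given as a DNS name rather than a private IP is reported as NO_VPC_MATCH, since step 4 only matches private IP addresses; resolve such names to their ENIs before treating the API as covered.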

If the VPCs are not protected, follow the steps below to enable protection.

Enable API protection

To protect your cloud APIs, perform the following actions:

  1. From the AWS Management Console, navigate to API Gateway.
  2. Select the API Gateway that you want to audit.
  3. Ensure that the targets use HTTP Proxies, and make note of the target destinations.
  4. For each unique destination, search in AWS EC2 Network Interfaces to find where the requests are being proxied to.
  5. Make note of the VPCs that are associated with the Network Interfaces.
  6. From the Network Security management interface, click the Assets tab to open the Assets page.
  7. Refresh your assets, and look for the VPCs that were associated with your Network Interfaces.
  8. Click Deploy protection next to the VPCs to begin the deployment wizard.
  9. Complete the deployment wizard, then refresh the Assets page to verify the VPC is now Protected.