
CDK constructs for defining an AWS WAF web ACL connected to an Amazon API Gateway REST API.

Project description

aws-wafwebacl-apigateway module

---

Stability: Experimental

All classes are under active development and subject to non-backward compatible changes or removal in any future version. These are not subject to the Semantic Versioning model. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.


Reference Documentation: https://docs.aws.amazon.com/solutions/latest/constructs/
| Language | Package |
|---|---|
| Python | aws_solutions_constructs.aws_wafwebacl_apigateway |
| TypeScript | @aws-solutions-constructs/aws-wafwebacl-apigateway |
| Java | software.amazon.awsconstructs.services.wafwebaclapigateway |

Overview

This AWS Solutions Construct implements an AWS WAF web ACL connected to an Amazon API Gateway REST API.

Here is a minimal deployable pattern definition in TypeScript:

import * as api from '@aws-cdk/aws-apigateway';
import * as lambda from "@aws-cdk/aws-lambda";
import { ApiGatewayToLambda } from '@aws-solutions-constructs/aws-apigateway-lambda';
import { WafwebaclToApiGatewayProps, WafwebaclToApiGateway } from "@aws-solutions-constructs/aws-wafwebacl-apigateway";

const apiGatewayToLambda = new ApiGatewayToLambda(this, 'ApiGatewayToLambdaPattern', {
    lambdaFunctionProps: {
        runtime: lambda.Runtime.NODEJS_14_X,
        handler: 'index.handler',
        code: lambda.Code.fromAsset(`lambda`)
    }
});

// This construct can only be attached to a configured API Gateway.
new WafwebaclToApiGateway(this, 'test-wafwebacl-apigateway', {
    existingApiGatewayInterface: apiGatewayToLambda.apiGateway
});

Initializer

new WafwebaclToApiGateway(scope: Construct, id: string, props: WafwebaclToApiGatewayProps);

Parameters

Pattern Construct Props

| Name | Type | Description |
|---|---|---|
| existingApiGatewayInterface | api.IRestApi | The existing API Gateway instance that will be protected with the WAF web ACL. Note that a WAF web ACL can only be added to a configured API Gateway, so this construct only accepts an existing IRestApi and does not accept apiGatewayProps. |
| existingWebaclObj? | waf.CfnWebACL | Existing instance of a WAF web ACL. An error will occur if both this and webaclProps are set. |
| webaclProps? | waf.CfnWebACLProps | Optional user-provided props to override the default props for the AWS WAF web ACL. To use a different collection of managed rule sets, specify a new rules property. Use our wrapManagedRuleSet(managedGroupName: string, vendorName: string, priority: number) function from core to create an array entry from each desired managed rule set. |
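Building a replacement rules collection for webaclProps and checking it before synthesis, as an added example that is not part of the package's own documentation. It runs without the CDK installed: the wrapManagedRuleSet below is a local stand-in with the signature given above (its returned shape is an assumption), and ManagedRule, lintRules and buildWebaclProps are hypothetical names.

```typescript
// Plain-object shape of the CfnWebACL rule fields this example uses.
interface ManagedRule {
  name: string;
  priority: number;
  overrideAction: { none?: {}; count?: {} };
  statement: { managedRuleGroupStatement: { name: string; vendorName: string } };
  visibilityConfig: { cloudWatchMetricsEnabled: boolean; metricName: string; sampledRequestsEnabled: boolean };
}

// Local stand-in for core's wrapManagedRuleSet (same signature as on the page;
// the returned shape is an assumption). In a CDK app, import the real helper.
function wrapManagedRuleSet(managedGroupName: string, vendorName: string, priority: number): ManagedRule {
  return {
    name: managedGroupName,
    priority,
    overrideAction: { none: {} }, // keep the rule group's own actions
    statement: { managedRuleGroupStatement: { name: managedGroupName, vendorName } },
    visibilityConfig: { cloudWatchMetricsEnabled: true, metricName: managedGroupName, sampledRequestsEnabled: true },
  };
}

// Pre-synth lint: priorities and names must be unique within a web ACL, and a
// rule group overridden to count only records matches instead of blocking.
function lintRules(rules: ManagedRule[]): string[] {
  const findings: string[] = [];
  const byPriority: Record<number, string> = {};
  const seenNames: Record<string, boolean> = {};
  rules.forEach((r) => {
    if (byPriority[r.priority] !== undefined) {
      findings.push(`priority ${r.priority} used by ${byPriority[r.priority]} and ${r.name}`);
    }
    byPriority[r.priority] = r.name;
    if (seenNames[r.name]) findings.push(`duplicate rule name ${r.name}`);
    seenNames[r.name] = true;
    if (r.overrideAction.count !== undefined) findings.push(`${r.name} is count-only and will not block`);
  });
  return findings;
}

// Props object with the fields CfnWebACLProps requires plus the custom rules.
function buildWebaclProps(groups: string[]) {
  return {
    defaultAction: { allow: {} },
    scope: 'REGIONAL', // API Gateway REST APIs are protected by regional web ACLs
    visibilityConfig: { cloudWatchMetricsEnabled: true, metricName: 'webACL', sampledRequestsEnabled: true },
    rules: groups.map((g, i) => wrapManagedRuleSet(g, 'AWS', i)),
  };
}

const webaclProps = buildWebaclProps(['AWSManagedRulesCommonRuleSet', 'AWSManagedRulesKnownBadInputsRuleSet', 'AWSManagedRulesSQLiRuleSet']);
```

Pass the resulting object as webaclProps to WafwebaclToApiGateway alongside existingApiGatewayInterface, and fail the build if lintRules returns any findings.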

Pattern Properties

| Name | Type | Description |
|---|---|---|
| webacl | waf.CfnWebACL | Returns an instance of the waf.CfnWebACL created by the construct. |
| apiGateway | api.IRestApi | Returns an instance of the API Gateway REST API created by the pattern. |

Default settings

The out-of-the-box implementation of the Construct, without any overrides, sets the following defaults:

AWS WAF

  • Deploy a WAF web ACL with 7 AWS managed rule groups.

    • AWSManagedRulesBotControlRuleSet
    • AWSManagedRulesKnownBadInputsRuleSet
    • AWSManagedRulesCommonRuleSet
    • AWSManagedRulesAnonymousIpList
    • AWSManagedRulesAmazonIpReputationList
    • AWSManagedRulesAdminProtectionRuleSet
    • AWSManagedRulesSQLiRuleSet

    Note that the default rules can be replaced by specifying the rules property of CfnWebACLProps.

  • Send metrics to Amazon CloudWatch

Amazon API Gateway

  • User provided API Gateway object is used as-is

Architecture

Architecture Diagram


© Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.

File details

Details for the file aws-solutions-constructs.aws-wafwebacl-apigateway-1.139.0.tar.gz.

File metadata

  • Download URL: aws-solutions-constructs.aws-wafwebacl-apigateway-1.139.0.tar.gz
  • Upload date:
  • Size: 252.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.8.0 pkginfo/1.8.2 readme-renderer/32.0 requests/2.27.1 requests-toolbelt/0.9.1 urllib3/1.26.8 tqdm/4.62.3 importlib-metadata/4.8.3 keyring/23.4.1 rfc3986/1.5.0 colorama/0.4.4 CPython/3.6.5

File hashes

Hashes for aws-solutions-constructs.aws-wafwebacl-apigateway-1.139.0.tar.gz
| Algorithm | Hash digest |
|---|---|
| SHA256 | 25a089203ad0f1815c1ea9e8510f01d838e38da51dbf699d56faec607624da62 |
| MD5 | 631af80ae03235ddd4bba9f4b8053de8 |
| BLAKE2b-256 | 29d896aba83c801a51e6d1695420efebf5eef0879300e4797cb1b1c425aa0fd9 |

File details

Details for the file aws_solutions_constructs.aws_wafwebacl_apigateway-1.139.0-py3-none-any.whl.

File metadata

  • Download URL: aws_solutions_constructs.aws_wafwebacl_apigateway-1.139.0-py3-none-any.whl
  • Upload date:
  • Size: 252.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.8.0 pkginfo/1.8.2 readme-renderer/32.0 requests/2.27.1 requests-toolbelt/0.9.1 urllib3/1.26.8 tqdm/4.62.3 importlib-metadata/4.8.3 keyring/23.4.1 rfc3986/1.5.0 colorama/0.4.4 CPython/3.6.5

File hashes

Hashes for aws_solutions_constructs.aws_wafwebacl_apigateway-1.139.0-py3-none-any.whl
| Algorithm | Hash digest |
|---|---|
| SHA256 | 59ae0be2efd84cadb752394458dd373f9b0587b0cb937e3566cf5ad6129ebfac |
| MD5 | 710a4302d6ed05b43d0470608e745099 |
| BLAKE2b-256 | 338f86ebacb7509844d6a19fe14caccf7c27be86b97e3ebb881f1ab508afb756 |
