Ensure AWS AppSync is protected by WAF

Error: AWS AppSync is not protected by WAF

Bridgecrew Policy ID: BC_AWS_GENERAL_139
Checkov Check ID: CKV_AWS_33
Severity: LOW

AWS AppSync is not protected by WAF

Description

Ensuring that your AWS AppSync API is protected by a Web Application Firewall (WAF) can help to improve the security of your API by protecting against common web vulnerabilities such as SQL injection attacks and cross-site scripting (XSS) attacks by inspecting incoming requests and blocking those that contain malicious payloads. It can also help to prevent DDoS attacks by allowing you to set rate-based rules that limit the number of requests that an IP address can send to your API within a specified time period.

Fix - Runtime

Fix - Buildtime

Terraform

resource "aws_appsync_graphql_api" "pass" {
  authentication_type = "API_KEY"
  name                = "example"
}

resource "aws_wafv2_web_acl_association" "pass" {
  resource_arn = aws_appsync_graphql_api.pass.arn
  web_acl_arn  = aws_wafv2_web_acl.example.arn
}