Findings

API Gateway Stage missing WAF

Updated: June 19, 2025

Description

The AWS API Gateway stage is missing a WAF implementation.

Remediation

Use the API Gateway console to associate an AWS WAF Regional web ACL with an existing API Gateway API stage.
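The same check and remediation can be scripted. The following is an added example, not FireTail's own code: it flags REST API stages whose stage description carries no `webAclArn` and builds the resource ARN that AWS WAF expects for the association. The region, API ID, account ID and web ACL ARN in the sample are constructed placeholders, and the live functions assume boto3 and suitable IAM permissions.

```python
"""Added example: flag API Gateway REST API stages with no web ACL attached."""

def stage_arn(region, rest_api_id, stage_name):
    # Resource ARN format AWS WAF expects for a REST API stage.
    return f"arn:aws:apigateway:{region}::/restapis/{rest_api_id}/stages/{stage_name}"

def stages_missing_waf(region, rest_api_id, get_stages_response):
    """Return ARNs of stages whose description has no webAclArn."""
    missing = []
    for stage in get_stages_response.get("item", []):
        if not stage.get("webAclArn"):
            missing.append(stage_arn(region, rest_api_id, stage["stageName"]))
    return missing

def audit_region(region):
    """Live check: needs boto3 and read access to API Gateway."""
    import boto3
    apigw = boto3.client("apigateway", region_name=region)
    findings = []
    for page in apigw.get_paginator("get_rest_apis").paginate():
        for api in page["items"]:
            resp = apigw.get_stages(restApiId=api["id"])
            findings += stages_missing_waf(region, api["id"], resp)
    return findings

def associate(region, web_acl_arn, resource_arn):
    """Remediation: attach an existing regional web ACL to one stage."""
    import boto3
    boto3.client("wafv2", region_name=region).associate_web_acl(
        WebACLArn=web_acl_arn, ResourceArn=resource_arn)

# Constructed sample shaped like a get_stages response (not real data).
SAMPLE = {"item": [
    {"stageName": "prod",
     "webAclArn": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/"
                  "example/00000000-0000-0000-0000-000000000000"},
    {"stageName": "dev"},
]}

if __name__ == "__main__":
    for arn in stages_missing_waf("us-east-1", "a1b2c3d4e5", SAMPLE):
        print("missing WAF:", arn)
```
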

Security Frameworks

Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information].

Perform security and privacy compliance checks on constituent system components prior to the establishment of the internal connection.

  1. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
  2. Review and update the baseline configuration of the system:
     1. [Assignment: organization-defined frequency];
     2. When required due to [Assignment: organization-defined circumstances]; and
     3. When system components are installed or upgraded.
