Amazon API Gateway is a powerful service for building and managing APIs, but securing them against web threats is critical, especially in common architectures where payloads are forwarded to Linux-based EC2 instances via an Application Load Balancer (ALB). AWS Web Application Firewall (WAF) provides a robust solution to protect your REST APIs from attacks like SQL injection, cross-site scripting (XSS), malicious bots, and Linux/Unix-specific exploits. For startups or small projects, balancing strong security with minimal costs is key. In this article, I’ll recommend a set of AWS-managed WAF rule groups that deliver high-value protection at a low cost, tailored for APIs forwarding to EC2 instances. We’ll also break down the pricing to help you plan your budget effectively.
Why Use AWS WAF with API Gateway?
AWS WAF allows you to create a Web Access Control List (web ACL) with rules to filter malicious traffic before it reaches your API Gateway. This is particularly important in setups where API Gateway forwards requests to an ALB and then to an EC2 target group running Linux/Unix-based instances, a common AWS architecture. WAF can protect against:
- Malicious IPs known for spamming or malware.
- Anonymized traffic from VPNs or Tor networks.
- Common exploits like SQL injection and XSS.
- Linux/Unix-specific attacks, such as command injection, which are relevant for EC2-based backends.
The goal is to select rules with high cost-value impact—maximum security for minimal cost. Below, I’ll outline the recommended rule sets, including those tailored for EC2-based setups, and their costs.
Recommended AWS-Managed Rule Sets for a High-Impact, Cost-Effective Setup
For a cost-effective setup with strong protection, especially for APIs forwarding to Linux-based EC2 instances via ALB, I recommend the following six AWS-managed rule groups. These provide comprehensive protection at a low cost.
Core Rule Sets (Minimal, High-Value)
These three rule groups provide essential protection for most API Gateway REST APIs.
- Amazon IP Reputation List (Free)
  - What It Does: Blocks requests from IP addresses associated with malicious activities (e.g., spamming, malware, botnets) based on AWS’s threat intelligence.
  - Why It’s Valuable: Automatically filters known bad actors with zero configuration, offering a foundational layer of protection for any API.
  - Cost: $0/month (free managed rule group).
  - Cost-Value Impact: Extremely high: broad protection at no rule cost.
- Anonymous IP List (Free)
  - What It Does: Blocks traffic from anonymized sources like VPNs, Tor networks, or proxies, often used by attackers to mask their identity.
  - Why It’s Valuable: Reduces risks from hidden sources, especially for public-facing APIs. It’s AWS-managed and requires no maintenance.
  - Cost: $0/month (free managed rule group).
  - Cost-Value Impact: Extremely high, targeting anonymized threats at no rule cost.
- Core Rule Set (CRS) ($1/month)
  - What It Does: Protects against OWASP Top 10 vulnerabilities, including SQL injection, XSS, and other exploits targeting headers, query strings, or URIs.
  - Why It’s Valuable: Essential for any API, covering common web attacks for just $1/month. It’s a must-have for APIs handling user inputs or sensitive data.
  - Cost: $1/month (standard fee for a paid managed rule group).
  - Cost-Value Impact: Very high, delivering broad security for a low cost.
Additional High-Impact Rule Sets
These three low-cost rule groups enhance protection, particularly for APIs forwarding to Linux-based EC2 instances, without significantly increasing costs.
- Known Bad Inputs ($1/month)
  - What It Does: Blocks requests containing known malicious payloads or patterns, such as specific attack signatures.
  - Why It’s Valuable: Complements the Core Rule Set by targeting a broader range of malicious patterns, including less common exploits, for minimal cost.
  - Cost: $1/month.
  - Cost-Value Impact: High, as it strengthens exploit protection.
- SQL Database ($1/month)
  - What It Does: Specifically targets SQL injection attacks with focused rules, offering deeper inspection than the Core Rule Set’s SQL injection protection.
  - Why It’s Valuable: Adds specialized protection for database-driven APIs, especially if EC2 instances process database queries based on API inputs.
  - Cost: $1/month.
  - Cost-Value Impact: High, especially for database-driven APIs.
- Linux/Unix Rule Set ($1/month)
  - What It Does: Protects against Linux/Unix-specific attacks, such as command injection or local file inclusion, targeting vulnerabilities in Linux-based systems.
  - Why It’s Valuable: Critical for APIs forwarding payloads to Linux-based EC2 instances via ALB, a common AWS setup. EC2 instances (e.g., running Amazon Linux or Ubuntu) may process user inputs in applications (e.g., Node.js, Python, PHP) that could be vulnerable to command injection if not properly sanitized. This rule set blocks malicious patterns like `; rm -rf /` or `curl` commands, adding targeted protection for your backend.
  - Cost: $1/month.
  - Cost-Value Impact: High, especially for EC2-based APIs, as it addresses OS-specific attacks for minimal cost.
Why These Rules?
- Comprehensive Protection: These rules cover malicious IPs, anonymized traffic, common web exploits, and Linux/Unix-specific attacks, making them ideal for API Gateway → ALB → EC2 setups.
- Cost-Effective: Two free rule groups and four $1/month rule groups, plus the $5.00/month web ACL, total $9.00/month in fixed costs, keeping expenses low.
- High Cost-Value Impact: Free rules provide broad protection at no cost; paid rules target critical vulnerabilities, including those relevant to Linux-based EC2 backends.
- Low Maintenance: All rules are AWS-managed, so AWS handles updates and tuning, reducing operational overhead.
Other AWS-Managed Rule Groups (Not Recommended for This Setup)
AWS offers additional managed rule groups, but I’ve excluded them because they have lower cost-value impact (higher cost for niche protection) or are less relevant for most API Gateway use cases, including EC2-based setups. Here’s why:
- AWS Managed Rules Bot Control ($10/month)
  - Purpose: Detects and mitigates bot traffic (e.g., scrapers, crawlers) with advanced detection.
  - Why Not: Costs $10/month, significantly higher than other rule groups. It’s overkill unless your API is heavily targeted by bots. The Anonymous IP List already blocks some bot-related traffic (e.g., from VPNs or Tor).
  - Cost-Value Impact: Low, due to high cost relative to added protection.
- AWS Managed Rules Account Takeover Prevention ($10/month)
  - Purpose: Prevents credential stuffing and account takeover attempts by analyzing login patterns.
  - Why Not: Expensive ($10/month) and only relevant if your API handles user authentication endpoints, which may not apply to all EC2-based APIs.
  - Cost-Value Impact: Low, as it’s niche and costly.
- WordPress Rule Set ($1/month)
  - Purpose: Protects WordPress-specific endpoints.
  - Why Not: Irrelevant unless your API Gateway serves a WordPress application running on EC2.
  - Cost-Value Impact: Very low for non-WordPress APIs.
AWS WAF Pricing Breakdown
AWS WAF pricing for regional resources (like API Gateway) includes three components:
- Web ACL Cost: $5.00/month (prorated by the hour) for the web ACL.
- Rule Costs: $1.00/month per paid rule group; free for Amazon IP Reputation List and Anonymous IP List.
- Request Costs: $0.60 per million requests processed by the web ACL.
For the recommended setup (six rule groups):
- Fixed Costs:
  - Web ACL: $5.00/month
  - Rules: $4.00/month (Core Rule Set + Known Bad Inputs + SQL Database + Linux/Unix Rule Set)
  - Total Fixed: $9.00/month
- Variable Costs (depend on API traffic):
  - 1 million requests/month: $0.60
  - 5 million requests/month: $3.00
  - 10 million requests/month: $6.00
Total Cost Examples
- 1M requests/month: $9.00 (fixed) + $0.60 (requests) = $9.60/month
- 5M requests/month: $9.00 + $3.00 = $12.00/month
- 10M requests/month: $9.00 + $6.00 = $15.00/month
AWS Free Tier Note: If you’re in the first 12 months of an AWS account, the Free Tier covers up to 10 million requests/month, reducing request costs to $0. For example, with 5M requests, the total would be $9.00/month.
Optional Logging Costs
Enabling logging to Amazon S3 or CloudWatch adds minor costs (e.g., ~$0.023/GB for S3 in us-east-1). For a cost-effective setup, you can skip logging initially but consider enabling it later for monitoring or compliance.
Setting Up WAF for Your API Gateway
Here’s how to implement this setup:
- Create a Web ACL:
  - In the AWS WAF console, create a regional web ACL and associate it with your API Gateway REST API and stage.
  - Set the default action to Allow.
- Add the Rules:
  - Select Amazon IP Reputation List, Anonymous IP List, Core Rule Set, Known Bad Inputs, SQL Database, and Linux/Unix Rule Set from the AWS-managed rules.
  - Set rule priorities (e.g., IP Reputation List first, Anonymous IP List second, Core Rule Set third, Known Bad Inputs fourth, SQL Database fifth, Linux/Unix sixth).
- Enable Metrics:
  - Turn on CloudWatch metrics to monitor blocked requests (no extra WAF cost; minor CloudWatch fees may apply, ~$0.30/metric/month).
- Test and Deploy:
  - Test your API with sample requests (e.g., from a blocked IP, with SQL injection patterns, or command injection attempts like `; ls -la`) to verify the rules.
  - Deploy the updated API stage.
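The same setup expressed as code, as an added example that is not part of the original article: it builds the `wafv2.create_web_acl` request for the six AWS-managed rule groups in the priority order recommended above (default action Allow, CloudWatch metrics on for every rule) and the API Gateway stage ARN used to associate the web ACL. The rule group names are AWS's real vendor names; the web ACL name, region, API ID and stage are placeholders you must replace, and boto3 is only referenced in a comment so the block runs offline.

```python
from typing import Any

# Real AWS-managed rule group names, listed in the recommended priority
# order (lower priority number = evaluated first).
MANAGED_RULE_GROUPS = [
    "AWSManagedRulesAmazonIpReputationList",  # Amazon IP Reputation List
    "AWSManagedRulesAnonymousIpList",         # Anonymous IP List
    "AWSManagedRulesCommonRuleSet",           # Core Rule Set (CRS)
    "AWSManagedRulesKnownBadInputsRuleSet",   # Known Bad Inputs
    "AWSManagedRulesSQLiRuleSet",             # SQL Database
    "AWSManagedRulesLinuxRuleSet",            # Linux rule set
]


def managed_rule(name: str, priority: int) -> dict[str, Any]:
    """One web ACL rule delegating to an AWS-managed rule group.

    OverrideAction None keeps the group's own block actions, so a match
    blocks the request instead of merely being counted.
    """
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": name}},
        "OverrideAction": {"None": {}},
        "VisibilityConfig": {  # the "Enable Metrics" step, per rule
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def build_rules() -> list[dict[str, Any]]:
    """All six rules with unique priorities 0..5 in the recommended order."""
    return [managed_rule(name, i) for i, name in enumerate(MANAGED_RULE_GROUPS)]


def build_web_acl(acl_name: str) -> dict[str, Any]:
    """Keyword arguments for boto3 wafv2.create_web_acl (REGIONAL scope is
    required for API Gateway; default action Allow as recommended above)."""
    rules = build_rules()
    if len({r["Priority"] for r in rules}) != len(rules):
        raise ValueError("rule priorities within a web ACL must be unique")
    return {
        "Name": acl_name,
        "Scope": "REGIONAL",
        "DefaultAction": {"Allow": {}},
        "Rules": rules,
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": acl_name},
    }


def api_stage_arn(region: str, api_id: str, stage: str) -> str:
    """ResourceArn for wafv2.associate_web_acl; values are placeholders."""
    return f"arn:aws:apigateway:{region}::/restapis/{api_id}/stages/{stage}"

# Usage with boto3 (not run here):
#   acl = boto3.client("wafv2").create_web_acl(**build_web_acl("api-gw-waf"))
#   boto3.client("wafv2").associate_web_acl(
#       WebACLArn=acl["Summary"]["ARN"],
#       ResourceArn=api_stage_arn("us-east-1", "REPLACE_API_ID", "prod"))
```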
Tips for Cost Optimization
- Leverage Free Rules: The Amazon IP Reputation List and Anonymous IP List provide strong baseline protection at no rule cost.
- Start Small: If $4/month for paid rules is too much, begin with the free rules and Core Rule Set ($6.60/month for 1M requests). Add Known Bad Inputs, SQL Database, and Linux/Unix Rule Set later.
- Use Free Tier: If eligible, the Free Tier saves up to $6/month (10M requests) in the first 12 months.
- Monitor Costs: Use the AWS Billing Dashboard or Pricing Calculator (https://calculator.aws/) to estimate costs based on your API’s traffic.
- Avoid High-Cost Rules: Skip Bot Control or Account Takeover Prevention unless you face specific bot or login-related threats.
Why Include the Linux/Unix Rule Set?
The Linux/Unix Rule Set is particularly valuable for APIs forwarding payloads to Linux-based EC2 instances via ALB, a common AWS architecture. EC2 instances (e.g., running Amazon Linux or Ubuntu) may process user inputs in applications (e.g., Node.js, Python, PHP) that could be vulnerable to command injection if not properly sanitized. For just $1/month, this rule set blocks Linux/Unix-specific attacks like command injection (e.g., `; rm -rf /` or `curl` exploits), adding targeted protection for your EC2 backend without significant cost.
Conclusion
Securing your API Gateway with AWS WAF is affordable and effective, especially for setups forwarding to Linux-based EC2 instances via ALB. By using Amazon IP Reputation List, Anonymous IP List, Core Rule Set, Known Bad Inputs, SQL Database, and Linux/Unix Rule Set, you can protect your API from malicious IPs, anonymized traffic, common exploits, and Linux-specific attacks for as little as $9.60/month (or $9.00/month with the Free Tier) for 1 million requests. This setup delivers high-value security with minimal costs and no maintenance, making it ideal for startups, side projects, or any API Gateway deployment.
Check the AWS WAF pricing page (https://aws.amazon.com/waf/pricing/) for the latest details. Have a high-traffic API or specific security needs? Share your use case in the comments, and I’ll help tailor a WAF setup for you!