AppSync WAF Missing
appsync-waf-missing
What this rule checks
Detects AppSync APIs without an associated AWS WAF WebACL.
How to fix it
1. Associate a WAFv2 WebACL with the AppSync API
2. Define rules to protect against common web exploits
Non-compliant (the API is created, but no WebACL is ever associated with it):

import { CfnGraphQLApi } from 'aws-cdk-lib/aws-appsync';

new CfnGraphQLApi(this, 'PublicApi', {
  name: 'public-graphql-api',
  authenticationType: 'API_KEY',
});

Compliant (a WebACL is created and associated with the API's ARN):

import { CfnGraphQLApi } from 'aws-cdk-lib/aws-appsync';
import { CfnWebACL, CfnWebACLAssociation } from 'aws-cdk-lib/aws-wafv2';

const api = new CfnGraphQLApi(this, 'PublicApi', {
  name: 'public-graphql-api',
  authenticationType: 'API_KEY',
});

// AppSync is a regional resource, so the WebACL scope must be REGIONAL (not CLOUDFRONT).
const webAcl = new CfnWebACL(this, 'ApiWebAcl', {
  scope: 'REGIONAL',
  // Requests that match no rule are allowed; add a `rules` array (step 2 above)
  // so the WebACL actually blocks common web exploits rather than only logging.
  defaultAction: { allow: {} },
  visibilityConfig: {
    cloudWatchMetricsEnabled: true,
    metricName: 'apiWebAcl',
    sampledRequestsEnabled: true,
  },
});

// The association is what clears the finding: it binds the WebACL to this API's ARN.
new CfnWebACLAssociation(this, 'ApiWafAssociation', {
  resourceArn: api.attrArn,
  webAclArn: webAcl.attrArn,
});

CDK Insights pinpoints the exact file and line in your CDK source for every finding, so you can jump straight to the fix.
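As an added example (not CDK Insights' own code), a simplified reimplementation of what this rule checks over a synthesised CloudFormation template: an API counts as covered only when some WebACLAssociation's ResourceArn resolves to it through Fn::GetAtt (what the CDK emits for api.attrArn) or Ref (which, for AWS::AppSync::GraphQLApi, also returns the ARN). The template and resource names are constructed for the example; an association whose ResourceArn is an unresolvable literal string leaves the API flagged.

```typescript
type CfnResource = { Type: string; Properties?: Record<string, unknown> };
type CfnTemplate = { Resources: Record<string, CfnResource> };

// Resolve which logical ID an association's ResourceArn points at.
// CDK synthesises `api.attrArn` to { "Fn::GetAtt": ["<LogicalId>", "Arn"] };
// for AWS::AppSync::GraphQLApi, { "Ref": "<LogicalId>" } also yields the ARN.
function referencedApiLogicalId(arn: unknown): string | undefined {
  // A literal ARN string cannot be tied back to a resource in this template.
  if (typeof arn !== 'object' || arn === null) return undefined;
  const intrinsic = arn as Record<string, unknown>;
  const getAtt = intrinsic['Fn::GetAtt'];
  if (Array.isArray(getAtt) && getAtt.length === 2 && getAtt[1] === 'Arn') return String(getAtt[0]);
  const ref = intrinsic['Ref'];
  if (typeof ref === 'string') return ref;
  return undefined;
}

// The check itself: logical IDs of GraphQL APIs that no WebACLAssociation covers.
// Unresolvable associations are ignored, so the API they meant to cover is still flagged.
function findAppSyncApisWithoutWaf(template: CfnTemplate): string[] {
  const covered = new Set<string>();
  for (const res of Object.values(template.Resources)) {
    if (res.Type !== 'AWS::WAFv2::WebACLAssociation') continue;
    const id = referencedApiLogicalId(res.Properties?.ResourceArn);
    if (id !== undefined) covered.add(id);
  }
  return Object.entries(template.Resources)
    .filter(([id, res]) => res.Type === 'AWS::AppSync::GraphQLApi' && !covered.has(id))
    .map(([id]) => id)
    .sort();
}

// Constructed sample template (not real synth output): two APIs, only one associated.
const sampleTemplate: CfnTemplate = {
  Resources: {
    PublicApi: { Type: 'AWS::AppSync::GraphQLApi', Properties: { Name: 'public-graphql-api', AuthenticationType: 'API_KEY' } },
    InternalApi: { Type: 'AWS::AppSync::GraphQLApi', Properties: { Name: 'internal-graphql-api', AuthenticationType: 'AWS_IAM' } },
    ApiWebAcl: { Type: 'AWS::WAFv2::WebACL', Properties: { Scope: 'REGIONAL', DefaultAction: { Allow: {} } } },
    ApiWafAssociation: {
      Type: 'AWS::WAFv2::WebACLAssociation',
      Properties: { ResourceArn: { 'Fn::GetAtt': ['PublicApi', 'Arn'] }, WebACLArn: { 'Fn::GetAtt': ['ApiWebAcl', 'Arn'] } },
    },
  },
};

console.log(findAppSyncApisWithoutWaf(sampleTemplate)); // [ 'InternalApi' ]
```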
Affected resource types
AWS::AppSync::GraphQLApi
AWS::WAFv2::WebACLAssociation
Intentional? Suppress this finding
Sometimes a flag is deliberate (a genuinely public endpoint, say). You can dismiss appsync-waf-missing and the reason is kept in the report, not silently hidden.
In .cdk-insights.json:
{
  "ignoreRules": [
    { "id": "appsync-waf-missing", "reason": "Why this is intentional" }
  ]
}

Or inline in your CDK code:
Validations.of(scope).acknowledge({
  id: 'cdk-insights::appsync-waf-missing',
  reason: 'Why this is intentional',
});

Use the rule ID appsync-waf-missing shown above, not the CDK-* ID from SARIF / GitHub code scanning. To dismiss every finding on one construct instead, use ignorePaths.
Suppression docs
Catch this in your stack
$ npx cdk-insights scan

CDK Insights runs this and 118+ other rules locally against your synthesised CDK app: free, no account, your code never leaves your machine.