MEDIUM | Cross-service | Security

AppSync WAF Missing

appsync-waf-missing

What this rule checks

Detects AppSync APIs without an associated AWS WAF WebACL.

How to fix it

  1. Associate a WAFv2 WebACL with the AppSync API
  2. Define rules to protect against common web exploits (for example AWS managed rule groups and a rate-based rule); an ACL with no rules clears the finding but blocks nothing
Flagged

The AppSync GraphQL API has no associated WAFv2 WebACL, leaving it exposed to common web exploits and without request-level access control (an API key identifies a caller but does not filter what it sends). This is a cross-resource check: it flags an AWS::AppSync::GraphQLApi with no AWS::WAFv2::WebACLAssociation pointing at its ARN.

// Inside a Stack or Construct. Nothing in this stack references the API's ARN
// from a WebACLAssociation, so the rule fires.
import { CfnGraphQLApi } from 'aws-cdk-lib/aws-appsync';

new CfnGraphQLApi(this, 'PublicApi', {
  name: 'public-graphql-api',
  authenticationType: 'API_KEY',
});
Fixed

A CfnWebACL is created and a CfnWebACLAssociation binds it to the API's ARN (api.attrArn). Once a WebACLAssociation references the API the finding clears. Note that this ACL has a default allow action and no rules, so it satisfies the check without filtering anything; step 2 (adding rules) is what actually protects the API. The ACL must use scope REGIONAL (CLOUDFRONT-scoped ACLs cannot be associated with AppSync) and be deployed in the same region as the API.

// Inside a Stack or Construct.
import { CfnGraphQLApi } from 'aws-cdk-lib/aws-appsync';
import { CfnWebACL, CfnWebACLAssociation } from 'aws-cdk-lib/aws-wafv2';

const api = new CfnGraphQLApi(this, 'PublicApi', {
  name: 'public-graphql-api',
  authenticationType: 'API_KEY',
});
// Minimal ACL: regional scope, allow by default, no rules yet (see step 2).
const webAcl = new CfnWebACL(this, 'ApiWebAcl', {
  scope: 'REGIONAL',
  defaultAction: { allow: {} },
  visibilityConfig: {
    cloudWatchMetricsEnabled: true,
    metricName: 'apiWebAcl',
    sampledRequestsEnabled: true,
  },
});
// The association is what the rule looks for: its resourceArn must resolve to
// the API's ARN (synthesised as Fn::GetAtt [PublicApi, Arn]).
new CfnWebACLAssociation(this, 'ApiWafAssociation', {
  resourceArn: api.attrArn,
  webAclArn: webAcl.attrArn,
});
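Step 2 is the part the Fixed example leaves out. The block below is an added example, not code from this page or from CDK Insights: it builds the `rules` array in the camelCase shape that aws-cdk-lib's CfnWebACL takes (a local subset of CfnWebACLProps is declared here so the block runs without aws-cdk-lib installed), and checks the WAFv2 invariants that otherwise only fail at deploy time. The rate limit of 2000 and the metric names are illustrative choices; `buildAppSyncWebAclProps` and `validateWebAcl` are names introduced here. In a stack you would pass the result straight through: `new CfnWebACL(this, 'ApiWebAcl', buildAppSyncWebAclProps())`.

```typescript
// Added example (not the page's or CDK Insights' code). Local subset of the
// CfnWebACLProps shape, declared here so the block runs without aws-cdk-lib.
interface VisibilityConfig {
  cloudWatchMetricsEnabled: boolean;
  metricName: string;
  sampledRequestsEnabled: boolean;
}

interface WebAclRule {
  name: string;
  priority: number;
  statement: {
    managedRuleGroupStatement?: { vendorName: string; name: string };
    rateBasedStatement?: { limit: number; aggregateKeyType: 'IP' };
  };
  action?: { block?: object; allow?: object };        // set on your own rules
  overrideAction?: { none?: object; count?: object }; // set on managed rule groups
  visibilityConfig: VisibilityConfig;
}

interface WebAclProps {
  scope: 'REGIONAL' | 'CLOUDFRONT';
  defaultAction: { allow?: object; block?: object };
  visibilityConfig: VisibilityConfig;
  rules: WebAclRule[];
}

const metrics = (metricName: string): VisibilityConfig => ({
  cloudWatchMetricsEnabled: true,
  metricName,
  sampledRequestsEnabled: true,
});

// Managed rule groups are attached with overrideAction ('none' lets the group's
// own block/count verdicts stand); WAF rejects a managed-group rule that sets
// `action` instead.
function managedGroup(name: string, priority: number): WebAclRule {
  return {
    name,
    priority,
    statement: { managedRuleGroupStatement: { vendorName: 'AWS', name } },
    overrideAction: { none: {} },
    visibilityConfig: metrics(name),
  };
}

// Hypothetical helper name; the limit counts requests per source IP in the
// default five-minute evaluation window and 2000 is an illustrative value.
function buildAppSyncWebAclProps(limitPerIp: number = 2000): WebAclProps {
  return {
    // AppSync APIs are regional; a CLOUDFRONT-scoped ACL cannot be associated.
    scope: 'REGIONAL',
    defaultAction: { allow: {} },
    visibilityConfig: metrics('appsyncWebAcl'),
    rules: [
      managedGroup('AWSManagedRulesCommonRuleSet', 0),
      managedGroup('AWSManagedRulesKnownBadInputsRuleSet', 1),
      {
        name: 'RateLimitPerIp',
        priority: 2,
        statement: { rateBasedStatement: { limit: limitPerIp, aggregateKeyType: 'IP' } },
        action: { block: {} },
        visibilityConfig: metrics('rateLimitPerIp'),
      },
    ],
  };
}

// Returns deploy-time problems as messages; an empty array means well formed.
function validateWebAcl(props: WebAclProps): string[] {
  const problems: string[] = [];
  if (props.scope !== 'REGIONAL') problems.push('scope must be REGIONAL for AppSync');
  if (props.rules.length === 0) problems.push('WebACL has no rules: it associates but filters nothing');
  const seen = new Set<number>();
  for (const r of props.rules) {
    if (seen.has(r.priority)) problems.push(`duplicate priority ${r.priority} (${r.name})`);
    seen.add(r.priority);
    const managed = r.statement.managedRuleGroupStatement !== undefined;
    if (managed && (r.action !== undefined || r.overrideAction === undefined)) {
      problems.push(`${r.name}: managed rule group needs overrideAction, not action`);
    }
    if (!managed && (r.action === undefined || r.overrideAction !== undefined)) {
      problems.push(`${r.name}: own rule needs action, not overrideAction`);
    }
  }
  return problems;
}
```

Priorities only need to be unique, not contiguous, but keep the managed groups ahead of the rate-based rule so a request already blocked by a rule group never counts toward the per-IP rate.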

CDK Insights pinpoints the exact file and line in your CDK source for every finding, so you can jump straight to the fix.
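To make the cross-resource check concrete, here is an added example of the same logic run over a synthesised CloudFormation template (the JSON that `cdk synth` writes). It is not CDK Insights' own implementation, and the template, logical IDs and the second finding ID `waf-acl-has-no-rules` are constructed here for illustration; that second check, which warns when the associated ACL carries no rules, is an extra this example adds and not one of the tool's rules.

```typescript
// Added example, not CDK Insights' implementation. Runs the rule's check over a
// synthesised CloudFormation template; sample template and IDs are constructed.
type CfnResource = { Type: string; Properties?: Record<string, unknown> };
type CfnTemplate = { Resources: Record<string, CfnResource> };
type Finding = { ruleId: string; logicalId: string; message: string };

// CDK synthesises `api.attrArn` to { "Fn::GetAtt": ["<LogicalId>", "Arn"] } and
// `api.ref` to { "Ref": "<LogicalId>" }; for AWS::AppSync::GraphQLApi, Ref also
// resolves to the API ARN, so both count as "pointing at" the API.
function targetLogicalId(value: unknown): string | undefined {
  if (typeof value !== 'object' || value === null) return undefined;
  const v = value as Record<string, unknown>;
  const getAtt = v['Fn::GetAtt'];
  if (Array.isArray(getAtt) && getAtt[1] === 'Arn') return String(getAtt[0]);
  return typeof v['Ref'] === 'string' ? v['Ref'] : undefined;
}

function checkAppSyncWaf(template: CfnTemplate): Finding[] {
  const res = template.Resources;
  // Pass 1: API logical ID -> logical ID of the WebACL its association names.
  const aclForApi = new Map<string, string | undefined>();
  for (const r of Object.values(res)) {
    if (r.Type !== 'AWS::WAFv2::WebACLAssociation') continue;
    const api = targetLogicalId(r.Properties?.['ResourceArn']);
    if (api !== undefined) aclForApi.set(api, targetLogicalId(r.Properties?.['WebACLArn']));
  }
  // Pass 2: every GraphQLApi must have an association. If it does, the extra
  // check warns when the ACL (where it lives in this template) has no rules.
  const findings: Finding[] = [];
  for (const [id, r] of Object.entries(res)) {
    if (r.Type !== 'AWS::AppSync::GraphQLApi') continue;
    if (!aclForApi.has(id)) {
      findings.push({ ruleId: 'appsync-waf-missing', logicalId: id,
        message: 'no AWS::WAFv2::WebACLAssociation points at this API ARN' });
      continue;
    }
    const aclId = aclForApi.get(id);
    const acl = aclId !== undefined ? res[aclId] : undefined;
    const rules = acl?.Properties?.['Rules'];
    if (acl !== undefined && aclId !== undefined && (!Array.isArray(rules) || rules.length === 0)) {
      findings.push({ ruleId: 'waf-acl-has-no-rules', logicalId: aclId,
        message: 'WebACL is associated but has no rules, so it filters nothing' });
    }
  }
  return findings;
}

// Constructed sample: one API with no association (flagged), one behind an empty
// ACL (rule satisfied, extra check warns) and one behind an ACL with a managed
// rule group (clean). Trimmed to the properties the check reads.
const sampleTemplate: CfnTemplate = {
  Resources: {
    PublicApi: { Type: 'AWS::AppSync::GraphQLApi',
      Properties: { Name: 'public-graphql-api', AuthenticationType: 'API_KEY' } },
    FixedApi: { Type: 'AWS::AppSync::GraphQLApi',
      Properties: { Name: 'fixed-graphql-api', AuthenticationType: 'API_KEY' } },
    ApiWebAcl: { Type: 'AWS::WAFv2::WebACL',
      Properties: { Scope: 'REGIONAL', DefaultAction: { Allow: {} } } },
    ApiWafAssociation: { Type: 'AWS::WAFv2::WebACLAssociation',
      Properties: { ResourceArn: { 'Fn::GetAtt': ['FixedApi', 'Arn'] },
                    WebACLArn: { 'Fn::GetAtt': ['ApiWebAcl', 'Arn'] } } },
    HardenedApi: { Type: 'AWS::AppSync::GraphQLApi',
      Properties: { Name: 'hardened-graphql-api', AuthenticationType: 'AWS_IAM' } },
    HardenedAcl: { Type: 'AWS::WAFv2::WebACL',
      Properties: { Scope: 'REGIONAL', DefaultAction: { Allow: {} },
        Rules: [{ Name: 'AWSManagedRulesCommonRuleSet', Priority: 0,
          Statement: { ManagedRuleGroupStatement: { VendorName: 'AWS', Name: 'AWSManagedRulesCommonRuleSet' } },
          OverrideAction: { None: {} } }] } },
    HardenedAssociation: { Type: 'AWS::WAFv2::WebACLAssociation',
      Properties: { ResourceArn: { 'Fn::GetAtt': ['HardenedApi', 'Arn'] },
                    WebACLArn: { 'Fn::GetAtt': ['HardenedAcl', 'Arn'] } } },
  },
};

for (const f of checkAppSyncWaf(sampleTemplate)) {
  console.log(`${f.ruleId} ${f.logicalId}: ${f.message}`);
}
```

Because the match is on the synthesised intrinsic, an association whose `resourceArn` is a literal ARN string (for example an API imported from another stack) cannot be tied back to a GraphQLApi in the same template, which is the case to keep in mind when a finding persists after you believe you have fixed it.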

Affected resource types

AWS::AppSync::GraphQLApi, AWS::WAFv2::WebACLAssociation

Compliance frameworks

SOC2, HIPAA, PCI-DSS, NIST

AWS documentation

Read the AWS guidance

Intentional? Suppress this finding

Sometimes a flag is deliberate (a genuinely public endpoint, say). You can dismiss appsync-waf-missing and the reason is kept in the report, not silently hidden.

In .cdk-insights.json:

{
  "ignoreRules": [
    { "id": "appsync-waf-missing", "reason": "Why this is intentional" }
  ]
}

Or inline in your CDK code:

Validations.of(scope).acknowledge({
  id: 'cdk-insights::appsync-waf-missing',
  reason: 'Why this is intentional',
});

Use the rule ID appsync-waf-missing shown above, not the CDK-* ID from SARIF / GitHub code scanning. To dismiss every finding on one construct instead, use ignorePaths. See the suppression docs for details.

Catch this in your stack

$ npx cdk-insights scan

CDK Insights runs this and 118+ other rules locally against your synthesised CDK app โ€” free, no account, your code never leaves your machine.
