APIGateway.4: API Gateway should be associated with a WAF web ACL
Written and reviewed by Emnode
What does AWS Security Hub APIGateway.4 check?
APIGateway.4 fails when a REST API stage is not associated with an AWS WAF web ACL. The control checks each deployed stage for an attached regional web ACL.
Why does APIGateway.4 matter?
Authentication rejects bad credentials but still runs the gateway and backend for every request, so an unprotected public endpoint can be scraped or brute-forced into a five-figure overnight bill even when every request is denied. A WAF stops malicious and abusive traffic at the edge — SQLi, bad bots, and request floods — before it costs you compute or exposes a flaw.
How do I fix APIGateway.4?
- Create or reuse a regional web ACL starting from AWS-managed rule groups (common rule set, known-bad-inputs).
- Add a rate-based rule to blunt floods and brute-force attempts.
- Associate the web ACL with the stage using the stage ARN via associate-web-acl.
Remediation script · bash
# Attach the AWS Managed Rules common baseline to an empty web ACL, in Count mode.
# update-web-acl REPLACES the entire Rules array, so supply the full desired set and the current LockToken.
aws wafv2 update-web-acl \
  --scope REGIONAL --name public-alb-waf --id a1b2c3d4-0000-1111-2222-3333 \
  --lock-token e4f5g6h7 --default-action Allow={} \
  --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=public-alb-waf \
  --rules '[{"Name":"AWS-CommonRuleSet","Priority":0,"Statement":{"ManagedRuleGroupStatement":{"VendorName":"AWS","Name":"AWSManagedRulesCommonRuleSet"}},"OverrideAction":{"Count":{}},"VisibilityConfig":{"SampledRequestsEnabled":true,"CloudWatchMetricsEnabled":true,"MetricName":"AWS-CommonRuleSet"}}]'
# Associate a baseline web ACL with an unprotected API Gateway stage (the resource ARN is the stage, not the API).
aws wafv2 associate-web-acl \
  --web-acl-arn arn:aws:wafv2:us-east-1:111122223333:regional/webacl/prod-api-baseline/1a2b3c4d \
  --resource-arn arn:aws:apigateway:us-east-1::/restapis/a1b2c3d4e5/stages/prod
# Protect a Network Firewall from accidental deletion.
aws network-firewall update-firewall-delete-protection \
  --firewall-name prod-egress-inspection --delete-protection
Full walkthrough (console steps, edge cases and verification) in the lesson Protect APIs and edge with WAF.
Is APIGateway.4 a false positive?
The web ACL must be regional, not CloudFront-scoped, and associated to the exact stage ARN — a CloudFront-scope ACL or a mismatched ARN leaves the control FAILED.
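The fix steps and the false-positive conditions above, worked as an offline example (added here, not code from the page or from AWS): it evaluates constructed stage and association data the way the control does, including the regional-scope and exact-stage-ARN requirements, and builds the Rules array for a baseline web ACL with the managed groups plus a rate-based rule. The ARN regexes, rule names and metric names are assumptions; in practice the inputs would come from the API Gateway and WAFv2 APIs.

```python
import re

# ARN shapes (constructed): a REST API stage and a REGIONAL-scope WAFv2 web ACL.
STAGE_ARN = re.compile(r"^arn:aws:apigateway:([a-z0-9-]+)::/restapis/[a-z0-9]+/stages/[\w-]+$")
REGIONAL_ACL = re.compile(r"^arn:aws:wafv2:([a-z0-9-]+):\d{12}:regional/webacl/[^/]+/[^/]+$")


def evaluate_stage(stage_arn, associations):
    """(status, reason) for one stage; associations maps resource ARN -> web ACL ARN (constructed)."""
    stage = STAGE_ARN.match(stage_arn)
    if not stage:
        return "FAILED", "not a REST API stage ARN"
    acl_arn = associations.get(stage_arn)
    if acl_arn is None:  # an ACL on another stage, or on the API itself, does not count
        return "FAILED", "no web ACL associated with this exact stage ARN"
    acl = REGIONAL_ACL.match(acl_arn)
    if not acl:
        return "FAILED", "web ACL is not REGIONAL scope"
    if acl.group(1) != stage.group(1):
        return "FAILED", "web ACL region differs from the stage region"
    return "PASSED", "regional web ACL associated"


def evaluate_all(stage_arns, associations):
    return {arn: evaluate_stage(arn, associations) for arn in stage_arns}


def baseline_rules(rate_limit=2000):
    """Rules array for create-web-acl / update-web-acl: managed groups plus a per-IP rate rule (names assumed)."""
    def vis(name):
        return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}
    groups = ["AWSManagedRulesCommonRuleSet", "AWSManagedRulesKnownBadInputsRuleSet"]
    rules = [{"Name": g, "Priority": i, "OverrideAction": {"None": {}}, "VisibilityConfig": vis(g),
              "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": g}}}
             for i, g in enumerate(groups)]
    rules.append({"Name": "RateLimitPerIP", "Priority": len(rules), "Action": {"Block": {}},
                  "Statement": {"RateBasedStatement": {"Limit": rate_limit, "AggregateKeyType": "IP"}},
                  "VisibilityConfig": vis("RateLimitPerIP")})
    return rules


# Constructed sample: the protected stage, an unprotected dev stage, and a stage with a CloudFront-scope ACL.
SAMPLE_STAGES = [
    "arn:aws:apigateway:us-east-1::/restapis/a1b2c3d4e5/stages/prod",
    "arn:aws:apigateway:us-east-1::/restapis/a1b2c3d4e5/stages/dev",
    "arn:aws:apigateway:us-east-1::/restapis/f6g7h8i9j0/stages/prod",
]
SAMPLE_ASSOCIATIONS = {
    SAMPLE_STAGES[0]: "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/prod-api-baseline/1a2b3c4d",
    SAMPLE_STAGES[2]: "arn:aws:wafv2:us-east-1:111122223333:global/webacl/cdn-waf/9z8y7x6w",
}
```

Pass the returned rules as the Rules argument of create-web-acl (or, with the current LockToken, update-web-acl), then associate the ACL with each FAILED stage ARN.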
More APIGateway controls
- APIGateway.1 REST/WebSocket API execution logging
- APIGateway.2 REST stages should use SSL certs for backend auth
- APIGateway.5 REST API cache data should be encrypted at rest
- APIGateway.8 Routes should specify an authorization type
- APIGateway.9 V2 stages should have access logging
- APIGateway.10 V2 integrations should use HTTPS for private connections
- APIGateway.11 Domain names should use recommended security policies