AWS WAF has no effect on apigateway behind cloudfront

Question

I have a CloudFront distribution that points to an API gateway endpoint. I plugged a WAF ACL on that distribution and it seems to work. When I access the API gateway endpoint using the CloudFront, I get blocked ( that's the desired behaviour that I configured on my ACL )

   https://<my-cloudfront-domain-name>/<my>/<api>/<endpoint> -> deny and I get a 403/blocked -> OK!

If I reach my endpoint "alone" ( not behind the cf distribution ) I can reach the endpoint normally. I wish to get blocked even if I reach the API in an isolated way

 https://<api-id>.execute-api.us-east-1.amazonaws.com/<my>/<api>/<endpoint> -> passed and I get a 200 -> NOT OK...

My stack was built using the serverless framework and my API gateway is from edge type

Answer 1

We had the exact same problem and contacted AWS support, and the support says Edge optimised APIs are fronted by a default CF distribution which the WAF is not able to recognise. To make WAF work for the default invoke URL you either need to change the endpoint type to Regional, or create a custom CF distribution.

Answer 2

API Gateway can restrict access by API key. CloudFront can send a custom, secret x-api-key header when it accesses the origin. The absence of that header in other requests to the API Gateway will cause API requests to be rejected with 403 Forbidden.

See Protecting your API using Amazon API Gateway and AWS WAF, parts one and two.