APIs, as transformative as they are, require a unique approach to security. Industry leaders like AWS have been at the forefront of introducing robust solutions like the AWS API Gateway.
The adoption of microservices architecture has driven enterprises to invest in API Gateways. Solutions like AWS API Gateway streamline backend processes such as client request handling, routing, data transformation, caching, logging, and load balancing, thereby freeing up developer resources.
However, ensuring API security and compliance is a shared responsibility between AWS and its customers. AWS offers features like IAM roles and policies to control API access, and WAFs are typically integrated with these gateways to block high-volume and signature-based attacks such as XSS, DDoS, and enumeration.
Yet these measures alone do not cover the full attack surface. API endpoints often carry their own AuthN and AuthZ mechanisms, as well as critical business and application logic, and attackers can probe these weaknesses during the reconnaissance phase without ever triggering a WAF alert.
At Levo.ai, we have developed an integration with AWS API Gateway that goes beyond generating false alerts. Our solution allows detailed instrumentation of your external API endpoints. For detailed instructions, refer to our documentation.
Our instrumentation, powered by Log and CloudFront Lambda, can automatically discover and document all APIs (internal, external, third-party) passing through the gateway.
Unlike surface-level scanning, our solution analyzes real-time traffic to provide an accurate reflection of deployed API endpoints, capturing granular details such as:
Maintaining an API inventory is essential for compliance (e.g., PCI DSS 6.3), but it is also crucial for security. To help your DevSecOps team understand the business and application logic of each endpoint, we provide a documentation portal with OpenAPI/Swagger specifications for each API endpoint, including:
Postman collections are automatically generated for each endpoint to expedite your manual testing efforts.
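To make the inventory idea concrete, here is an added example (not Levo.ai's code, and not the integration described above) showing how an endpoint inventory and an OpenAPI skeleton can be derived from gateway traffic. It assumes a custom API Gateway access-log format that emits `$context` fields such as `httpMethod`, `resourcePath`, `status` and `authorizer.principalId` as JSON; the log lines and the list of "declared" routes are constructed for the example. It also generalises slightly beyond the text: it flags endpoints that appear in traffic but not in the team's documentation (the unknown or deprecated endpoints OWASP's Improper Inventory Management entry warns about) and endpoints that served requests with no authenticated principal.

```python
"""Build an API inventory and an OpenAPI skeleton from API Gateway access logs.

Added example: assumes a custom access-log format that writes the listed
$context fields as one JSON object per line. All data below is constructed.
"""
import json

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG_LINES = [
    '{"requestId":"a1","httpMethod":"GET","resourcePath":"/v1/users/{id}","path":"/v1/users/42","status":"200","principalId":"user-7","sourceIp":"203.0.113.10"}',
    '{"requestId":"a2","httpMethod":"GET","resourcePath":"/v1/users/{id}","path":"/v1/users/43","status":"404","principalId":"user-7","sourceIp":"203.0.113.10"}',
    '{"requestId":"a3","httpMethod":"POST","resourcePath":"/v1/orders","path":"/v1/orders","status":"201","principalId":"user-9","sourceIp":"198.51.100.5"}',
    '{"requestId":"a4","httpMethod":"GET","resourcePath":"/v1/admin/export","path":"/v1/admin/export","status":"200","principalId":"","sourceIp":"198.51.100.77"}',
    '{"requestId":"a5","httpMethod":"GET","resourcePath":"/v0/legacy/users","path":"/v0/legacy/users","status":"200","principalId":"user-7","sourceIp":"203.0.113.10"}',
    "not-json garbage line",  # malformed input the parser must tolerate
]

# Routes the development team has documented (constructed). Anything observed
# in traffic but absent here is a "shadow" endpoint worth investigating.
DECLARED_ROUTES = {("GET", "/v1/users/{id}"), ("POST", "/v1/orders")}


def parse_log_lines(lines):
    """Parse JSON access-log lines, skipping malformed or incomplete records."""
    records = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if "httpMethod" not in rec or "resourcePath" not in rec:
            continue
        records.append(rec)
    return records


def build_inventory(records):
    """Group traffic by (method, resourcePath) and collect per-endpoint facts."""
    inventory = {}
    for rec in records:
        key = (rec["httpMethod"].upper(), rec["resourcePath"])
        entry = inventory.setdefault(
            key,
            {"requests": 0, "statuses": set(), "unauthenticated_requests": 0, "source_ips": set()},
        )
        entry["requests"] += 1
        entry["statuses"].add(int(rec["status"]))
        entry["source_ips"].add(rec.get("sourceIp", ""))
        # An empty principalId means the authorizer did not identify a caller.
        if not rec.get("principalId"):
            entry["unauthenticated_requests"] += 1
    return inventory


def find_shadow_endpoints(inventory, declared):
    """Endpoints seen in traffic but missing from the documented route list."""
    return sorted(set(inventory) - declared)


def find_unauthenticated_endpoints(inventory):
    """Endpoints that served at least one request with no authenticated principal."""
    return sorted(k for k, v in inventory.items() if v["unauthenticated_requests"] > 0)


def to_openapi_skeleton(inventory, title="Discovered API"):
    """Emit a minimal OpenAPI 3 document describing the observed endpoints."""
    paths = {}
    for (method, path), entry in sorted(inventory.items()):
        paths.setdefault(path, {})[method.lower()] = {
            "summary": f"Discovered from traffic ({entry['requests']} requests)",
            "responses": {str(s): {"description": "observed in traffic"} for s in sorted(entry["statuses"])},
        }
    return {"openapi": "3.0.3", "info": {"title": title, "version": "discovered"}, "paths": paths}


if __name__ == "__main__":
    inv = build_inventory(parse_log_lines(SAMPLE_LOG_LINES))
    print("shadow endpoints:", find_shadow_endpoints(inv, DECLARED_ROUTES))
    print("unauthenticated endpoints:", find_unauthenticated_endpoints(inv))
    print(json.dumps(to_openapi_skeleton(inv), indent=2))
```

Run against the constructed lines, the script reports `/v0/legacy/users` and `/v1/admin/export` as undocumented and `/v1/admin/export` as having served an unauthenticated request; the generated spec is a starting point for the kind of documentation portal and test collections described above, not a substitute for a reviewed specification.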
Most API platforms integrating with AWS Gateway focus on attack detection, blocking, and incident response. This leads to the question: why do we offer an inventory portal?
Through customer interactions, we discovered a common issue: despite deploying multiple WAFs, load balancers, and rate limiters, many vulnerabilities remain unaddressed.
This stems from a flawed strategy of reacting to attacks instead of preventing them through pre-production API testing. Such shift-left initiatives have received massive support, with 78% of surveyed enterprises wanting to uncover vulnerabilities before production.
However, these initiatives often face obstacles. 55% of surveyed enterprises report difficulty with pre-production API testing due to a lack of bandwidth for manual testing and the inability of DAST tools to test APIs.
Even when API-specific testing tools are used, they quickly become unworkable because of the lack of visibility into the API ecosystem. Many API-specific tools on the market require comprehensive and accurate documentation and inventory from the dev team, which is rarely maintained (fewer than 30% of surveyed enterprises have it).
API visibility is so crucial that it made it into the OWASP API Security Top 10.
OWASP API Security Top 10 item #9, Improper Inventory Management, warns enterprises about the risks of data and account theft and overexposure of sensitive data, which often result from an incomplete or missing API inventory.
The guideline recommends maintaining an up-to-date and exhaustive API catalog, including API locations, functionalities, and associated security configurations.
A comprehensive API inventory not only supports robust testing but also surfaces unknown, deprecated, and misconfigured endpoints before attackers find them.
This is vital, particularly for endpoints handling sensitive data, as organizations lose $180 for each PII record stolen, with the average cost of a data breach being $4.35 million.
While we currently only integrate with AWS, integrations with many other Gateways are in the pipeline. Stay tuned!
Ready to maximize your investment in AWS API Gateway? Schedule a demo with us to learn how!