Akto - API Security platform
Akto WebsiteStart freeBook a demoDiscordGitHub
  • Github Open Source Repo
  • What is Akto?
  • AktoGPT
  • AGENTIC AI
    • Akto MCP Server
  • Getting Started
    • Deployment Types
    • Akto Cloud
      • Connect Akto with Hybrid SaaS
      • Migrate From Self Hosted Setup To SaaS
      • Setting up proxy
    • Akto Self Hosted
      • AWS deploy
        • AWS multi-VPC deploy
        • AWS Cross-Region Cross-VPC deploy
        • Custom subdomain on Akto on AWS
      • Helm Deploy
      • Azure Deploy
      • Openshift Deploy
      • Heroku
      • GCP Deploy
    • Local Deploy
    • FAQs on data concerns
  • Traffic Connector
    • Traffic Data Sources
    • eBPF
      • Connect Akto with eBPF
      • Connect Akto with eBPF on mTLS
    • Kubernetes
      • Connect Akto with Kubernetes in AWS
      • Connect Akto eBPF with Kubernetes
    • API Gateways
      • Connect Akto with Envoy
      • Connect Akto with NGINX
      • Connect Akto with Istio
      • Connect Akto with HAProxy
      • Connect Akto with Azure API Management
      • Connect Akto with F5
      • Connect Akto with 3Scale
      • Connect Akto with Layer7 API Gateway
      • Connect Akto with Citrix
      • Connect Akto with Kong
      • Connect Akto with Kong Mesh
      • Connect Akto with Cloudflare
      • Connect Akto with IBM Connect
      • Connect Akto with Mulesoft Flex Gateway
      • Connect Akto with Apigee
    • Mirroring
      • Connect Akto with AWS Traffic Mirroring
      • Connect Akto with GCP Packet Mirroring
    • AWS Services
      • Connect Akto with AWS Beanstalk
      • Connect Akto with AWS API Gateway
      • Connect Akto with AWS Lambda
      • Connect Akto with AWS API Gateway with CloudWatch OAM
      • Connect Akto with AWS API Gateway with service account (Temporary Credentials)
      • Connect Akto with AWS Fargate
      • Connect Akto with AWS EKS
      • Connect Akto with AWS ECS
    • GCP Services
      • Connect Akto with GCP Packet Mirroring
      • Connect Akto with Apigee
      • Connect Akto with Google Cloud Run Functions
      • Connect Akto with Google Cloud Run
      • Connect Akto with GKE
    • Azure Services
      • Connect Akto with Azure App Services
      • Connect Akto with Azure API Management
      • Connect Akto with AKS
      • Connect Akto with Azure OpenShift
      • Connect Akto with Azure Container App
      • Connect Akto with Azure Functions
    • Akto SDK
    • Source Code
      • GitHub
      • Bitbucket
      • GitLab
      • API inventory from source code
      • Source code installation
    • Virtual Machines
      • Connect Akto with Docker
      • Connect Akto on TLS service
      • Connect Akto with TCP Agent
    • Manual
      • Connect Akto with Burp suite
      • Connect Akto with Postman
      • Connect Akto with OpenAPI
      • Add API traffic to Akto using HAR file upload
      • API Import: WSDL in Akto
    • Configure TLS on kafka
  • API Inventory
    • Concepts
      • API Endpoints
      • Meta Properties of API Endpoint
      • API Collection
      • API Call Stats
      • Explore mode
      • gRPC API Coverage with Akto
      • Data Types
      • API Groups
      • Environment Type
      • Protocol Support in Akto
      • API Changes
      • Third Party APIs
      • Tags
      • API Dependency Graph
      • Sensitive Data
      • Alerts
      • Shadow APIs
      • Zombie APIs
      • Risk Score
      • Auth types
      • Access Type
      • API discovery from source code
      • Advanced Filter Option
    • How-To
      • Enable Tree view for API collections
      • Export an API Collection to Postman
      • Export an API Collection to Burp
      • Create API group
      • Collection-Based RBAC
      • Descriptions for API Collections & Endpoints
      • Remove API(s) from API group
      • Deactivating and Reactivating API Collections in Akto
      • Add collection using Explore Mode
      • De-merge API
      • Create Swagger File Using Akto
      • Copy API Endpoints Data
      • Add an API Collection
      • Set environment type
      • Delete an API Collection
      • Create a Custom Data Type
      • Reset Data Types in Akto
      • Set Sensitivity of a Data Type
      • De-activate a data type
      • Add a Custom Auth Type
      • Reset an Auth Type
      • Configure Access Types
      • View New API Endpoint
      • Add Private CIDRs list
      • View New Parameters
      • Configure alerts on API changes
      • Create a custom collection
      • Redact sensitive data
      • Extract APIs from github hosted source code using our Github Action
      • Extract APIs from source code using our Docker based CLI
      • Remove Bad Endpoints
      • Create New Tags
      • Edit Tags
  • API Protection
    • Overview
    • External API Runtime Threat Notifications
    • Concepts
      • Threat Actors
      • Threat Policy
  • WAF
    • AWS WAF
    • Cloudflare WAF
  • Test Editor
    • Concepts
      • Overview
      • Test YAML
      • Test Library
      • Custom Test
      • Test YAML Syntax (Detailed)
        • ID
        • Info
        • Wordlists
        • Auth
        • API Selection Filters
        • Execute
        • Validation
        • Contexts
        • Strategy
        • Conditional flows
      • Template YAMLs
        • Local File Inclusion with Akto
      • Dynamic severity
    • How To
      • Edit Test
      • Create a Custom Test
      • Deactivate Test
      • Play in Test Editor Background
      • Copy Test Content
      • Opening Endpoint in Test Editor
      • Add a New Test Library
      • Contribute to Test Library
  • API Security Testing
    • Concepts
      • Severity Levels
      • Test
      • Result types
      • Test Role
      • User Config
      • Test Result
      • JSON Recording for Automated Auth Tokens
    • How To
      • Run Test
      • Auto-Create Jira Tickets
      • Edit Test Settings
      • Install testing module in your Cloud
        • Ephemeral Storage for Hybrid Runtime
        • gRPC Testing in Hybrid Testing Module
      • Create Custom Test Suites
      • Recalculate Issue Counts
      • Testing Module Selector in Akto
      • Run Tests by Category
      • Export Vulnerability Report from Test Results
      • Test Multiple APIs
      • Schedule Tests
      • Stop Tests
      • Run Test on Any One Endpoint
      • Configure global rate limit
      • Rescan Specific Issues Resolved
      • Configure Pre-request Script
      • Set Up JSON Recording for Auth Tokens
      • Create a Test Role
      • Edit Auth Flow in Test Roles
      • Restrict Access to a Test Role Using RBAC
      • Play in Test Editor Playground
      • Conduct Role-Based Testing
      • Run tests in CLI using Akto
      • Secure GraphQL APIs using Akto
      • Secure REST APIs using Akto
      • Secure SOAP APIs using Akto
      • Create and Edit Auth Types
  • Issues
    • Concepts
      • Overview
      • Values
      • Vulnerability Report
      • Remediation
    • How To
      • Jira Integration
      • Azure DevOps Boards Integration
      • Triage Issues
        • Review Issues Marked as False Positives
      • Export Selected Issues to Reports
      • Export Vulnerability Report
  • CI/CD
    • GitHub Actions
      • Create GitHub App
    • Jenkins
    • Azure DevOps
    • GitLab
    • Generic CI/CD
    • How To
      • Run tests in CI/CD
      • Add test to CI/CD Pipeline
      • Get API Credentials
      • Test ID from Akto test
  • Account
    • Invite User
      • Change role of a User
    • Create a New Account
    • How to Switch Between Accounts in Akto
    • Understanding Role Permissions
    • Custom roles
    • Audit Logs
    • SSO
      • Azure AD SAML
      • Okta OIDC
      • Github OIDC
      • Google Workspace SSO
      • Add Members From SSO
  • Compliance
    • Concepts
      • Overview
  • API security posture
    • Concepts
      • Overview
  • SIEM Integration
    • Splunk
  • Alerts
    • Slack Webhook
    • Microsoft Teams Webhook
    • Setup alerts for Akto test run results
  • Pricing
    • Pricing Plans
    • How To
      • Upgrade Your Plan
      • Downgrade Your Plan
      • Sync Usage Data
  • API reference
    • API reference
  • Components
    • Dashboard
    • Testing module
    • Traffic mirroring module
    • Runtime analyzer
    • Context analyzer
    • Puppeteer server
    • Other OSS
    • robots.txt
  • Troubleshooting
    • How to get logs
    • How to disable logging
    • How to update helm deployments
  • Stay Updated on New Releases
  • Support
Powered by GitBook
On this page
  • Step 1: Set Up and Configure API Gateway
  • 1.1 Set up Akto Traffic Processor
  • 1.2 Add AWS API Gateway Connector
  • Step 2: Linking CloudWatch OAM Accounts
  • Why Use CloudWatch OAM?
  • 2.1: Configure the Monitoring Account
  • 2.2: Configure the Source Account
  • Step 3: Set Up an EKS Cluster
  • Step 4: Create an IAM Role for Service Account
  • 4.1 Create an IAM Policy
  • 4.2 Create an IAM Role
  • 4.3 Update Trust Policy
  • Step 5: Attach IAM Role to EKS Service Account
  • Step 6: Update the Kubernetes Deployment YAML
  • Get Support for your Akto setup

Was this helpful?

  1. Traffic Connector
  2. AWS Services

Connect Akto with AWS API Gateway with CloudWatch OAM

PreviousConnect Akto with AWS LambdaNextConnect Akto with AWS API Gateway with service account (Temporary Credentials)

Last updated 3 months ago

Was this helpful?

AWS API Gateway is a fully managed service from AWS that helps developers create, publish, monitor, and secure APIs at scale. By integrating AWS API Gateway with Akto, you'll automatically discover and test the security of all your REST APIs, HTTP APIs, and WebSocket APIs deployed through API Gateway, ensuring comprehensive API security across your AWS infrastructure.

To connect Akto with AWS API Gateway using CloudWatch OAM, follow these steps:


Step 1: Set Up and Configure API Gateway

1.1 Set up Akto Traffic Processor

1.2 Add AWS API Gateway Connector

  1. Go to API Gateway in the AWS Console.

  2. Navigate to your API and click on Stages from the left menu.

  3. Scroll down to the Logs and tracing section and click on Edit.

  4. Select Error and info logs and Data tracing and save these settings.

  5. Find out the CloudWatch log group for your API Gateway for the stage which has the above logs enabled and save it's arn. You'll need it later.


Step 2: Linking CloudWatch OAM Accounts

Note: Follow the OAM step only if you have an EKS cluster in one account and a CloudWatch log group in another account. Otherwise, you can skip this step.

Why Use CloudWatch OAM?

CloudWatch OAM allows you to monitor and manage metrics and logs across multiple AWS accounts and regions, providing centralized visibility and simplified access management.

2.1: Configure the Monitoring Account

  1. Open the CloudWatch console in the monitoring account (where your EKS cluster is located).

  2. In the left navigation bar, go to Settings.

  3. Under Monitoring account configuration, choose Configure.

  4. For Select data, choose the types of data this monitoring account will be able to view from the source accounts:

    • Logs

    • Metrics

    • (Generally, we only need logs.)

  5. Under List source accounts, enter the account IDs of the source accounts (where your CloudWatch log groups are located) that this monitoring account will view.

  6. Under Define a label to identify your source account, choose whether to use account names or email addresses.

  7. Click Configure.

2.2: Configure the Source Account

  1. In Settings, under Monitoring account configuration, go to Resources to link accounts.

  2. Choose Any account to generate a URL for linking source accounts.

  3. Copy the generated URL.

  4. Sign in to the account you want to set as a source account.

  5. Enter the copied URL in your browser to open the CloudWatch settings page.

  6. Under Select data, choose the data types that will be shared with the monitoring account:

    • Logs

    • Metrics

    • (Generally, only logs are needed, and specific logs can be filtered.)

  7. Ensure Enter monitoring account configuration ARN is not changed.

  8. Under Define a label to identify your source account, the label choice from the monitoring account is pre-filled. Optionally, choose Edit to modify it.

  9. Click Link.

  10. Enter Confirm in the box and click Confirm.

The linking process might take a few minutes to complete.

Step 3: Set Up an EKS Cluster

If you don’t have an existing EKS cluster, you can create one using the AWS Console:

  1. Go to the Amazon EKS service in the AWS Management Console.

  2. Click on Create Cluster.

  3. Provide a name for your cluster and select the Kubernetes version.

  4. Choose the networking settings (VPC, subnets, security groups).

  5. Select an IAM role for the cluster.

  6. Select an IAM role for the node.

  7. Configure other optional settings and click Create.

  8. Copy the OpenID Connect (OIDC) provider URL from the Overview section of your EKS cluster. (You can find this under EKS > Your Cluster > Overview > Details.)


Step 4: Create an IAM Role for Service Account

4.1 Create an IAM Policy

  1. Go to the IAM service in the AWS Console.

  2. Click Policies on the left panel, then click Create policy.

  3. Select JSON as Policy editor.

  4. Paste the following JSON schema in the policy editor.

    {
    	"Version": "2012-10-17",
    	"Statement": [
    		{
    			"Effect": "Allow",
    			"Action": [
    				"logs:DescribeLogGroups",
    				"logs:DescribeLogStreams",
    				"logs:GetLogEvents",
    				"logs:FilterLogEvents"
    			],
    			"Resource": [
    				"<YOUR_LOG_GROUP_ARN>"
    			]
    		}
    	]
    }
    
    • Replace <YOUR_LOG_GROUP_ARN> with the CloudWatch log group arn saved in Step 1.2.

  5. Click Next and review the permissions.

  6. After reviewing the permissions, click the Save Changes button.

4.2 Create an IAM Role

  1. Go to the IAM service in the AWS Console.

  2. Click Roles on the left panel, then click Create role.

  3. Select Web Identity as the trusted entity.

  4. Choose your EKS OIDC provider and enter the audience as sts.amazonaws.com.

  5. Click Next and move to the permissions step.

  6. Choose the policy we created in the previous step (4.1).

  7. Click Next, give the role a name, and create the role. (Save the role name as it will be needed later.)

4.3 Update Trust Policy

After creating the role, modify the trust policy in the Trust relationships section of the role created in the previous step.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<your-account-id>:oidc-provider/oidc.eks.<your-region>.amazonaws.com/id/<your-oidc-provider-id>"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "oidc.eks.<your-region>.amazonaws.com/id/<your-oidc-provider-id>:aud": "sts.amazonaws.com",
                    "oidc.eks.<your-region>.amazonaws.com/id/<your-oidc-provider-id>:sub": "system:serviceaccount:<your-namespace>:service-account-eks"
                }
            }
        }
    ]
}
  • Replace <your-region> with your AWS region. (Find it in the top-right corner of the AWS Console.)

  • Replace <your-account-id> with your AWS account ID. (You can find this under IAM > Account Settings.)

  • Replace <your-oidc-provider-id> with the OIDC provider ID from Step 2.

  • Replace <your-namespace> with the Kubernetes namespace where the service account will be deployed. (Use kubectl get namespaces to check existing namespaces.)

Save the trust policy.


Step 5: Attach IAM Role to EKS Service Account

  1. Create a service-account.yaml file with the following content:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: service-account-eks
      namespace: <your-namespace>
      annotations:
        eks.amazonaws.com/role-arn: arn:aws:iam::<aws-account-id>:role/<role-name>
    
    • Replace <aws-account-id> with your AWS account ID.

    • Replace <role-name> with the IAM role name created in Step 4.2.

    • Replace <your-namespace> with the Kubernetes namespace where the service account will be deployed (use kubectl get namespaces to check existing namespaces). This should be the same as the one used in step 4.3.

  2. Apply the service-account.yaml file to your EKS cluster using the following kubectl command: kubectl apply -f service-account.yaml


Step 6: Update the Kubernetes Deployment YAML

  1. For LOG_GROUP_NAME and AWS_REGION, use the log group arn we saved earlier and the aws region it is deployed in.

  2. For AKTO_KAFKA_BROKER_MAL, use the value of the mini-runtime service we deployed in step 1.1.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-gateway-logging
  namespace: <your-namespace>
spec:
  replicas: 1
  selector:
    matchLabels:
        app: api-gateway-logging 
  template:
    metadata:
        labels:
          app: api-gateway-logging 
    spec:
      serviceAccountName: service-account-eks
      containers:
      - image: aktosecurity/mirror-api-logging:api-gateway-logging
        name: api-gateway-logging 
        imagePullPolicy: Always
        resources: {}
        env:
          - name: AKTO_BYTES_IN_THRESHOLD
            value: "100"
          - name: AKTO_TRAFFIC_BATCH_TIME_SECS
            value: "10"
          - name: AKTO_TRAFFIC_BATCH_SIZE
            value: "100"
          - name: AKTO_KAFKA_BROKER_MAL
            value: ""
          - name: CLOUDWATCH_READ_BATCH_SIZE
            value: "5"
          - name: LOG_GROUP_NAME
            value: ""
          - name: AWS_REGION
            value: ""
  • Replace <your-namespace> with the Kubernetes namespace used in Step 5.

Notes:


Get Support for your Akto setup

  • In-app support: Message us in the Akto dashboard.

  • Email: Contact help@akto.io.

Follow the steps mentioned to set up the Akto Traffic Processor.

For more details, refer to the official AWS documentation:

For more information on filtering logs, refer to: .

For assigning an IAM role to a Kubernetes service account, you can refer .

Join our for community support.

Contact us .

here
AWS OAM API Reference
AWS Log Group Configuration
here
Discord channel
here