Connect Akto with AWS API Gateway with service account (Temporary Credentials)

AWS API Gateway is a fully managed service from AWS that helps developers create, publish, monitor, and secure APIs at scale. By integrating AWS API Gateway with Akto, you'll automatically discover and test the security of all your REST APIs, HTTP APIs, and WebSocket APIs deployed through API Gateway, ensuring comprehensive API security across your AWS infrastructure.

To connect Akto with AWS API Gateway using Service Accounts (IRSA), follow these steps:

Step 1: Set Up and Configure API Gateway

1.1 Set up Akto Traffic Processor

Follow the steps mentioned here to set up the Akto Traffic Processor.

1.2 Add AWS API Gateway Connector

Go to API Gateway in the AWS Console.
Navigate to your API and click on Stages from the left menu.
Scroll down to the Logs and tracing section and click on Edit.

Select Error and info logs and Data tracing and save these settings.

{ "requestId":"$context.requestId", "extendedRequestId":"$context.extendedRequestId","ip": "$context.identity.sourceIp", "caller":"$context.identity.caller", "user":"$context.identity.user", "requestTime":"$context.requestTime", "httpMethod":"$context.httpMethod", "resourcePath":"$context.resourcePath", "status":"$context.status", "protocol":"$context.protocol", "responseLength":"$context.responseLength" }

5. Find out the `CloudWatch log group` for your API Gateway for the stage which has the above logs enabled and save its ARN. You'll need it later.

Step 2: Set Up Cross-Account IAM Role for CloudWatch Logs

If your EKS cluster and CloudWatch log groups are in different AWS accounts, follow these steps to enable access using IAM roles with temporary credentials.

2.1 Create IAM Role in CloudWatch Account

Go to the IAM service in the AWS Console of the account where CloudWatch logs are stored.
Click Roles on the left panel, then click Create role.
Choose Another AWS account as the trusted entity.
Enter the AWS Account ID of the EKS cluster account.

Click Next, and in the permissions step, create a new policy or attach an existing one with the following permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents",
        "logs:FilterLogEvents"
      ],
      "Resource": "arn:aws:logs:<region>:<cloudwatch-account-id>:log-group:*"
    }
  ]
}

Replace <region> and <cloudwatch-account-id> with actual values.
Click Next, name the role (e.g., CrossAccountCloudWatchRole), and create the role.

2.2 Update Trust Policy

After creating the role, modify the Trust relationships section to allow access from the EKS IRSA role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<eks-account-id>:role/<irsa-role-name>"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Replace <eks-account-id> with the AWS account ID where EKS is running.
Replace <irsa-role-name> with the IAM role attached to the EKS service account.

Step 3: Create an IAM Role for EKS Service Account

3.1 Create an IAM Policy in EKS Account

Go to IAM service in the AWS Console of the EKS cluster account.
Click Policies, then Create policy.

Use the following JSON policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::<cloudwatch-account-id>:role/CrossAccountCloudWatchRole"
        }
    ]
}

Replace <cloudwatch-account-id> with the AWS account ID where CloudWatch logs are stored.
Click Next, give the policy a name (e.g., EKSCloudWatchAccess), and create it.

3.2 Create IAM Role for Service Account

In the EKS cluster account, go to IAM and click Roles > Create role.
Select Web Identity as the trusted entity.
Choose your EKS OIDC provider and enter sts.amazonaws.com as the audience.
Attach the policy created in Step 3.1.
Name the role (e.g., EKSCloudWatchRole) and create it.

3.3 Update Trust Policy for IRSA Role

Modify the trust policy for the role created in Step 3.2:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<eks-account-id>:oidc-provider/oidc.eks.<region>.amazonaws.com/id/<oidc-provider-id>"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "oidc.eks.<region>.amazonaws.com/id/<oidc-provider-id>:sub": "system:serviceaccount:<namespace>:service-account-eks"
                }
            }
        }
    ]
}

Replace placeholders with actual values.

Step 4: Attach IAM Role to EKS Service Account

Create a service-account.yaml file:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: service-account-eks
  namespace: <namespace>
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<eks-account-id>:role/EKSCloudWatchRole

Apply the service account:
```
kubectl apply -f service-account.yaml
```

Now, the EKS pod using this service account can assume the cross-account IAM role to access CloudWatch logs securely.

Step 5: Update the Kubernetes Deployment YAML

apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-gateway-logging
  namespace: <namespace>
spec:
  replicas: 1
  selector:
    matchLabels:
      app: api-gateway-logging 
  template:
    metadata:
      labels:
        app: api-gateway-logging 
    spec:
      serviceAccountName: service-account-eks
      containers:
      - image: aktosecurity/mirror-api-logging:api-gateway-logging-temp-cred
        name: api-gateway-logging 
        imagePullPolicy: Always
        resources: {}
        env:
          - name: AKTO_BYTES_IN_THRESHOLD
            value: "100"
          - name: AKTO_TRAFFIC_BATCH_TIME_SECS
            value: "10"
          - name: AKTO_TRAFFIC_BATCH_SIZE
            value: "100"
          - name: AKTO_KAFKA_BROKER_MAL
            value: ""
          - name: CLOUDWATCH_READ_BATCH_SIZE
            value: "5"
          - name: CROSS_ACCOUNT_ROLE_ARN
            value: ""
          - name: LOG_GROUP_PREFIX
            value: "API-Gateway-Execution-Logs"
          - name: SESSION_NAME
            value: ""
          - name: AWS_REGION
            value: ""
          - name: DATABASE_ABSTRACTOR_TOKEN
            value: ""

Replace <namespace> with the Kubernetes namespace used in Steps 3.3 and 4.
For AKTO_KAFKA_BROKER_MAL, use the value of the mini-runtime service deployed in Step 1.1.
For <LOG_GROUP_ARN>, enter the value obtained in Step 1.2.5. (This is optional if you want to use multiple CloudWatch log groups)
Replace <DATABASE_ABSTRACTOR_TOKEN>, with the database abstractor token from Akto dashboard.
For <SESSION_NAME>, use any name you want for the session.
Replace <AWS_REGION> with the AWS region where your EKS cluster is located.

Note:

If fetching logs from multiple accounts, make sure that the cross account role [ generally which belongs to the monitoring account ] attached to the module can read logs from all the aforementioned accounts.
If adding multiple role ARNs, in Akto, make sure that the eks pod created here, has the correct IAM policies to be able to assume these role ARNs.

With this setup, Akto can fetch CloudWatch logs from API Gateway across AWS accounts using temporary credentials.

Get Support for your Akto setup

In-app support: Message us in the Akto dashboard.
Join our Discord channel for community support.
Email: Contact [email protected].
Contact us here.

PreviousConnect Akto with AWS API Gateway with CloudWatch OAM NextConnect Akto with AWS Fargate

Last updated 4 months ago

hashtagStep 1: Set Up and Configure API Gateway

hashtag1.1 Set up Akto Traffic Processor

hashtag1.2 Add AWS API Gateway Connector

hashtagStep 2: Set Up Cross-Account IAM Role for CloudWatch Logs

hashtag2.1 Create IAM Role in CloudWatch Account

hashtag2.2 Update Trust Policy

hashtagStep 3: Create an IAM Role for EKS Service Account

hashtag3.1 Create an IAM Policy in EKS Account

hashtag3.2 Create IAM Role for Service Account

hashtag3.3 Update Trust Policy for IRSA Role

hashtagStep 4: Attach IAM Role to EKS Service Account

hashtagStep 5: Update the Kubernetes Deployment YAML

hashtagNote:

hashtagGet Support for your Akto setup