Connect Akto with AWS AppSync using Lambda Data Source
AWS AppSync is a fully managed GraphQL service from AWS. It allows you to build scalable applications by connecting to data sources like Lambda functions. By integrating AppSync with Akto using the Golang Runtime API Proxy Extension on AWS Lambda, you can automatically capture and monitor API traffic flowing through your GraphQL operations.
To connect Akto with AWS AppSync through Lambda functions, follow the steps below:
Step 1: Deploy the Akto Data-Ingestion Service
Before setting up the AppSync and Lambda integration, you need to deploy the Akto Data-Ingestion Service.
1.1 Download the Required Files
SSH into the instance where you want to deploy the data-ingestion service and run:
wget https://raw.githubusercontent.com/akto-api-security/infra/refs/heads/feature/quick-setup/docker-compose-data-ingestion-runtime.yml
wget https://raw.githubusercontent.com/akto-api-security/infra/refs/heads/feature/quick-setup/data-ingestion-docker.env
wget https://raw.githubusercontent.com/akto-api-security/infra/refs/heads/feature/quick-setup/docker-mini-runtime.env
wget https://raw.githubusercontent.com/akto-api-security/infra/refs/heads/feature/quick-setup/watchtower.env
1.2 Retrieve the DATABASE_ABSTRACTOR_SERVICE_TOKEN
Log in to the Akto Dashboard.
Navigate to the Quick Start tab from the left panel.
Select Hybrid SaaS Connector and copy the token from the Runtime Service Command section.
1.3 Update the docker-mini-runtime.env File
Edit the file to include your token:
DATABASE_ABSTRACTOR_SERVICE_TOKEN=token
1.4 Deploy the Data-Ingestion Service
Start the service:
docker-compose -f docker-compose-data-ingestion-runtime.yml up -d
1.5 Note the IP Address of the Data-Ingestion Service
Ensure this instance is reachable from your Lambda environment. Note its public IP address or DNS name.
Step 2: Setup Lambda Extension for AppSync Resolver Integration
Now that the Akto Data-Ingestion Service is running, follow these steps to configure your AWS Lambda function and integrate it with AppSync.
2.1 Clone the Extension Repository
git clone https://github.com/akto-api-security/golang-lambda-runtime-api-proxy-extension.git
cd golang-lambda-runtime-api-proxy-extension
2.2 Modify the Makefile
Update these values in the Makefile:
BASENAME := $(shell basename $(CURDIR))
ARTIFACTS_DIR ?= out
targetArch := amd64
extensionName := golang-lambda-runtime-api-proxy-extension
FUNCTION_NAME := <your-lambda-function-name>
LAYER_NAME := $(extensionName)-layer
Replace <your-lambda-function-name> with your actual Lambda function name. You'll update the ingestion URL during function configuration.
2.3 Build the Extension
make all
This packages the Lambda Runtime API Proxy Extension for deployment.
2.4 Publish as a Lambda Layer
make publishLayerVersion
Copy the output Layer ARN.
2.5 Attach Extension Layer and Configure the Lambda Function
Run:
make updateFunctionConfiguration FUNCTION_NAME=<your-lambda-name> AKTO_MIRRORING_URL=https://<your-ingestion-service-address>/api/ingestData
This will:
Attach the layer
Set required environment variables:
AWS_LAMBDA_EXEC_WRAPPER=/opt/wrapper-script.sh
AKTO_MIRRORING_URL=https://<your-ingestion-service-address>/api/ingestData
2.6 API Inventory with Source Location
Once your Lambda extension is connected, Akto automatically tags each API Collection with its source, such as service=lambda. This helps you track and filter API Collections by origin. You can view this under API Discovery > API Collections.

Step 3: Add Lambda as a Data Source in AppSync
Now that your Lambda function is ready:
Go to the AWS AppSync console.
Open your GraphQL API.
Navigate to Data Sources.
Choose New and add your Lambda function as a data source.
Name it appropriately and attach the IAM role if required.
Step 4: Modify Your Resolver to Include Akto Payload
Whether you're using VTL or JavaScript, you must ensure your AppSync resolver sends an enriched payload to Lambda. This allows Akto to inspect incoming request context for observability.
VTL (Velocity Template Language) Example (Unit Resolver)
{
  "version": "2018-05-29",
  "operation": "Invoke",
  "payload": {
    ...
    <YOUR_DEFAULT_PAYLOAD>
    ...
    ## Request context forwarded to Akto alongside your own payload
    "akto_data": {
      "path": "/graphql",
      "requestHeaders": $util.toJson($context.request.headers),
      "method": "$util.defaultIfNull($context.request.headers['x-forwarded-method'], 'POST')",
      "requestPayload": "$util.escapeJavaScript($util.toJson({
        "operationName": $context.info.fieldName,
        "query": "",
        "variables": $context.arguments
      }))",
      "ip": "$util.defaultIfNull($context.request.headers['x-forwarded-for'], '')",
      "traffic_source": "AppSync"
    }
  }
}
JavaScript Resolver (Pipeline or Unit)
export function request(ctx) {
  return {
    operation: "Invoke",
    payload: {
      ...
      <YOUR_DEFAULT_PAYLOAD>
      ...
      // Request context forwarded to Akto alongside your own payload
      akto_data: {
        path: '/graphql',
        requestHeaders: (ctx.request?.headers || {}),
        method: ctx.request?.headers?.['x-forwarded-method'] || 'POST',
        // Serialized as a string, matching the VTL template
        requestPayload: JSON.stringify({
          operationName: ctx.info.fieldName,
          query: "",
          variables: ctx.arguments || {}
        }),
        ip: ctx.request?.headers?.['x-forwarded-for'] || '',
        traffic_source: 'AppSync',
      }
    }
  };
}
📝 Note: Ensure akto_data includes the necessary context Akto requires.
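A local check for the JavaScript resolver above, added here as an example (not Akto or AWS code): it calls a resolver's request function with constructed contexts, verifies that akto_data carries the fields from the template, and lists credential-bearing headers that get copied into requestHeaders. The names checkResolver, REQUIRED and CREDENTIAL_HEADERS are hypothetical, and the credential header list is an assumption to extend for your API.

```javascript
// Runs locally under Node.js, not inside the APPSYNC_JS runtime.
const REQUIRED = ['path', 'requestHeaders', 'method', 'requestPayload', 'ip', 'traffic_source'];
const CREDENTIAL_HEADERS = ['authorization', 'cookie', 'x-api-key']; // assumed list, extend as needed

// The page's resolver without `export`, with <YOUR_DEFAULT_PAYLOAD> left empty.
function request(ctx) {
  return { operation: 'Invoke', payload: { akto_data: {
    path: '/graphql',
    requestHeaders: ctx.request?.headers || {},
    method: ctx.request?.headers?.['x-forwarded-method'] || 'POST',
    requestPayload: JSON.stringify({
      operationName: ctx.info.fieldName, query: '', variables: ctx.arguments || {},
    }),
    ip: ctx.request?.headers?.['x-forwarded-for'] || '',
    traffic_source: 'AppSync',
  } } };
}

// Calls requestFn(ctx); reports shape problems and credential headers inside akto_data.
function checkResolver(requestFn, ctx) {
  const data = requestFn(ctx)?.payload?.akto_data;
  if (data === null || typeof data !== 'object') {
    return { problems: ['payload.akto_data is missing'], credentialHeaders: [] };
  }
  const problems = REQUIRED.filter((k) => !(k in data)).map((k) => `missing field: ${k}`);
  if (typeof data.requestPayload !== 'string') {
    problems.push('requestPayload must be a JSON string');
  } else {
    try {
      const body = JSON.parse(data.requestPayload);
      for (const k of ['operationName', 'query', 'variables']) if (!(k in body)) problems.push(`requestPayload lacks ${k}`);
    } catch (err) {
      problems.push('requestPayload is not valid JSON');
    }
  }
  const credentialHeaders = Object.keys(data.requestHeaders || {})
    .filter((h) => CREDENTIAL_HEADERS.includes(h.toLowerCase()));
  return { problems, credentialHeaders };
}

// Constructed sample contexts (not captured traffic).
const withHeaders = {
  request: { headers: { 'x-api-key': 'constructed-key', 'x-forwarded-for': '203.0.113.7, 198.51.100.2' } },
  info: { fieldName: 'getPost' }, arguments: { id: '42' },
};
const noRequest = { info: { fieldName: 'listPosts' } }; // ctx.request absent
console.log(checkResolver(request, withHeaders));
console.log(checkResolver(request, noRequest));
```

Any header named in credentialHeaders is part of the payload your Lambda receives in akto_data, so review that list before enabling the resolver change in production.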
Step 5: Verify the Setup
Trigger a GraphQL query or mutation in your AppSync API.
Observe your Lambda logs to ensure the Akto extension starts correctly.
Log in to the Akto Dashboard and check that API traffic is captured under the associated collection.
Need Help?
If you run into any issues or want help with customizing your integration:
Reach out via in-app intercom on the Akto Dashboard.
Join our Discord community.
Email us at [email protected].
Visit akto.io/contact-us for further assistance.