Connect Akto with AWS AppSync using Lambda Data Source

AWS AppSync is a fully managed GraphQL service from AWS. It allows you to build scalable applications by connecting to data sources like Lambda functions. By integrating AppSync with Akto using the Golang Runtime API Proxy Extension on AWS Lambda, you can automatically capture and monitor API traffic flowing through your GraphQL operations.

To connect Akto with AWS AppSync through Lambda functions, follow the steps below:


Step 1: Deploy the Akto Data-Ingestion Service

Before setting up the AppSync and Lambda integration, you need to deploy the Akto Data-Ingestion Service.

1.1 Download the Required Files

SSH into the instance where you want to deploy the data-ingestion service and run:

wget https://raw.githubusercontent.com/akto-api-security/infra/refs/heads/feature/quick-setup/docker-compose-data-ingestion-runtime.yml
wget https://raw.githubusercontent.com/akto-api-security/infra/refs/heads/feature/quick-setup/data-ingestion-docker.env
wget https://raw.githubusercontent.com/akto-api-security/infra/refs/heads/feature/quick-setup/docker-mini-runtime.env
wget https://raw.githubusercontent.com/akto-api-security/infra/refs/heads/feature/quick-setup/watchtower.env

1.2 Retrieve the DATABASE_ABSTRACTOR_SERVICE_TOKEN

  • Log in to the Akto Dashboard.

  • Navigate to the Quick Start tab from the left panel.

  • Select Hybrid SaaS Connector and copy the token from the Runtime Service Command section.

1.3 Update the docker-mini-runtime.env File

Edit the file to include your token:

DATABASE_ABSTRACTOR_SERVICE_TOKEN=token

1.4 Deploy the Data-Ingestion Service

Start the service:

docker-compose -f docker-compose-data-ingestion-runtime.yml up -d

1.5 Note the IP Address of the Data-Ingestion Service

Ensure this instance is reachable from your Lambda environment. Note its public IP address or DNS name.


Step 2: Setup Lambda Extension for AppSync Resolver Integration

Now that the Akto Data-Ingestion Service is running, follow these steps to configure your AWS Lambda function and integrate it with AppSync.

2.1 Clone the Extension Repository

git clone https://github.com/akto-api-security/golang-lambda-runtime-api-proxy-extension.git
cd golang-lambda-runtime-api-proxy-extension

2.2 Modify the Makefile

Update these values in the Makefile:

BASENAME := $(shell basename $(CURDIR))
ARTIFACTS_DIR ?= out
targetArch := amd64
extensionName := golang-lambda-runtime-api-proxy-extension
FUNCTION_NAME := <your-lambda-function-name>
LAYER_NAME := $(extensionName)-layer
  • Replace <your-lambda-function-name> with your actual Lambda name.

  • You'll update the ingestion URL during function configuration.


2.3 Build the Extension

make all

This packages the Lambda Runtime API Proxy Extension for deployment.


2.4 Publish as a Lambda Layer

make publishLayerVersion

Copy the output Layer ARN.


2.5 Attach Extension Layer and Configure the Lambda Function

Run:

make updateFunctionConfiguration FUNCTION_NAME=<your-lambda-name> AKTO_MIRRORING_URL=https://<your-ingestion-service-address>/api/ingestData

This will:

  • Attach the layer

  • Set required environment variables:

    • AWS_LAMBDA_EXEC_WRAPPER=/opt/wrapper-script.sh

    • AKTO_MIRRORING_URL=https://<your-ingestion-service-address>/api/ingestData

2.6 API Inventory with Source Location

Once your Lambda extension is connected, Akto automatically tags API Collection with the source, like service=lambda. This helps you easily track and filter API Collection based on their origin. You can view this under API Discovery > API Collections.


Step 3: Add Lambda as a Data Source in AppSync

Now that your Lambda function is ready:

  1. Open your GraphQL API.

  2. Navigate to Data Sources.

  3. Choose New and add your Lambda function as a data source.

  4. Name it appropriately and attach the IAM role if required.


Step 4: Modify Your Resolver to Include Akto Payload

Whether you're using VTL or JavaScript, you must ensure your AppSync resolver sends an enriched payload to Lambda. This allows Akto to inspect incoming request context for observability.

VTL (Velocity Template Language) Example (Unit Resolver)

{
  "version": "2018-05-29",
  "operation": "Invoke",
  "payload": {
	...
	<YOUR_DEFAULT_PAYLOAD>
 	...
    "akto_data": {
		"path": "/graphql",
		"requestHeaders": $util.toJson($context.request.headers),
		"method": "$util.defaultIfNull($context.request.headers['x-forwarded-method'], 'POST')",
		"requestPayload": "$util.escapeJavaScript($util.toJson({
			operationName: $context.info.fieldName,
			query: "",
			variables: $context.arguments
		}))",
		"ip": "$util.defaultIfNull($context.request.headers['x-forwarded-for'], '')",
		"traffic_source": "AppSync"
	}
  }
}

JavaScript Resolver (Pipeline or Unit)

export function request(ctx) {
  return {
    operation: "Invoke",
    payload: {
	  ...
	  <YOUR_DEFAULT_PAYLOAD>
  	  ...
      akto_data: {
		  path: '/graphql',
		  requestHeaders: (ctx.request?.headers || {}),
		  method: ctx.request?.headers?.['x-forwarded-method'] ||  'POST',
		  requestPayload: JSON.stringify({
			  operationName: ctx.info.fieldName,
			  query: "",
			  variables: ctx.arguments || {}
		  }),
		  ip: ctx.request?.headers?.['x-forwarded-for'] ||  '',
		  traffic_source: 'AppSync',
	  }
    }
  };
}

📝 Note: Ensure akto_data includes the necessary context Akto requires.


Step 5: Verify the Setup

  1. Trigger a GraphQL query or mutation in your AppSync API.

  2. Observe your Lambda logs to ensure Akto extension starts correctly.

  3. Log in to Akto Dashboard and check if API traffic is captured under the associated collection.


Need Help?

If you run into any issues or want help with customizing your integration:

  1. Reach out via in-app intercom on the Akto Dashboard.

  2. Email us at [email protected].

  3. Visit akto.io/contact-us for further assistance.

Last updated

Was this helpful?