The procedure in this article integrates Amazon API Gateway with the Cequence Unified API Protection (UAP) platform.
Integration architecture
The Amazon API Gateway integration for the Cequence Unified API Protection (UAP) platform consists of the following components.
Amazon API Gateway
Receives incoming requests from clients and routes them to the appropriate API backend services or applications.
Generates detailed execution log entries for each request and response, including headers, body, query parameters, and other metadata used by the Cequence UAP platform for analysis. API Gateway writes these entries only when execution logging is enabled on the stage at the INFO level with full request and response data (data trace) turned on; execution logging is off by default, so check the stage settings before deploying the integration.
Amazon CloudWatch
Receives log events from API Gateway and stores them in log groups.
Note: CloudWatch Logs limits PutLogEvents batches to 1 MB and the request rate to 5,000 transactions per second per Region. The transactions-per-second quota can be raised through the Service Quotas service; the batch size limit cannot be increased.
Amazon CloudWatch Events
A serverless event bus (now part of Amazon EventBridge) that can invoke an AWS service on a fixed schedule. Here, a CloudWatch Events rule triggers the AWS Lambda function every minute so that it captures the API Gateway log events of the previous minute.
Parameter Store
Stores the authentication token obtained from the Cequence UAP platform, together with the time it was stored. The token is valid for the configured TTL (time-to-live) and is refreshed once the TTL has elapsed. Because this parameter holds a bearer credential, create it as a SecureString parameter and restrict read access to the Lambda execution role.
AWS Lambda function
Triggered every minute by CloudWatch Events. Pulls the API Gateway execution log entries from CloudWatch Logs, transforms them into the payload format used by the Cequence UAP platform, aggregates the entries for the last minute of activity, and posts the batch to the Cequence UAP platform for analysis.
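The following is an added illustration of the three jobs described above (window the log events, group execution-log lines into per-request records, decide whether the cached token has outlived its TTL). It is not the Cequence bundle's Lambda code. The log lines are constructed in the shape of API Gateway REST execution logs as returned by CloudWatch Logs filter_log_events, the record layout produced by transform_events is a hypothetical one rather than the Cequence UAP payload schema, and the token cache value uses the JSON format shown in the sample variables file below. Nothing here calls AWS, so it runs offline.

```python
"""Added example, not the integration bundle's Lambda: windowing, grouping and
token-TTL logic on constructed API Gateway execution log events."""
import json
import re
from datetime import datetime, timedelta, timezone

# Every execution-log line starts with the request id in parentheses.
LINE_RE = re.compile(r"^\((?P<rid>[0-9a-f-]+)\)\s+(?P<msg>.*)$")

# Constructed sample in the shape of CloudWatch Logs filter_log_events output for
# an API-Gateway-Execution-Logs_<API_ID>/<STAGE> group (timestamps are epoch ms).
# Request bodies appear because data-trace logging is on; note the credentials
# in the POST body, which is why the log group itself needs tight access control.
SAMPLE_EVENTS = [
    {"timestamp": 1728147000000, "message": "(aaaa-1111) HTTP Method: GET, Resource Path: /pets"},
    {"timestamp": 1728147000001, "message": "(aaaa-1111) Method request headers: {Accept=*/*, User-Agent=curl/8.4.0, X-Forwarded-For=203.0.113.10}"},
    {"timestamp": 1728147000002, "message": "(aaaa-1111) Method request body before transformations: "},
    {"timestamp": 1728147000050, "message": "(aaaa-1111) Endpoint response status code: 200"},
    {"timestamp": 1728147020000, "message": "(bbbb-2222) HTTP Method: POST, Resource Path: /login"},
    {"timestamp": 1728147020001, "message": "(bbbb-2222) Method request headers: {Content-Type=application/json, User-Agent=python-requests/2.31, X-Forwarded-For=198.51.100.7}"},
    {"timestamp": 1728147020002, "message": '(bbbb-2222) Method request body before transformations: {"user":"bob","pass":"hunter2"}'},
    {"timestamp": 1728147020090, "message": "(bbbb-2222) Endpoint response status code: 401"},
    # Belongs to the previous minute: outside the window, must be skipped.
    {"timestamp": 1728146930000, "message": "(cccc-3333) HTTP Method: GET, Resource Path: /old"},
]


def parse_header_map(text):
    """Parse API Gateway's '{Name=value, Name2=value2}' header rendering.
    Caveat: a value that itself contains ', ' (a multi-value Accept header)
    is split naively here; test a real transformer against your own log lines."""
    text = text.strip()
    if text.startswith("{") and text.endswith("}"):
        text = text[1:-1]
    headers = {}
    for part in text.split(", "):
        if "=" in part:
            key, value = part.split("=", 1)
            headers[key.strip()] = value.strip()
    return headers


def transform_events(events, window_start_ms, window_end_ms):
    """Keep events inside [window_start_ms, window_end_ms), group the lines by
    request id and return one record per request (hypothetical record layout)."""
    by_rid = {}
    for event in events:
        if not (window_start_ms <= event["timestamp"] < window_end_ms):
            continue
        match = LINE_RE.match(event["message"])
        if not match:
            continue
        rec = by_rid.setdefault(match.group("rid"),
                                {"request_id": match.group("rid"), "timestamp_ms": event["timestamp"]})
        msg = match.group("msg")
        if msg.startswith("HTTP Method: "):
            method, _, path = msg[len("HTTP Method: "):].partition(", Resource Path: ")
            rec["method"], rec["path"] = method, path
        elif msg.startswith("Method request headers: "):
            rec["request_headers"] = parse_header_map(msg[len("Method request headers: "):])
        elif msg.startswith("Method request body before transformations: "):
            rec["request_body"] = msg[len("Method request body before transformations: "):]
        elif msg.startswith("Endpoint response status code: "):
            rec["status"] = int(msg[len("Endpoint response status code: "):])
    return list(by_rid.values())


def build_batch(records, api_id, stage):
    """One batch per Lambda run; the envelope fields are an assumption."""
    return {"source": f"apigw:{api_id}/{stage}", "count": len(records), "transactions": records}


def token_needs_refresh(cache_json, ttl_seconds, now_iso=None):
    """cache_json is the Parameter Store value, e.g.
    {"token": "...", "storage_time": "2024-10-05 09:49:42.629310-07:00"}.
    True when the entry is unusable or older than ttl_seconds. A naive
    (offset-less) storage_time is treated as expired rather than guessed at."""
    try:
        stored = datetime.fromisoformat(json.loads(cache_json)["storage_time"])
    except (ValueError, KeyError, TypeError):
        return True
    if stored.tzinfo is None:
        return True
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    return now - stored >= timedelta(seconds=ttl_seconds)


if __name__ == "__main__":
    window_start = 1728147000000  # constructed one-minute window
    records = transform_events(SAMPLE_EVENTS, window_start, window_start + 60_000)
    print(json.dumps(build_batch(records, "your_api_id", "stage"), indent=2))
```

The constructed POST body shows why data-trace logging deserves care: whatever clients send, credentials included, is written to CloudWatch Logs in clear text, so the execution log group should get a retention policy and a narrow resource policy, and the Lambda execution role should be the only principal that reads it.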
Implementation Steps
Prerequisites
- AWS CLI installed and configured with appropriate credentials
- Terraform CLI installed (version 0.12+)
- Python 3.9 installed (for the Lambda function)
Required Permissions
Ensure your AWS IAM user or role has the following permissions:
- IAM:
  - CreateRole
  - AttachRolePolicy
  - PutRolePolicy
- Lambda:
  - CreateFunction
  - UpdateFunctionConfiguration
- CloudWatch Logs:
  - CreateLogGroup
  - PutRetentionPolicy
- CloudWatch Events (EventBridge):
  - PutRule
  - PutTargets
- API Gateway:
  - GetStage (for the existing API Gateway)
The exact set depends on the bundle's Terraform code; deployments of this shape typically also need iam:PassRole (to attach the execution role to the function) and lambda:AddPermission (to let the EventBridge rule invoke the function). Run terraform plan with the role you intend to use and add whatever it reports as missing.
Installation Steps
1. Download the tarball to your working directory from here
2. Extract the downloaded file and change into the cq-aws-api-gateway-tf directory
tar -xvf cq-aws-api-gateway-tf.tar.gz
cd cq-aws-api-gateway-tf/
3. Edit the Terraform variables file to match your environment. A sample is provided with the bundle:
# AWS Region for resource deployment
region = "us-west-2"
# API Gateway configuration
api_gateway_id = "your_api_id"
stage = "stage"
# Lambda function configuration
lambda_function_name = "cequence_log_aggregator"
lambda_role_name = "cequence_lambda_execution_role"
lambda_log_group_name = "/aws/lambda/cequence_log_aggregator"
lambda_timeout = 300 # Timeout in seconds
# Cequence API configuration
api_url = "https://bridge.yourdomain.com/api-transactions"
# This is the URL of your Cequence Bridge deployment, followed by /api-transactions as the path.
auth_api_url = "https://auth.yourdomain.com/auth/realms/cequence/protocol/openid-connect/token"
# This is the URL of the auth component in your Cequence UAP deployment. For example,
# if your Cequence portal URL is https://ui.<company_name>.1.cequence.cloud,
# then enter https://auth.<company_name>.1.cequence.cloud/auth/realms/cequence/protocol/openid-connect/token.
# Authentication details (client credentials for the Cequence auth component).
# These are secrets: do not commit this file with real values to version control.
client_id = "xxx"
client_secret = "xxx"
grant_type = "client_credentials"
# Token cache configuration: the Parameter Store parameter name and its initial value.
# The token below is a placeholder; the stored token is replaced when it is refreshed.
token_cache_name = "test-cequence-auth-token"
ssm_parameter_value = "{\"token\": \"eyJhbGciOiJSUz\", \"storage_time\": \"2024-10-05 09:49:42.629310-07:00\"}"
# Time-related settings
time_delay = "1"
time_zone = "America/Los_Angeles"
# EventBridge configuration
eventbridge_rule_name = "cequence-plugin-log-scheduler"
eventbridge_schedule = "rate(1 minute)"
4. Initialize Terraform
terraform init
5. Review the Execution Plan
terraform plan
6. Apply the Terraform Configuration
terraform apply
Confirm the action by typing 'yes' when prompted.
7. Verify the Installation
Log in to your UAP dashboard and confirm that requests sent to your API appear there.
Post-Installation
- The Lambda function now runs every minute, aggregating logs from the specified API Gateway stage.
- Monitor the Lambda function's own logs in the CloudWatch log group set in lambda_log_group_name (/aws/lambda/cequence_log_aggregator in the sample variables file).
- The API Gateway execution logs are in the log group API-Gateway-Execution-Logs_[API_ID]/[STAGE]. This group exists only once execution logging is enabled on the stage; if it is missing, the Lambda function has nothing to forward.
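As an added post-installation check (not part of the bundle), the script below inspects the stage settings that decide whether API Gateway writes the execution logs the integration depends on, and reports which of the two log groups named above are absent. The check functions work on the JSON that aws apigateway get-stage and aws logs describe-log-groups return; the two stage documents embedded here are constructed, so the checks can be run offline, and the command-line entry point shells out to the AWS CLI when given an API id and stage name. The required settings (loggingLevel INFO and dataTraceEnabled true) are what API Gateway needs to log headers and bodies; the function and log group names are the ones from the sample variables file.

```python
"""Added example, not the integration bundle's code: verify API Gateway stage
logging settings and the presence of the two CloudWatch log groups."""
import json

LAMBDA_LOG_GROUP = "/aws/lambda/cequence_log_aggregator"  # lambda_log_group_name in the sample

# Constructed get-stage output: stage-wide (*/*) settings log everything.
GOOD_STAGE = {
    "stageName": "stage",
    "methodSettings": {
        "*/*": {"metricsEnabled": True, "loggingLevel": "INFO", "dataTraceEnabled": True},
        "~1pets/GET": {"metricsEnabled": True, "loggingLevel": "INFO", "dataTraceEnabled": True},
    },
}

# Constructed get-stage output: errors only, no request/response data.
BAD_STAGE = {
    "stageName": "stage",
    "methodSettings": {
        "*/*": {"metricsEnabled": False, "loggingLevel": "ERROR", "dataTraceEnabled": False},
    },
}


def execution_log_group(api_id, stage):
    """Name of the execution log group API Gateway creates for a stage."""
    return f"API-Gateway-Execution-Logs_{api_id}/{stage}"


def check_stage_logging(stage_doc):
    """Return the list of problems found in get-stage output (empty means OK).
    Every configured method setting must log at INFO with data trace on;
    without a '*/*' entry, logging is off for all methods by default."""
    stage = json.loads(stage_doc) if isinstance(stage_doc, str) else stage_doc
    settings = stage.get("methodSettings") or {}
    problems = []
    if "*/*" not in settings:
        problems.append("no stage-wide (*/*) method settings: execution logging is off by default")
    for key, setting in settings.items():
        level = setting.get("loggingLevel", "OFF")
        if level != "INFO":
            problems.append(f"{key}: loggingLevel is {level!r}, need 'INFO'")
        if not setting.get("dataTraceEnabled"):
            problems.append(f"{key}: dataTraceEnabled is false, request/response data will not be logged")
    return problems


def missing_log_groups(existing_names, api_id, stage, lambda_log_group=LAMBDA_LOG_GROUP):
    """Which of the two expected log groups are not in describe-log-groups output."""
    wanted = {execution_log_group(api_id, stage), lambda_log_group}
    return sorted(wanted - set(existing_names))


if __name__ == "__main__":
    # Usage: python check_apigw_logging.py <api_id> <stage> [lambda_log_group_name]
    import subprocess
    import sys

    api_id, stage = sys.argv[1], sys.argv[2]
    lambda_group = sys.argv[3] if len(sys.argv) > 3 else LAMBDA_LOG_GROUP
    stage_out = subprocess.run(
        ["aws", "apigateway", "get-stage", "--rest-api-id", api_id, "--stage-name", stage, "--output", "json"],
        check=True, capture_output=True, text=True).stdout
    groups_out = subprocess.run(
        ["aws", "logs", "describe-log-groups", "--output", "json"],
        check=True, capture_output=True, text=True).stdout
    names = [g["logGroupName"] for g in json.loads(groups_out)["logGroups"]]
    findings = check_stage_logging(stage_out)
    findings += [f"missing log group: {name}" for name in missing_log_groups(names, api_id, stage, lambda_group)]
    for finding in findings:
        print("PROBLEM:", finding)
    sys.exit(1 if findings else 0)
```

If the stage check reports problems, enable execution logging on the stage (INFO level with full request and response data) and make sure the account has a CloudWatch Logs role configured for API Gateway; the execution log group appears after the first logged request.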
Cleanup
To remove all created resources, issue the following command:
terraform destroy
Confirm the action by entering 'yes' when prompted.
Notes
- The Lambda function uses environment variables for configuration. Review and adjust these in the 'aws_lambda_function' resource if needed.
- The template assumes an existing API Gateway. Make sure to provide the correct 'api_gateway_id' and 'stage' so that the Lambda function reads the right execution log group.