Amazon API Gateway is a fully managed AWS service for creating, publishing, maintaining, monitoring, and securing APIs at any scale. API Gateway acts as the entry point for applications that access data, business logic, or functionality from backend services.
Amazon API Gateway
API Gateway receives incoming requests from clients and routes each request to the appropriate backend service. API Gateway also generates detailed log entries for each request and response, including headers, body, query parameters, and other metadata relevant to Cequence Unified API Protection (UAP) platform analysis.
Amazon CloudWatch
Amazon CloudWatch receives log events from API Gateway and stores the events in log groups.
Note: Amazon CloudWatch imposes limits of 1 MB per batch and 5,000 transactions per second per region. Use the Service Quotas service to increase the transactions-per-second limit. The batch size limit cannot be increased.
Amazon EventBridge Scheduler
Amazon EventBridge Scheduler is a serverless event management service that triggers an AWS Lambda function at a scheduled interval. The scheduler triggers the Lambda function once per minute to fetch API Gateway log events.
AWS Lambda function
The Lambda function runs once per minute on the EventBridge Scheduler trigger. It pulls API Gateway log entries from Amazon CloudWatch, transforms the entries into the payload format used by the Cequence UAP platform, aggregates the entries over the preceding minute of activity, and posts the batch to the Cequence UAP platform for analysis.
The procedures in this article automate the Lambda function configuration by discovering all API gateways and their deployed stages, then configuring the required dependencies. A Terraform script provides this automation and can be applied to an individual AWS account.
Generating a client ID and client secret
Several Cequence components must authenticate to the Cequence UAP platform to transmit and receive data. The following procedure creates the client ID and client secret those components use.
- Log in to the UAP management portal. The URL takes the form https://ui.<your-tenant-name>.<domain>. Replace <your-tenant-name> with the name of your Cequence tenant organization and replace <domain> with your domain name.
- Navigate to General Settings > User Management. The User Management pane appears.
- Select the Clients tab.
- Select Add New Client. The new client dialog box appears.
- In the Client Name field, type the client name. This name becomes the client ID. Note the client ID for later use.
- Enable the Traffic Management toggle.
- (Optional) To change the token lifespan from the default of 1,800 seconds, type a whole number of seconds in the Token Lifespan field.
- Select Save. A dialog box appears displaying the client secret.
- Select the blue Copy icon to copy the secret to the clipboard, then select Close. The client list appears.
- Note the client secret value for later use. The UAP management portal does not display this value again.
Prerequisites
- An AWS account with sufficient permissions to manage API Gateway, Lambda, IAM, CloudWatch, EventBridge Scheduler, and EC2.
- Working APIs deployed to one or more stages in API Gateway (REST, HTTP, or both).
- An AWS CLI user with an access key and secret.
- Terraform CLI release 1.9.5 or later.
- An AWS policy attached to the AWS CLI user (for example, named iam_apigw_lambda_cloudwatch_eventbridge_cq_intregration) that permits the following actions:
  - Reading available regions.
  - Creating, updating, and deleting IAM roles and policies used by API Gateway, Lambda, and EventBridge.
  - Managing Lambda functions, CloudWatch Logs, API Gateway resources, and required S3 buckets.
  - Managing CloudFormation stacks and reading AWS Organizations details when needed.
  See the example policy in docs/iam/example-user-iam-policy.json.
Setting up the Cequence and AWS API Gateway integration using Terraform
The following procedures set up the integration for REST and HTTP APIs using Terraform.
Step 1: Download and unzip the bundle
- Create a folder named cequence_aws_apigw and place the downloaded .tar.gz file into the folder.
- From the cequence_aws_apigw folder, run the following commands to extract the archive and make all scripts executable.
  tar -xvf cequence-aws-api-gateway-x.x.xxxxxxx.tar.gz
  cd cequence/scripts
  chmod +x *.sh
Step 2: Create the environment properties file
- From the cequence/scripts directory, copy the example environment file.
  cp .env.example .env
  vi .env
- Edit the variables in .env as needed. Variables not listed below can remain at their default values.
Remote S3 backend is supported for Terraform state (tfstate) and is enabled by default. The following table describes the key variables in the environment file.
| Variable | Description |
|---|---|
| cequence_is_auth_enabled | Enables authentication for Cequence API calls. When set to false, the client_id, client_secret, and auth_endpoint variables are not required. |
| cequence_client_id | OAuth2 client ID. Required when cequence_is_auth_enabled is true. |
| cequence_client_secret | OAuth2 client secret. Required when cequence_is_auth_enabled is true. |
| cequence_auth_endpoint | OAuth2 token endpoint URL. Required when cequence_is_auth_enabled is true. |
| cequence_edge_endpoint | Cequence Edge or Bridge endpoint that receives API transaction data. |
| cequence_aws_regions | AWS regions in which to enable the integration. Set to all to auto-discover all enabled regions, or supply a comma-separated list of region identifiers such as us-east-1,ap-southeast-1. |
| cequence_is_aws_organization_deployment | Set to true when accounts are managed using AWS Organizations. |
| cequence_deployment_type | Deployment tool. Set to terraform or cloudformation. |
| cequence_log_level | Lambda log level. Valid values: info, debug, trace. |
| cequence_log_retention_days | CloudWatch log retention period in days. Valid values: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365. |
| cequence_rest_api_enabled | Set to true to enable the REST API integration. |
| cequence_http_api_enabled | Set to true to enable the HTTP API integration. |
| cequence_auto_discover_apis | Set to true to discover APIs automatically. When set to false, use api-config.json to list the APIs to enable. |
| are_rest_api_execution_logs_already_enabled | Set to true if REST API execution logs are already enabled in your environment. When set to false, the integration enables execution logs for all REST APIs in the configured accounts and regions, and disables the logs on rollback. |
| cequence_tf_state_remote | Set to true to use an S3 remote backend for Terraform state. Default: false (local state). |
For the full list of variables with inline comments, see the .env.example file in the distribution bundle.
Step 3: Run the enable integration script
- From the cequence/scripts directory, run the following command.
  ./enable_aws_apigw_integration.sh
The script scans all APIs in the AWS account and enables the integration for all deployed REST and HTTP APIs across all configured stages.
Verifying logs in the Cequence UAP platform
After the integration is enabled, Lambda statistics and batch processing behavior are visible in the Cequence UAP platform through the metrics the integration exposes. The following is an example of the statistics payload.
{
  "log_group_count": 25,
  "total_events_fetched": 3780000,
  "total_transactions_parsed_from_streams": 223500,
  "total_batches": 750,
  "successful_batches": 750,
  "failed_batches": 0,
  "average_batch_size": 298,
  ...
}
Disabling the integration
The following procedures describe the available options for disabling the integration.
Disable only the REST API integration
- In the .env file, set cequence_rest_api_enabled=false.
- From the cequence/scripts directory, run ./disable_aws_apigw_integration.sh.
Disable only the HTTP API integration
- In the .env file, set cequence_http_api_enabled=false.
- From the cequence/scripts directory, run ./disable_aws_apigw_integration.sh.
Disable both the REST API and HTTP API integrations
- In the .env file, set both cequence_rest_api_enabled=false and cequence_http_api_enabled=false.
- From the cequence/scripts directory, run ./disable_aws_apigw_integration.sh. The EventBridge cron scheduler is deleted, but other integration resources remain.
Destroy all integration artifacts
To remove all resources and artifacts created by the enable integration script, follow this procedure.
- In the .env file, set the following values.
  cequence_rest_api_enabled=false
  cequence_http_api_enabled=false
- From the cequence/scripts directory, run the following command.
  ./disable_aws_apigw_integration.sh --destroy
Note: The shell script is an interface to Terraform.
API limitations
HTTP APIs
Request and response bodies for HTTP APIs are not logged. The integration captures and sends only the following attributes to the Cequence UAP platform.
requestTimeEpoch, requestId, accountId, stage, instance_id, ip, host, http-version, http-method, uri-query-fragment, status-code
For details, see the AWS HTTP API logging variables documentation.
REST APIs
When a REST API request or response body exceeds 1 KB, the integration sends a truncation placeholder in place of the body. The placeholder format depends on the content type.
| Content type | Truncation placeholder |
|---|---|
| Form | cq_body_truncated=true |
| JSON | { "cq_body_truncated": "true" } |
| XML | <cq_body_truncated>true</cq_body_truncated> |
| SOAP | <soap:Body><cq_body_truncated>true</cq_body_truncated></soap:Body> |
| HTML | <div>cq_body_truncated: true</div> |
When a REST API request and response are truncated and cannot be fully captured, the integration adds the header "cq-discovery-only": "true" to the payload. The integration also adds this header to all HTTP API payloads, since HTTP API bodies are not available.
For HTTP API payloads, the integration sets the body to {"cq-endpoints-only": "true"}.
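The body-size rule and placeholders above, worked through as an added example; this is not Cequence's Lambda code. It assumes Node.js, reads "1 KB" as 1024 bytes, assumes a MIME-type-to-class mapping for the five placeholder classes, and treats "request and response are truncated" as either body having been replaced.

```javascript
// Added example, not Cequence's code: the REST API body-size rule and the HTTP API
// placeholder described above. Assumes Node.js (Buffer is a global); "1 KB" is read as 1024 bytes.
const BODY_LIMIT_BYTES = 1024;

// Truncation placeholders per content-type class, from the page's table.
const PLACEHOLDERS = {
  form: 'cq_body_truncated=true',
  json: '{ "cq_body_truncated": "true" }',
  xml: '<cq_body_truncated>true</cq_body_truncated>',
  soap: '<soap:Body><cq_body_truncated>true</cq_body_truncated></soap:Body>',
  html: '<div>cq_body_truncated: true</div>',
};

// Map a Content-Type header to a placeholder class. The MIME-to-class mapping and the
// JSON fallback for unknown types are assumptions; SOAP must be checked before generic XML.
function classifyContentType(contentType) {
  const ct = (contentType || '').toLowerCase();
  if (ct.includes('soap+xml')) return 'soap';
  if (ct.includes('json')) return 'json';
  if (ct.includes('text/html')) return 'html';
  if (ct.includes('xml')) return 'xml';
  if (ct.includes('x-www-form-urlencoded')) return 'form';
  return 'json';
}

// Keep the body if it fits (measured in UTF-8 bytes, not characters); otherwise
// substitute the placeholder for its content type and flag the truncation.
function applyBodyLimit(body, contentType) {
  const text = body || '';
  if (Buffer.byteLength(text, 'utf8') <= BODY_LIMIT_BYTES) return { body: text, truncated: false };
  return { body: PLACEHOLDERS[classifyContentType(contentType)], truncated: true };
}

// One REST transaction record: if either body was replaced, add "cq-discovery-only": "true"
// (the page's "request and response are truncated" is read as either side; an assumption).
function buildRestTransaction(request, response) {
  const req = applyBodyLimit(request.body, request.headers['content-type']);
  const res = applyBodyLimit(response.body, response.headers['content-type']);
  const headers = { ...request.headers };
  if (req.truncated || res.truncated) headers['cq-discovery-only'] = 'true';
  return { request: { ...request, headers, body: req.body }, response: { ...response, body: res.body } };
}

// HTTP API records never carry a body: fixed placeholder body plus the discovery-only header.
function buildHttpApiTransaction(request) {
  const headers = { ...request.headers, 'cq-discovery-only': 'true' };
  return { ...request, headers, body: '{"cq-endpoints-only": "true"}' };
}
```

Measuring in bytes rather than characters matters: a 600-character body of two-byte UTF-8 characters already exceeds the limit.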
Troubleshooting
The following table describes a known error and its resolution.
| Error | Resolution |
|---|---|
| "errorMessage": "Cannot find package 'undici' imported from /var/task/index.mjs" | The Node module is not properly deployed in Lambda. Rebuild the deployment package (ZIP file) to include undici, then upload the package to Lambda again. |