
Integrating with Amazon API Gateway

This document is for:
Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

This feature is available with Invicti API Security Standalone or Bundle

Integrating Amazon API Gateway with Invicti Enterprise allows you to fetch Swagger2 and OpenAPI3 specification files from Amazon API Gateway and provide them as inputs to our DAST scanners. The imported specification files are used to build an inventory of API endpoints that can be scanned for vulnerabilities.

This document explains how to set up an integration between Amazon API Gateway and Invicti Enterprise.

PREREQUISITES: Create an IAM role for accessing your APIs with the following permissions:

  • sts:AssumeRole
  • sts:GetAccessKeyInfo
  • sts:GetCallerIdentity
  • apigateway:GET

How to integrate Invicti Enterprise with Amazon API Gateway

This integration has three steps. Before following these steps, ensure you have configured AWS according to the prerequisites listed above.

NOTE: Only Swagger2 and OpenAPI3 specification files will be imported.

This integration uses the AWS Identity and Access Management (IAM) authentication mechanism. This method controls API access using AWS IAM roles and policies.

Step 1: Update your IAM role permissions

In order for Invicti Enterprise to fetch your Swagger2 and OpenAPI3 specification files from Amazon API Gateway, you need to add a trust policy statement to the IAM role that Invicti Enterprise will be allowed to assume. Follow the steps below to update your IAM role with the necessary permissions.

  1. Log in to Invicti Enterprise.
  2. Select APIs > Sources from the left-side menu.
  3. Click Add new source.
  4. Select AWS as the source type, then click the copy icon for the Account Id field.
  5. In a new browser tab or window, log in to the AWS IAM Console.
  6. Navigate to IAM > Roles.
  7. Select the role that will be used by Invicti Enterprise.
  8. Select the Trust relationships tab, then click Edit trust policy.
  9. Click + Add new statement.
  10. In the Access level - read or write section, select AssumeRole, then click Add.
  11. In the Add principal dialog, use the Principal type drop-down to select IAM Roles.
  12. In the ARN field, paste the Account Id that you previously copied from Invicti Enterprise into the Account space.
  13. Switch to your Invicti Enterprise tab or window and click the copy icon for the Role field.
  14. Return to the AWS IAM Console and paste the Role information into the ARN field where it indicates RoleNameWithPath.
  • The ARN field should now look like this: arn:aws:iam::<ACCOUNT_ID>:role/<ROLE>
  15. Select and copy the whole ARN field string for use in the next section below.
  16. Click Add principal.

Your IAM role now has the necessary permissions to configure the Amazon API Gateway import in Invicti Enterprise. To do so, follow the instructions in the next section.
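The two IAM documents this page relies on, the permissions policy from the prerequisites and the trust policy statement built in Step 1, are easy to over-grant (a wildcard action, or an account-wide principal instead of the single Invicti role). The script below is an added example, not Invicti's or AWS's code: it generates both documents from the four listed actions and a role ARN, and checks that the result grants exactly those actions and trusts exactly one principal. The account id and role name are constructed placeholders; substitute the values copied from the Add new source page.

```python
"""Build and sanity-check the IAM documents for the Invicti API Gateway integration.

Added example, not Invicti's or AWS's code. The account id and role name
used below are constructed placeholders.
"""
import json
import re

# The four actions listed in the prerequisites; nothing else is required.
REQUIRED_ACTIONS = (
    "sts:AssumeRole",
    "sts:GetAccessKeyInfo",
    "sts:GetCallerIdentity",
    "apigateway:GET",
)

# A well-formed IAM role ARN: 12-digit account id, then a role name with optional path,
# matching the arn:aws:iam::<ACCOUNT_ID>:role/<ROLE> shape shown in Step 1.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([A-Za-z0-9+=,.@_/-]+)$")


def permissions_policy(api_gateway_resource="*"):
    """Identity policy for the role Invicti assumes: only the prerequisite actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadApiGatewayForInvicti",
                "Effect": "Allow",
                "Action": ["apigateway:GET"],
                "Resource": api_gateway_resource,
            },
            {
                "Sid": "StsIdentityCalls",
                "Effect": "Allow",
                "Action": ["sts:AssumeRole", "sts:GetAccessKeyInfo", "sts:GetCallerIdentity"],
                "Resource": "*",
            },
        ],
    }


def trust_policy(invicti_role_arn):
    """Trust policy from Step 1: lets exactly the Invicti-side role assume this role."""
    if not ROLE_ARN_RE.match(invicti_role_arn):
        raise ValueError(f"not a role ARN: {invicti_role_arn}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": invicti_role_arn},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def granted_actions(policy):
    """Collect every action allowed by a policy document, for comparison."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        actions.update([act] if isinstance(act, str) else act)
    return actions


def check_least_privilege(policy):
    """True when the policy grants exactly the prerequisite actions (no wildcards, no extras)."""
    return granted_actions(policy) == set(REQUIRED_ACTIONS)


def check_trust_principal(policy, expected_arn):
    """True when every statement trusts only the expected role, never an account-wide principal."""
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        arns = [aws] if isinstance(aws, str) else list(aws or [])
        if arns != [expected_arn]:
            return False
    return True


if __name__ == "__main__":
    # Constructed placeholder; use the Account Id and Role copied from Invicti Enterprise.
    invicti_role = "arn:aws:iam::123456789012:role/invicti-api-discovery"
    perms, trust = permissions_policy(), trust_policy(invicti_role)
    print(json.dumps(perms, indent=2))
    print(json.dumps(trust, indent=2))
    print("least privilege:", check_least_privilege(perms))
    print("single trusted principal:", check_trust_principal(trust, invicti_role))
```

Run the two checks again after editing the role in the console (paste the console's policy JSON into `check_least_privilege` and `check_trust_principal`); a `False` from either means something broader than this page requires has crept in.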

Step 2: Configure the Amazon API Gateway import in Invicti Enterprise

After adding the necessary permissions to your IAM role, you are now ready to set up the API integration in Invicti Enterprise. Follow the steps below to configure your Amazon API Gateway import in Invicti Enterprise to establish a read-only connection.

  1. Log in to Invicti Enterprise.
  2. Select APIs > Sources from the left-side menu.
  3. Click Add new source.
  4. Enter a name for the API integration and select AWS as the source type.
  5. Scroll down to the Assume Role field and paste the string that you copied from the ARN field in the AWS IAM Console (arn:aws:iam::<ACCOUNT_ID>:role/<ROLE>).
  6. In the Stage Names field, enter all the stage names for your APIs, separated by commas. Stage Names are configured in Amazon API Gateway when you deploy an API.

IMPORTANT: If you do not provide every stage name where your APIs are deployed, Invicti will not be able to fetch your Swagger2 and OpenAPI3 spec files from Amazon API Gateway. Likewise, an API with no stage name is not fully deployed, so Invicti cannot see it.

  7. In the Regions field, use the drop-down to select all the regions where your AWS sources are located.
  8. Click Authenticate and Save.

Your Amazon API Gateway integration is now displayed on the APIs > Sources page.
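Before clicking Authenticate and Save it is worth confirming that the role, stage names and regions you are about to enter actually let the specification files be fetched. The script below is an added pre-flight check, not Invicti's own code: it assumes the role with sts:AssumeRole, then for each selected region lists the REST APIs and their stages and exports the OpenAPI 3 (`oas30`) or Swagger 2 (`swagger`) document for every configured stage, using only GET calls covered by the apigateway:GET permission. It also reports deployed stages missing from your Stage Names list, which is exactly the case the IMPORTANT note above warns about. It assumes boto3 is installed and that your shell already holds AWS credentials permitted to assume the role; ROLE_ARN, STAGE_NAMES and REGIONS are constructed placeholders.

```python
"""Pre-flight check for the Step 2 settings (added example, not Invicti's code).

Assumes boto3 is installed and the shell has AWS credentials allowed to assume
the role. ROLE_ARN, STAGE_NAMES and REGIONS are constructed placeholders.
"""
import json
import sys

ROLE_ARN = "arn:aws:iam::123456789012:role/invicti-api-discovery"  # constructed placeholder
STAGE_NAMES = "prod, staging"                                       # as typed into Stage Names
REGIONS = ["eu-west-1", "us-east-1"]                                # as selected in Regions


def parse_stage_names(field):
    """Split the comma-separated Stage Names field, dropping blanks and duplicates."""
    names = []
    for name in field.split(","):
        name = name.strip()
        if name and name not in names:
            names.append(name)
    return names


def classify_stages(configured, deployed):
    """Compare configured stage names with the stages an API actually has.

    Returns (stages to export, deployed stages missing from the configuration);
    a non-empty second item means Invicti will not see those deployments.
    """
    configured, deployed = set(configured), set(deployed)
    return sorted(configured & deployed), sorted(deployed - configured)


def assumed_session(role_arn):
    """Assume the role the same way the integration does (sts:AssumeRole)."""
    import boto3  # imported here so the pure helpers above work without boto3

    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName="invicti-preflight"
    )["Credentials"]
    return boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


def export_specs(session, regions, stage_names, export_type="oas30"):
    """Export the spec of every API/stage pair; every call is a control-plane GET.

    export_type is "oas30" for OpenAPI 3 or "swagger" for Swagger 2, the two
    formats the integration imports.
    """
    specs, missing = {}, []
    for region in regions:
        apigw = session.client("apigateway", region_name=region)
        for page in apigw.get_paginator("get_rest_apis").paginate():
            for api in page.get("items", []):
                deployed = [s["stageName"] for s in apigw.get_stages(restApiId=api["id"])["item"]]
                to_export, unconfigured = classify_stages(stage_names, deployed)
                missing.extend((region, api["name"], s) for s in unconfigured)
                for stage in to_export:
                    body = apigw.get_export(
                        restApiId=api["id"], stageName=stage,
                        exportType=export_type, accepts="application/json",
                    )["body"].read()
                    specs[(region, api["name"], stage)] = json.loads(body)
    return specs, missing


if __name__ == "__main__":
    session = assumed_session(ROLE_ARN)
    specs, missing = export_specs(session, REGIONS, parse_stage_names(STAGE_NAMES))
    for (region, api, stage), spec in specs.items():
        print(f"exported {api}/{stage} in {region}: {len(spec.get('paths', {}))} paths")
    for region, api, stage in missing:
        print(f"WARNING: stage {stage!r} of {api} in {region} is not in Stage Names", file=sys.stderr)
    sys.exit(1 if missing else 0)
```

An AccessDenied from `assume_role` points at the trust policy from Step 1; an AccessDenied from `get_export` points at the apigateway:GET permission; a warning line means a stage name needs adding to the Stage Names field.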

Step 3: Synchronize the API import

  1. On the APIs > Sources page in Invicti Enterprise, click the sync icon to start importing your API specification files from Amazon API Gateway into your Invicti Enterprise API Inventory.
  2. When the sync is complete, your API specification files will be displayed on the API Inventory page in Invicti Enterprise. From this page, you can link your API specification files to targets so they can be scanned for vulnerabilities. For more information, refer to Linking and unlinking discovered APIs to targets.

Amazon API Gateway is now integrated with Invicti Enterprise. After the initial synchronization, the integration will automatically sync your API specifications once every 24 hours.

NOTE: To synchronize API specifications on demand, click the sync icon on the APIs > Sources page. To disable automatic synchronization, click the toggle in the Sync Automatically column on the APIs > Sources page.