# AWS API Gateway for wizard
You can connect the Wallarm Edge node to Amazon API Gateway to automatically build an API inventory from real traffic.
This connector does not inspect or block malicious requests. Instead, it uses a Lambda function to monitor CloudWatch logs from API Gateway, parse the log data, and forward relevant metadata to a Wallarm Native Node. The result is your API inventory.
Follow the steps below to set up the connection.
## 1. Create an IAM role with an IAM policy for Lambda

- Sign in to the AWS Management Console and go to Identity and Access Management (IAM).
- Create the following IAM policy using the JSON editor:
- Go to Roles and click Create role.
- Select AWS service and Lambda for "Trusted entity type" and "Use case", respectively, and then click Next.
- On the "Add permissions" step, select the IAM policy you created earlier, and click Next.
- Give your IAM role a recognizable name (e.g., `WallarmAPIDiscoveryLambdaRole`) and optionally edit the role's description.
- Click Create role.
## 2. Create a Lambda function

- Open the Functions page of the Lambda console and click Create function.
- Select Author from scratch.
- Give your function a recognizable name (e.g., `wallarm-api-discovery-connector`).
- Choose Python 3.13 and x86_64 under "Runtime" and "Architecture", respectively.
- Under "Permissions", expand Change default execution role, select Use an existing role, and then select the IAM role you created in Step 1 (`WallarmAPIDiscoveryLambdaRole`).
- Click Create function.
## 3. Configure the Lambda function

- Download the code bundle for Amazon API Gateway from the Wallarm Console.
- Extract the code bundle archive, open the `cw-resend-lambda/lambda_function.py` file, and copy its contents.
- In your Lambda function, go to the Code tab and paste the copied code into the "Code source" section.
- Click Deploy.
- Go to the Configuration tab → Environment variables → Edit.
- Click Add environment variable and specify the following environment variables for Node communication:
    - `X_NODE_URL`: Edge Node DNS name or IP address, including a port if necessary (e.g., `node.example.com` or `192.0.2.1`).
    - `X_NODE_SCHEME`: set to `https`.
- Click Save.
- Go to the Configuration tab → General configuration → Edit.
- Under "Timeout", set a value sufficient for processing a batch of logs (e.g., 30 seconds to 1 minute).
- Click Save.
## 4. Configure CloudWatch API logging using the API Gateway console

- In the main navigation panel, choose APIs, then click the name of your API.
- Go to Stages → your stage (e.g., `prod`), scroll down to the Logs and tracing section, and then click Edit.
- Under CloudWatch logs, select Errors and info logs and toggle on Custom access logging.
- Under Access log destination ARN, specify the ARN of the CloudWatch log group where logs will be written. If the group does not exist, create it and copy the ARN. The ARN has the following format: `arn:aws:logs:region:account-id:log-group:group-name`.
- In the Log format section, paste the following JSON log format (optimized to include only essential fields):

    ```json
    {
      "requestId": "$context.requestId",
      "httpMethod": "$context.httpMethod",
      "path": "$context.path",
      "protocol": "$context.protocol",
      "status": "$context.status",
      "responseLength": "$context.responseLength",
      "requestTime": "$context.requestTime",
      "requestTimeEpoch": "$context.requestTimeEpoch",
      "responseLatency": "$context.responseLatency",
      "integrationLatency": "$context.integrationLatency",
      "integrationStatus": "$context.integrationStatus",
      "errorMessage": "$context.error.message",
      "stage": "$context.stage",
      "domainName": "$context.domainName",
      "sourceIp": "$context.identity.sourceIp",
      "userAgent": "$context.identity.userAgent"
    }
    ```

- Click Save.
## 5. Connect CloudWatch Logs to Lambda (subscription filter)

- Go to CloudWatch Console → Logs → Log groups.
- Find and select the log group you specified in the API Gateway console in Step 4.
- Click Actions → Subscription filters → Create Lambda subscription filter.
- Select the Lambda function you created in Step 2 (e.g., `wallarm-api-discovery-connector`).
- Under "Log format", select JSON.
- You can leave "Subscription filter pattern" empty or configure filtering if necessary.
- Under "Subscription filter name", specify a filter name (e.g., `WallarmFilter`).
- Click Start streaming.

By completing this step, you have linked the API Gateway log group to the Lambda function. The function will now start receiving and processing log events.
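To see what the Lambda actually receives after Steps 4 and 5, here is an added example (not Wallarm's `lambda_function.py`, which is not reproduced on this page) that builds the base64-gzipped `awslogs` envelope CloudWatch Logs delivers to a subscription filter and extracts the inventory-relevant metadata from access-log lines in the JSON format above. All log values (request id, account id, host, IP) are constructed placeholders.

```python
import base64
import gzip
import json

# Constructed sample access-log line in the JSON format from Step 4
# (request id, host and IP are placeholders, not real values).
SAMPLE_LINE = {
    "requestId": "11111111-2222-3333-4444-555555555555", "httpMethod": "GET",
    "path": "/v1/users/42", "protocol": "HTTP/1.1", "status": "200",
    "responseLength": "512", "requestTime": "10/Oct/2024:12:00:00 +0000",
    "requestTimeEpoch": "1728561600000", "responseLatency": "35",
    "integrationLatency": "30", "integrationStatus": "200", "errorMessage": "-",
    "stage": "prod", "domainName": "api.example.com",
    "sourceIp": "192.0.2.1", "userAgent": "curl/8.0.1",
}
REQUIRED = {"httpMethod", "path", "status"}


def build_event(messages, message_type="DATA_MESSAGE"):
    """Wrap log lines (dicts or raw strings) in the envelope CloudWatch Logs
    sends to a Lambda subscription filter: awslogs.data = base64(gzip(JSON))."""
    payload = {
        "messageType": message_type,
        "owner": "123456789012",            # constructed account id
        "logGroup": "/aws/apigateway/example",
        "logStream": "prod",
        "subscriptionFilters": ["WallarmFilter"],
        "logEvents": [{"id": str(i), "timestamp": 0,
                       "message": m if isinstance(m, str) else json.dumps(m)}
                      for i, m in enumerate(messages)],
    }
    blob = gzip.compress(json.dumps(payload).encode("utf-8"))
    return {"awslogs": {"data": base64.b64encode(blob).decode("ascii")}}


def parse_event(event):
    """Decode the envelope and return method/path/status/host per request.
    Non-JSON lines and lines missing the core fields are skipped, not raised."""
    data = json.loads(gzip.decompress(base64.b64decode(event["awslogs"]["data"])))
    if data.get("messageType") != "DATA_MESSAGE":  # CONTROL_MESSAGE has no log lines
        return []
    records = []
    for ev in data.get("logEvents", []):
        try:
            line = json.loads(ev.get("message", ""))
        except ValueError:
            continue
        if not isinstance(line, dict) or not REQUIRED.issubset(line):
            continue
        status = int(line["status"]) if str(line["status"]).isdigit() else None
        records.append({"method": line["httpMethod"], "path": line["path"],
                        "status": status, "host": line.get("domainName")})
    return records
```

Note that the records contain only metadata: with this log format no request bodies or headers reach the function, which is why the connector can build an inventory but cannot inspect or block requests.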
## 6. Check the API Discovery inventory

If the AWS infrastructure was deployed correctly, the API Discovery feature is automatically enabled.

Generate traffic to your API endpoints (e.g., using curl) to build the API inventory and populate the API Discovery dashboard.

Wallarm builds the API inventory only after receiving a sufficient number of requests for each endpoint.