Advance Your API Security with Amazon API Gateway & API Sentinel

June 24, 2020

API gateways are increasingly used to help accelerate new ventures or transform existing businesses. However, the People and Process components are not as mature, and as a result, some organizations have had to deal with attackers targeting their API endpoints. Cequence Security has recently released a new product, API Sentinel, to help organizations monitor traffic through their API gateways and reduce the risk of data leakage or business logic abuse by identifying risky APIs.

API gateways are not enough to keep APIs secure

An API gateway is a management tool or cloud service that lies between front-end clients and backend services. The gateway takes in all API calls, aggregates the services needed to fulfill them, and then returns the results to the requestor. Think of them as the waiter in the restaurant who takes the orders from customers, submits them to the kitchen, and then delivers the food and drinks once prepared.

API gateways are designed to be simple to implement, scalable, and flexible to meet the needs of different application requirements. While API gateways come with features to protect against volumetric attacks and implement some form of user authentication, attackers can get around these controls by slowing down their attacks and using compromised credentials.
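The gap described above, as an added example (not code from Cequence or AWS): a per-minute rate check passes both clients in a constructed set of gateway access-log lines, while counting distinct object paths and failed lookups per client singles out the slow enumerator. The JSON field names, the thresholds and the sample traffic are assumptions made for illustration.

```python
import json
from collections import Counter, defaultdict

RATE_LIMIT_PER_MIN = 60      # assumed per-client throttle on the gateway
DISTINCT_ID_THRESHOLD = 20   # assumed: distinct object paths before we look closer
MISS_RATIO_THRESHOLD = 0.5   # assumed: share of 403/404 responses

def sample_log():
    """Constructed log lines: a slow enumerator and an ordinary client."""
    t0, lines = 1_592_990_000_000, []   # epoch milliseconds
    for i in range(40):  # one request every 30 s, walking sequential order IDs
        lines.append(json.dumps({
            "ip": "203.0.113.7", "requestTimeEpoch": t0 + i * 30_000,
            "resourcePath": "/orders/{id}", "path": f"/orders/{1000 + i}",
            "status": 200 if i % 4 == 0 else 404}))
    for i in range(40):  # one request every 5 s, re-reading two of its own orders
        lines.append(json.dumps({
            "ip": "198.51.100.20", "requestTimeEpoch": t0 + i * 5_000,
            "resourcePath": "/orders/{id}", "path": f"/orders/{2000 + i % 2}",
            "status": 200}))
    return lines

def analyze(lines):
    """Per client IP: peak requests/minute vs. breadth of objects touched."""
    clients = defaultdict(lambda: {"minutes": Counter(), "paths": set(), "miss": 0, "n": 0})
    for line in lines:
        rec = json.loads(line)
        if "{" not in rec["resourcePath"]:
            continue  # only parameterised routes can be enumerated by ID
        c = clients[rec["ip"]]
        c["minutes"][rec["requestTimeEpoch"] // 60_000] += 1
        c["paths"].add(rec["path"])
        c["miss"] += rec["status"] in (403, 404)
        c["n"] += 1
    report = {}
    for ip, c in clients.items():
        miss_ratio = c["miss"] / c["n"]
        report[ip] = {
            "peak_rpm": max(c["minutes"].values()),
            "rate_limited": max(c["minutes"].values()) > RATE_LIMIT_PER_MIN,
            "distinct_paths": len(c["paths"]),
            "miss_ratio": miss_ratio,
            "enumeration_suspect": len(c["paths"]) >= DISTINCT_ID_THRESHOLD
                                   and miss_ratio >= MISS_RATIO_THRESHOLD,
        }
    return report

if __name__ == "__main__":
    for ip, row in analyze(sample_log()).items():
        print(ip, row)
```

Keying on client IP alone is the simplest case; where requests carry an API key or token, grouping by that identity as well catches the same pattern spread across addresses.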

API Sentinel delivers added critical functionality

Like most cloud services, API gateways are designed to be used by security-minded enterprises, and as such come with some security features built in. The Amazon API Gateway has also been audited for use across several compliance frameworks to help speed the certification process of applications that rely on it.

The Amazon API Gateway offers many of the security features available with other services on AWS, including:

  • DDoS Protection from both layer 3 and layer 7 attacks
  • Audit Trail to track API changes via AWS CloudTrail
  • Role-based Access Control for creating and managing APIs

You can choose to implement rate limiting or additional user authentication to limit abuse, but APIs using these features are still susceptible to attacks. All of these tools and capabilities are user- and API-agnostic.

Although API gateways are strong on managing APIs, they lack spec conformance and threat prevention functions. API Sentinel from Cequence Security provides additional necessary insights, including:

  • Identifying APIs being targeted by known malicious networks
  • Providing risk scores for APIs that may be easily compromised or may leak sensitive data
  • Detecting anomalous activity that may indicate compromised credentials or tokens, or reconnaissance activity such as an enumeration attack
  • Monitoring API endpoints for applications with regulatory requirements such as PCI or HIPAA

Tight integration with API gateways streamlines discovery

API Sentinel is designed to automatically enable and analyze Amazon CloudWatch logs for your Amazon API Gateway, ensuring all API transactions are monitored as new API endpoints are published and existing APIs are updated or changed as part of their application lifecycles. This is a role-based integration and does not require users to set up or manage data collection after the role is implemented, which helps to ensure no published API gets missed.

API visibility for everyone who needs it

API Sentinel provides much-needed runtime visibility to security and risk teams without requiring any intervention from the development teams.

Today, security teams and the team leading the digital transformation efforts for the organization (API COE, Application Modernization, Supply Chain Technology, Cloud Operations, etc.) benefit most from the visibility provided by API Sentinel. Once API Sentinel is deployed in a cloud or on-premises environment, these teams will finally have a big-picture view of all APIs, API activity, and API risk across their organization. This actionable information helps to guide conversations with development teams to improve the overall API security posture and lessen the risk from this increasingly vulnerable attack vector.

Want to get started?

Cequence Security is an Advanced Technology partner and one of the founding members of the APN Global Startup Program, and API Sentinel was built to run on AWS from the start. If you’d like to try API Sentinel in your AWS environment, you can get started today with a 30-day free trial.

About the Author

Vince Bryant

Senior Director of Business Development
