Integrating Amazon API Gateway with Acunetix 360

This feature is available with Invicti API Security Standalone or Bundle

Integrating Amazon API Gateway with Acunetix 360 allows you to fetch Swagger2 and OpenAPI3 specification files from Amazon API Gateway and provide them as inputs to our DAST scanners. The imported specification files are used to build an inventory of API endpoints that can be scanned for vulnerabilities.

This document explains how to set up an integration between Amazon API Gateway and Acunetix 360.

PREREQUISITES: Create an IAM role for accessing your APIs with the following permissions:

  • sts:AssumeRole
  • sts:GetAccessKeyInfo
  • sts:GetCallerIdentity
  • apigateway:GET

How to integrate Acunetix 360 with Amazon API Gateway

This integration has three steps. Before following these steps, ensure you have configured AWS according to the prerequisites listed above.

NOTE: Only Swagger2 and OpenAPI3 specification files will be imported.

This integration uses the AWS Identity and Access Management (IAM) authentication mechanism. This method controls API access using AWS IAM roles and policies.

Step 1: Update your IAM role permissions

In order for Acunetix 360 to successfully fetch your Swagger2 and OpenAPI3 specification files from Amazon API Gateway, you need to add a trusted policy to the IAM role that Acunetix 360 will be allowed to use. Follow the steps below to update your IAM role with the necessary permissions.

  1. Log in to Acunetix 360.
  2. Select APIs > Sources from the left-side menu.

  1. Click Add new source.

  1. Select AWS as the source type, then click the copy icon for the Account Id field.

  1. In a new browser tab or window, log in to the AWS IAM Console.
  2. Navigate to IAM > Roles.
  3. Select the role that will be used by Acunetix 360. 
  4. Select the Trust relationships tab, then click Edit trust policy.

  1. Click + Add new statement.

  1. In the Access level - read or write section, select Assumerole, then click Add.

  1. In the Add principal dialog, use the Principal type drop-down to select IAM Roles.

  1. In the ARN field, paste the Account Id that you previously copied from Acunetix 360 into the Account space.
  2. Switch to your Acunetix 360 tab or window and click the copy icon for the Role field.

  1. Return to the AWS IAM Console and paste the Role information into the ARN field where it indicates RoleNameWithPath.
  • The ARN field should now look like this: arn:aws:iam::<ACCOUNT_ID>:role/<ROLE>
  1. Select and copy the whole ARN field string for use in the next section below.
  2. Click Add principal.

Your IAM role now has the necessary permissions to configure the Amazon API Gateway import in Acunetix 360. To do so, follow the instructions in the next section of this document.

Step 2: Configure the Amazon API Gateway import in Acunetix 360

After adding the necessary permissions to your IAM role, you are now ready to set up the API integration in Acunetix 360. Follow the steps below to configure your Amazon API Gateway import in Acunetix 360 to establish a read-only connection.

  1. Log in to Acunetix 360.
  2. Select APIs > Sources from the left-side menu.

  1. Click Add new source.

  1. Enter a name for the API integration and select AWS as the source type.

  1. Scroll down to the Assume Role field and paste the string that you copied from the ARN field in the AWS IAM Console (arn:aws:iam::<ACCOUNT_ID>:role/<ROLE>). 
  2. In the Stage Names field, enter all the stage names for your APIs, separated by commas. Stage Names are configured in Amazon API Gateway when you deploy an API.

IMPORTANT: If you do not provide every stage name where your APIs are deployed, Acunetix 360 will not be able to fetch your Swagger2 and Open API3 spec files from Amazon API Gateway. Similarly, if no stage name is provided, your APIs are not fully deployed, and therefore, Acunetix 360 cannot see them.   

  1. In the Regions field, use the drop-down to select all the regions where your AWS sources are located.
  2. Click Authenticate and Save.

Your Amazon API Gateway integration is now displayed on the APIs > Sources page.

Step 3: Synchronize the API import

  1. On the APIs > Sources page in Acunetix 360, click the sync icon to start importing your API specification files from Amazon API Gateway into your Acunetix 360 API Inventory.

  1. When the sync is complete, your API specification files will be displayed on the API Inventory page in Invicti Enterprise. From this page, you can link your API specification files to targets so they can be scanned for vulnerabilities. For more information, refer to Linking and unlinking discovered APIs to targets.

Amazon API Gateway is now integrated with Acunetix 360. After the initial synchronization, the integration will automatically sync your API specifications once every 24 hours.

NOTE: To synchronize API specifications on demand, click the sync icon on the APIs > Sources page. To disable automatic synchronization, click the toggle in the Sync Automatically column on the APIs > Sources page.


« Back to the Acunetix Support Page