Wallarm Connector for Amazon API Gateway (API Discovery)¶
The Wallarm Connector for Amazon API Gateway automatically builds an API inventory from real traffic by relying on CloudWatch logs.
How it works¶
This connector does not inspect or block malicious requests. Instead, it uses a Lambda function to monitor CloudWatch logs from API Gateway, parse the log data, and forward relevant metadata to a Wallarm Native Node running on Amazon Elastic Container Service (Amazon ECS). The result is your API inventory.
Terraform deployment¶
The Terraform configuration automatically deploys all AWS resources required for the Wallarm Connector for Amazon API Gateway. It sets up a complete environment that connects Amazon API Gateway logs to the Wallarm Native Node for API Discovery.
Wallarm Native Node in ECS¶
Terraform deploys a Wallarm Native Node as an ECS service.
Key components include:
- VPC integration – the Node runs in private subnets within a VPC that also contains public subnets for the Application Load Balancer (ALB)
- ECS Cluster – manages the containerized Node workload
- ECS Service – runs the Node container image (`wallarm/node-native-aio`) using the EC2 launch type
- Application Load Balancer (ALB) – exposes the Node endpoint via HTTPS and routes requests from the Lambda function to ECS tasks
- ACM Certificate – provides TLS encryption for the ALB endpoint
- (Optional) Route 53 Record – assigns a DNS name to the ALB for easier access
- AWS Cloud Map (Service Discovery) – enables internal name resolution for the Node service within the VPC
AWS Lambda for log processing¶
Terraform creates a Lambda function (`cw-resend-lambda/`) that:
- Subscribes to Amazon CloudWatch Logs from API Gateway
- Parses API Gateway log entries and extracts API metadata
- Forwards structured metadata to the Wallarm Node via the ALB
- Configures the following environment variables for Node communication:
    - `X_WALLARM_APPLICATION_ID` – Wallarm Application ID
    - `X_NODE_URL` – Native Node ALB DNS name
    - `X_NODE_SCHEME` – Native Node protocol (HTTP or HTTPS)
All IAM roles and permissions required for Lambda execution and CloudWatch access are automatically provisioned.
CloudWatch log delivery integration¶
Terraform configures CloudWatch to serve as the communication channel between API Gateway and the Lambda function:
- Creates or reuses a CloudWatch log group for API Gateway
- Adds a log subscription filter to stream new log events to the Lambda function
- Grants permissions for CloudWatch to invoke the Lambda function
- Configures IAM permissions for log processing
This enables near real-time delivery of API Gateway traffic logs for processing.
Limitations¶
At the moment, this connector does not detect or monitor attacks. Its primary purpose is to build your API inventory using the API Discovery feature.
Requirements¶
To proceed with the deployment, ensure that the following requirements are met:
- API deployed in Amazon API Gateway
- Understanding of AWS CloudFront and Amazon API Gateway technologies
- AWS CLI configured with the necessary permissions
- Terraform version 1.0 or later
Deployment¶
1. Prepare a Wallarm token¶
To install the Node, you will need a token for registering the Node in the Wallarm Cloud. To prepare a token:
1. Open Wallarm Console → Settings → API tokens in the US Cloud or EU Cloud.
2. Find or create an API token with the `Node deployment/Deployment` usage type.
3. Copy this token.
2. Create an IAM policy for Terraform to manage AWS resources¶
Go to the AWS Management Console and create the following IAM policy using the JSON editor:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:Create*",
        "ec2:Delete*",
        "ec2:Modify*",
        "ec2:Associate*",
        "ec2:Disassociate*",
        "ec2:Attach*",
        "ec2:Detach*",
        "ec2:Replace*",
        "ec2:Revoke*",
        "ec2:Allocate*",
        "ec2:AuthorizeSecurityGroup*",
        "ec2:RunInstances",
        "ec2:*Address"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:Create*",
        "iam:Get*",
        "iam:Pass*",
        "iam:Delete*",
        "iam:Add*",
        "iam:Remove*",
        "iam:List*",
        "iam:Tag*",
        "iam:Put*",
        "iam:Attach*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:Create*",
        "elasticloadbalancing:Describe*",
        "elasticloadbalancing:Modify*",
        "elasticloadbalancing:Delete*",
        "elasticloadbalancing:AddTags",
        "elasticloadbalancing:RemoveTags",
        "elasticloadbalancing:RegisterTargets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:Create*",
        "logs:Put*",
        "logs:Describe*",
        "logs:Delete*",
        "logs:List*",
        "logs:Tag*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:*HostedZone",
        "route53:Change*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:Get*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:Create*",
        "lambda:Update*",
        "lambda:Delete*",
        "lambda:Get*",
        "lambda:GetFunction",
        "lambda:List*",
        "lambda:Invoke*",
        "lambda:Publish*",
        "lambda:Add*",
        "lambda:Remove*",
        "lambda:Tag*",
        "lambda:Untag*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:Describe*",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:DeleteAutoScalingGroup"
      ],
      "Resource": "*"
    }
  ]
}
```
3. Deploy Terraform¶
1. Contact sales@wallarm.com to get the Terraform configuration for the connector.
2. Copy the `terraform.tfvars` example file:
3. Edit the copied file and configure the following variables:

   Required variables:

   | Variable | Description | Default |
   | --- | --- | --- |
   | `wallarm_api_host` | Wallarm API server: `us1.api.wallarm.com` for the US Cloud, `api.wallarm.com` for the EU Cloud | `api.wallarm.com` |
   | `wallarm_api_token` | Wallarm API token created in Step 1. | `your-token-here` |
   | `x_wallarm_application_id` | Wallarm application ID. | `-1` |

   Optional variables:

   | Variable | Description | Default |
   | --- | --- | --- |
   | `region` | AWS region where all resources will be deployed. | `us-east-1` |
   | `name_prefix` | Resource name prefix (maximum 38 characters). | `api-gw-discovery` |
   | `node_image` | Docker image for the Native Node. | `wallarm/node-native-aio` |
   | `node_tag` | Docker image tag. | `latest` |
   | `node_group` | Node group identifier. | `api-gateway-api-discovery` |
   | `r53_domain_name` | To enable secure HTTPS communication between AWS Lambda and the Native Node, define the Amazon Route 53 domain name. When both `r53_domain_name` and `node_dns_name` are set, AWS Lambda will automatically use HTTPS to communicate with the Native Node using the configured domain name. An ACM SSL certificate will be automatically created and configured for the domain. | `""` |
   | `node_dns_name` | To enable secure HTTPS communication between AWS Lambda and the Native Node, define the Node DNS record name. When both `r53_domain_name` and `node_dns_name` are set, AWS Lambda will automatically use HTTPS to communicate with the Native Node using the configured domain name. An ACM SSL certificate will be automatically created and configured for the domain. | `""` |
   | `api_gateway_log_group_name` | Log group created by Amazon API Gateway for your API. | `""` |

4. Deploy the Terraform infrastructure:
5. Once your infrastructure is deployed, you will see the log group artifacts created by Terraform (see the screenshot below). Copy the `api_gateway_log_group_arn` value. You will need it for the next step.
4. Configure CloudWatch API logging using the API Gateway console¶
1. In the main navigation panel, choose APIs, and then click the name of your API.
2. Go to Stages → your stage (e.g., `prod`), scroll down to the Logs and tracing section, and then click Edit.
3. Under CloudWatch logs, select Errors and info logs and toggle on Custom access logging.
4. Under Access log destination ARN, paste the `api_gateway_log_group_arn` copied in the previous step.
5. In the Log format section, paste the following JSON log format (optimized to include only essential fields):

   ```json
   {
     "requestId": "$context.requestId",
     "httpMethod": "$context.httpMethod",
     "path": "$context.path",
     "protocol": "$context.protocol",
     "status": "$context.status",
     "responseLength": "$context.responseLength",
     "requestTime": "$context.requestTime",
     "requestTimeEpoch": "$context.requestTimeEpoch",
     "responseLatency": "$context.responseLatency",
     "integrationLatency": "$context.integrationLatency",
     "integrationStatus": "$context.integrationStatus",
     "errorMessage": "$context.error.message",
     "stage": "$context.stage",
     "domainName": "$context.domainName",
     "sourceIp": "$context.identity.sourceIp",
     "userAgent": "$context.identity.userAgent"
   }
   ```

6. Click Save.
See more details on configuring CloudWatch API logging using the API Gateway console.
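As an added example (not Wallarm's `cw-resend-lambda` code, whose internals this page does not show), the Python below sketches the work a log-processing Lambda of the kind described in "AWS Lambda for log processing" has to do with each event it receives: unpack the CloudWatch Logs subscription envelope (gzip-compressed, base64-encoded JSON under `awslogs.data`), parse every message as the JSON access-log format pasted in Step 4 above, and keep only the metadata fields. The sample log lines, the log group name and the field subset are constructed assumptions; forwarding the records to the Native Node is left out because the Node's ingest API is not documented on this page.

```python
import base64
import gzip
import json

# Constructed sample: two access-log lines in the JSON format configured in Step 4,
# plus one non-JSON line, to show that unexpected entries are skipped rather than crashing.
SAMPLE_MESSAGES = [
    json.dumps({"requestId": "a1b2", "httpMethod": "GET", "path": "/v1/users/42",
                "status": "200", "responseLength": "512", "requestTimeEpoch": "1700000000000",
                "stage": "prod", "domainName": "api.example.com", "sourceIp": "203.0.113.10"}),
    json.dumps({"requestId": "c3d4", "httpMethod": "POST", "path": "/v1/orders",
                "status": "201", "responseLength": "64", "requestTimeEpoch": "1700000001000",
                "stage": "prod", "domainName": "api.example.com", "sourceIp": "203.0.113.11"}),
    "(a1b2) Extended Request Id: example-non-json-line",
]
# Assumed field subset kept as API metadata; request bodies and headers never reach the Lambda.
METADATA_FIELDS = ("requestId", "httpMethod", "path", "status",
                   "responseLength", "requestTimeEpoch", "stage", "domainName")

def build_subscription_event(log_group, messages):
    """Wrap messages in the envelope CloudWatch Logs delivers to a subscribed Lambda:
    {"awslogs": {"data": base64(gzip(JSON))}}. Used here only to construct test input."""
    payload = {"messageType": "DATA_MESSAGE", "owner": "123456789012", "logGroup": log_group,
               "logStream": "stream-1", "subscriptionFilters": ["wallarm-cw-resend"],
               "logEvents": [{"id": str(i), "timestamp": 1700000000000 + i, "message": m}
                             for i, m in enumerate(messages)]}
    blob = gzip.compress(json.dumps(payload).encode("utf-8"))
    return {"awslogs": {"data": base64.b64encode(blob).decode("ascii")}}

def decode_subscription_event(event):
    """Reverse the envelope: base64-decode, gunzip, parse the JSON payload."""
    return json.loads(gzip.decompress(base64.b64decode(event["awslogs"]["data"])))

def extract_metadata(payload):
    """Return one metadata record per JSON access-log line; skip everything else."""
    records = []
    for ev in payload.get("logEvents", []):
        try:
            entry = json.loads(ev["message"])
        except json.JSONDecodeError:
            continue  # not an access-log record in the configured JSON format
        if not isinstance(entry, dict) or "httpMethod" not in entry or "path" not in entry:
            continue
        records.append({k: entry.get(k) for k in METADATA_FIELDS})
    return records

def lambda_handler(event, context=None):
    """Handler shape for a CloudWatch Logs-triggered Lambda; forwarding to the Node is omitted."""
    return extract_metadata(decode_subscription_event(event))
```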
5. Check the API Discovery inventory¶
If the infrastructure was deployed correctly, the API Discovery feature is automatically enabled.
Generate traffic to your API endpoints (e.g., using curl) to build the API inventory and populate the API Discovery dashboard.
Wallarm builds the API inventory only after receiving a sufficient number of requests for each endpoint.
If you have any issues, refer to the "Logs and troubleshooting" section.
Logs and troubleshooting¶
See common issues and their corresponding troubleshooting solutions below:
- AWS Lambda is not receiving logs:
    - Verify that the CloudWatch log subscription filter is created
    - Check the Lambda IAM permissions for CloudWatch Logs
    - Ensure that API Gateway is writing to the correct log group
- The Native Node is not accessible:
    - Check the ECS service status
    - Check the Native Node logs
    - Verify Application Load Balancer health checks
    - Check the security group rules
- API Discovery is not working:
    - Verify environment variables in AWS Lambda
    - Check the Native Node connectivity
    - Check Wallarm API credentials
For troubleshooting, you can also review the following logs:
- Native Node logs: `/opt/wallarm/var/log/wallarm/go-node.log`
- Lambda logs: `/aws/lambda/wallarm-cw-resend-{random_name}`
- API Gateway logs: `/aws/apigateway/wallarm-api-discovery-{random_name}`
- ECS service logs in CloudWatch


