Skip to content

API Gateway Key

Service Name: API Gateway

Service Description: API Gateway is a service that enables developers to create, publish, maintain, monitor, and secure APIs at any scale. It acts as a "front door" for applications to access data, business logic, or functionality from backend services.

Service Address: This varies by cloud provider (AWS, Azure, Google Cloud, etc.) as many offer API Gateway services.

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the API Gateway level to limit which IP addresses or ranges can access your APIs.

Secret Access Scope: Grants access to specific API endpoints and resources as defined by the API Gateway configuration. The scope depends on what APIs the key is authorized to access.

Secret Revokement URL: Varies by provider. For example: - AWS: https://docs.aws.amazon.com/apigateway/latest/developerguide/api- gateway-setup-api-key-with-console.html - Azure: https://learn.microsoft.com/en-us/azure/api-management/api- management-howto-create-subscriptions

Secret Example: a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6

Suspicious Activity Investigation Instructions:

  • Review API Gateway logs for unusual request patterns or volumes
  • Check for access from unexpected geographic locations or IP addresses
  • Monitor for unusual API call rates or patterns that differ from normal usage
  • Look for attempts to access unauthorized endpoints or resources

  • Examine request headers and parameters for signs of injection attacks or

malicious payloads

Mitigation Instructions:

  • Immediately revoke the compromised API key through your provider's management console
  • Generate a new API key with appropriate permissions
  • Update all legitimate applications to use the new API key
  • Implement more restrictive access policies (IP restrictions, rate limiting)
  • Consider implementing additional authentication methods like OAuth 2.0 or JWT
  • Review and update API Gateway logging and monitoring settings
  • Implement API request validation to prevent malicious inputs