Levo.ai’s Integration with AWS API Gateway now helps you prevent breaches


APIs, as transformative as they are, need a security approach of their own. Industry leaders like AWS have been at the forefront of providing managed building blocks such as the AWS API Gateway.

The adoption of microservices architecture has driven enterprises to invest in API Gateways. Solutions like AWS API Gateway streamline backend processes such as client request handling, routing, data transformation, caching, logging, and load balancing, thereby freeing up developer resources.

However, API security and compliance remain a shared responsibility between AWS and its customers. AWS provides IAM roles and policies to control who may invoke an API, and a WAF is typically placed in front of the gateway to block well-known attack patterns (such as XSS and injection payloads) and volume-based abuse (such as DDoS and enumeration).

Yet these measures alone do not cover the full attack surface. Individual endpoints often carry their own AuthN and AuthZ logic and critical business and application logic. A flaw there (a missing object-level authorization check, for example) is abused with requests that are syntactically legitimate, so attackers can map and exploit such endpoints during reconnaissance without ever triggering a WAF alert.

TL;DR

AWS API Gateway streamlines backend operations but cannot fully secure your API surface alone. WAFs and IAM policies miss undocumented endpoints and unique API logic. Levo.ai integrates with AWS API Gateway to automatically discover, document, and inventory every API, capturing authentication status, sensitive data flows, and RBAC permissions for proactive security and PCI DSS compliance.

Levo’s Integration with AWS API Gateway:

At Levo.ai, we have built an integration with AWS API Gateway that goes beyond generating alerts: it provides detailed instrumentation of the API endpoints exposed through your gateway. For setup instructions, refer to our documentation.

Our instrumentation, powered by Log and CloudFront Lambda, can automatically discover and document all APIs (internal, external, third-party) passing through the gateway.

Unlike surface-level scanning, our solution analyzes real-time traffic to provide an accurate reflection of deployed API endpoints, capturing granular details such as:

  • Associated applications and functions
  • AuthN status
  • AuthZ status
  • Updates on API modifications
  • Data flows for each endpoint, including sensitive and PII data
  • RBAC permissions
  • Enforced policies
  • User attribution

Maintaining an API inventory is essential for compliance (e.g., PCI DSS 6.3), but it is also crucial for security. To help your DevSecOps team understand the business and application logic of each endpoint, we provide a documentation portal with OpenAPI/Swagger specifications for each API endpoint, including:

  • Version details
  • Methods
  • Endpoint URLs
  • Parameters
  • Authentication schemes
  • Request and response bodies
  • Status codes
  • Error messages
  • Data formats
  • Changelogs

Postman collections are automatically generated for each endpoint to expedite your manual testing efforts.


Most API security platforms that integrate with AWS API Gateway focus on attack detection, blocking, and incident response. That raises the question: why do we offer an inventory portal?

Through customer interactions, we discovered a common issue: despite deploying multiple WAFs, load balancers, and rate limiters, many vulnerabilities remain unaddressed.

This stems from a flawed strategy of reacting to attacks instead of preventing them through pre-production API testing. Shift-left initiatives of this kind have broad support: 78% of surveyed enterprises want to uncover vulnerabilities before production.

However, these initiatives often face obstacles. 55% of surveyed enterprises report difficulty with pre-production API testing due to a lack of bandwidth for manual testing and the inability of DAST tools to test APIs.

Even when API-specific testing tools are used, they quickly become unfeasible because of the lack of visibility into the API ecosystem. Many API-specific tools on the market require comprehensive and accurate documentation and inventory from the dev team, which is rarely maintained (something less than 30% of surveyed enterprises possess).

API visibility is so crucial that it has its own entry in the OWASP API Security Top 10.

API9:2023, Improper Inventory Management, warns enterprises about data and account theft and overexposure of sensitive data, risks that typically stem from an incomplete or missing API inventory.

The guideline recommends maintaining an up-to-date and exhaustive API catalog, including API locations, functionalities, and associated security configurations.

A comprehensive API inventory not only aids robust testing but also discovers unknown, deprecated, and misconfigured endpoints before attackers do.
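The captured-details list above (AuthN status, observed methods and endpoints, status codes) and the point here about discovering unknown endpoints both come down to the same mechanism: derive the inventory from traffic, then compare it with what the team believes is deployed. The script below is an added illustration of that idea, not Levo.ai's code and not a description of their instrumentation. It parses constructed AWS API Gateway access-log lines written in the JSON custom-access-log format (keys mapped from `$context.httpMethod`, `$context.resourcePath`, `$context.status` and `$context.authorizer.principalId`), builds a per-operation inventory, and diffs it against a constructed OpenAPI fragment to flag undocumented operations and protected operations that served anonymous requests. The `cognito` security scheme name and all sample values are assumptions for the example.

```python
"""Traffic-derived API inventory diffed against a declared OpenAPI document.

Added example: not Levo.ai's code.  Log lines and the OpenAPI fragment are
constructed; their shape follows API Gateway JSON custom access logging.
"""
import json
from collections import defaultdict

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}

# Constructed access-log lines.  "principalId" carries
# $context.authorizer.principalId; API Gateway substitutes "-" for a
# context variable that was never set (e.g. no authorizer ran).
ACCESS_LOG_LINES = [
    '{"requestId":"a1","httpMethod":"GET","resourcePath":"/users/{id}","status":"200","principalId":"user-17","sourceIp":"203.0.113.5"}',
    '{"requestId":"a2","httpMethod":"GET","resourcePath":"/users/{id}","status":"200","principalId":"-","sourceIp":"198.51.100.9"}',
    '{"requestId":"a3","httpMethod":"POST","resourcePath":"/orders","status":"201","principalId":"user-17","sourceIp":"203.0.113.5"}',
    '{"requestId":"a4","httpMethod":"GET","resourcePath":"/v1/export","status":"200","principalId":"-","sourceIp":"198.51.100.9"}',
    '{"requestId":"a5","httpMethod":"DELETE","resourcePath":"/users/{id}","status":"403","principalId":"user-42","sourceIp":"192.0.2.77"}',
    '{"requestId":"a6","httpMethod":"GET","resourcePath":"/health","status":"200","principalId":"-","sourceIp":"192.0.2.10"}',
]

# Constructed OpenAPI 'paths' object: what the team believes is deployed.
# An empty "security" list means the operation is intentionally public.
OPENAPI_SPEC = {
    "paths": {
        "/users/{id}": {"get": {"security": [{"cognito": []}]}},
        "/orders": {"post": {"security": [{"cognito": []}]}},
        "/health": {"get": {"security": []}},
    }
}


def build_inventory(lines):
    """Map (METHOD, resourcePath) -> observed call counts, auth status and status codes."""
    inv = defaultdict(lambda: {"calls": 0, "authenticated": 0,
                               "anonymous_success": 0, "statuses": set()})
    for line in lines:
        rec = json.loads(line)
        status = int(rec["status"])
        entry = inv[(rec["httpMethod"].upper(), rec["resourcePath"])]
        entry["calls"] += 1
        entry["statuses"].add(status)
        principal = rec.get("principalId", "-")
        if principal not in ("", "-"):
            entry["authenticated"] += 1
        elif 200 <= status < 300:
            # Served successfully with no principal: the endpoint accepted
            # an anonymous caller, whatever the spec says.
            entry["anonymous_success"] += 1
    return dict(inv)


def declared_operations(spec):
    """Flatten OpenAPI paths into (METHOD, path) -> requires_auth."""
    ops = {}
    for path, methods in spec.get("paths", {}).items():
        for method, op in methods.items():
            if method.lower() in HTTP_METHODS:
                ops[(method.upper(), path)] = bool(op.get("security"))
    return ops


def find_gaps(inventory, spec):
    """Return (finding, (METHOD, path)) pairs: traffic vs. declared spec."""
    declared = declared_operations(spec)
    findings = []
    for key, entry in sorted(inventory.items()):
        if key not in declared:
            findings.append(("undocumented", key))
        elif declared[key] and entry["anonymous_success"]:
            findings.append(("anonymous-success-on-protected", key))
    for key in sorted(declared):
        if key not in inventory:
            findings.append(("declared-but-unseen", key))
    return findings


if __name__ == "__main__":
    inventory = build_inventory(ACCESS_LOG_LINES)
    for (method, path), e in sorted(inventory.items()):
        print(f"{method:7}{path:16}calls={e['calls']} auth={e['authenticated']} "
              f"anon_ok={e['anonymous_success']} statuses={sorted(e['statuses'])}")
    for finding, key in find_gaps(inventory, OPENAPI_SPEC):
        print(f"{finding}: {key[0]} {key[1]}")
```

On the sample lines this flags `DELETE /users/{id}` and `GET /v1/export` as undocumented and `GET /users/{id}` as a protected operation that returned 200 to a caller with no principal. Access logs carry no request or response bodies, so the sensitive-data and PII flow details in the list above need body capture rather than log parsing; this example deliberately stops at what the access log alone can prove.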

This is vital, particularly for endpoints handling sensitive data: the average cost of a breach is $180 per stolen PII record, and the average total cost of a data breach is $4.35 million.

While we currently only integrate with AWS, integrations with many other Gateways are in the pipeline. Stay tuned!

Ready to maximize your investment in AWS API Gateway? Schedule a demo with us to learn how!

Conclusion

WAFs and IAM policies block common attacks but leave critical gaps. Undocumented endpoints and missing inventory make reactive defenses insufficient.

Levo.ai integrates directly with AWS API Gateway to automatically discover every API, map sensitive data flows, and generate accurate OpenAPI documentation. With the average breach costing $4.35 million, complete visibility is the foundation everything else depends on.

FAQs

Why is AWS API Gateway alone insufficient for API security?

It cannot secure undocumented endpoints, unique authentication mechanisms, or complex business logic without deeper API visibility beyond WAFs and IAM policies.

What does Levo.ai add to AWS API Gateway?

Automatic discovery of all APIs, real time OpenAPI documentation, and granular capture of authentication status, sensitive data flows, and RBAC permissions.

Why do pre production API testing initiatives fail?

Because 55% of surveyed enterprises lack the bandwidth for manual testing and find that DAST tools cannot test APIs, and fewer than 30% maintain accurate API documentation and inventory, so even purpose-built testing tools are ineffective without full visibility into the API ecosystem.

What is OWASP API9:2023, Improper Inventory Management?

The OWASP API Security Top 10 entry that warns against improper inventory management and recommends an exhaustive API catalog covering locations, functionalities, and security configurations to prevent data exposure.

How does Levo.ai support PCI DSS compliance?

By maintaining a comprehensive API inventory with OpenAPI specifications, authentication details, and sensitive data mapping that satisfies PCI DSS 6.3 requirements.

What details does Levo.ai capture per endpoint?

Authentication status, PII data flows, RBAC permissions, enforced policies, API modifications, and auto generated Postman collections for manual testing.

We didn’t join the API Security Bandwagon. We pioneered it!