Package: Invicti AppSec Core (on-demand)
Amazon API Gateway
Invicti AppSec Core can connect to Amazon API Gateway using AWS IAM role assumption to automatically import Swagger 2 and OpenAPI 3 specifications into your API catalog.
This document explains how to configure the IAM role permissions and set up the Amazon API Gateway source in Invicti AppSec Core.
Why this matters
If your APIs are deployed on Amazon API Gateway, you already have a central registry of what's exposed. Connecting it to Invicti AppSec Core means your API catalog stays in sync automatically, so every new API you deploy is available for security scanning without any manual tracking.
Prerequisites
Before you begin, make sure your AWS IAM role has the following permissions:
- sts:AssumeRole
- sts:GetAccessKeyInfo
- sts:GetCallerIdentity
- apigateway:GET
Step 1: Update IAM role permissions
- In the AWS Console, go to IAM > Roles.
- Select the role you want Invicti AppSec Core to use.
- Go to the Trust relationships tab and click Edit trust policy.
- Add a new statement that grants sts:AssumeRole access. Use the ARN format: arn:aws:iam::<ACCOUNT_ID>:role/<ROLE>
- Save the updated trust policy.
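The following is an added example, not Invicti or AWS code. It checks a role's trust policy and permissions policy against the Prerequisites list and the ARN format from Step 1. The policy documents, account ID and role name are constructed placeholders, and treating any principal other than one specific role ARN as too broad is this example's assumption.

```python
import re
from fnmatch import fnmatchcase

# The four permissions the page lists as prerequisites.
REQUIRED = {"sts:AssumeRole", "sts:GetAccessKeyInfo",
            "sts:GetCallerIdentity", "apigateway:GET"}
# arn:aws:iam::<ACCOUNT_ID>:role/<ROLE>, the format given in Step 1.
ROLE_ARN = re.compile(r"arn:aws:iam::\d{12}:role/[\w+=,.@/-]+")

def _as_list(value):
    """IAM accepts a single string or a list in most policy fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _allows(policy):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]

def check_trust_policy(policy):
    """Flag sts:AssumeRole grants whose principal is not one specific role ARN."""
    findings = []
    for stmt in _allows(policy):
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        arns = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [str(principal)]
        findings += [f"trust too broad: {a}" for a in arns if not ROLE_ARN.fullmatch(a)]
    return findings

def check_permissions(policy):
    """Report required actions that are not granted and grants wider than the list."""
    granted = {a for s in _allows(policy) for a in _as_list(s.get("Action"))}
    missing = [a for a in sorted(REQUIRED)
               if not any(fnmatchcase(a.lower(), g.lower()) for g in granted)]
    extra = sorted(granted - REQUIRED)
    return [f"missing: {a}" for a in missing] + [f"wider than listed: {a}" for a in extra]

# Constructed sample documents; the account ID and role name are placeholders.
GOOD_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-invicti-role"}}]}
WEAK_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "*"}}]}
GOOD_PERMS = {"Statement": [{"Effect": "Allow", "Action": sorted(REQUIRED), "Resource": "*"}]}
WIDE_PERMS = {"Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["apigateway:*", "sts:GetCallerIdentity"]}]}

if __name__ == "__main__":
    print(check_trust_policy(GOOD_TRUST), check_trust_policy(WEAK_TRUST))
    print(check_permissions(GOOD_PERMS), check_permissions(WIDE_PERMS))
```

Feed it the JSON shown in the Trust relationships and Permissions tabs of the role before pasting the role ARN into the Assume role field.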
Step 2: Configure Amazon API Gateway in Invicti AppSec Core
- Select Discovery > API sources from the left-side menu.
- Click Add source.
- Select the Amazon API Gateway source type card.
- Click Continue.
- Paste the IAM role ARN in the Assume role field.
- Enter the stage names where your APIs are deployed.
  Stage names are required: If you don't enter stage names, APIs aren't fully imported into the catalog.
- Select the AWS regions where your APIs are deployed.
- Click Authenticate and save.
Step 3: Synchronize
To run an immediate sync, click the sync icon next to the source on the API sources page.
Invicti AppSec Core automatically synchronizes with Amazon API Gateway every 24 hours.
Need help?
The Invicti Support team is ready to provide you with technical help. Go to the Help Center.