The API security module is an independent module of Web Application Firewall (WAF) and must be separately purchased. The API security module automatically sorts the API assets of services that are protected by WAF and detects API risks based on a built-in detection mechanism and custom detection policies. The risks include unauthorized access to APIs, exposure of sensitive data, and exposure of internal APIs. The module allows you to view API exception events in reports, check the compliance of cross-border data transfer, and trace sensitive data leaks. The module also provides suggestions for handling detected risks and references for API lifecycle management. You can identify and manage all API assets that are required by your services and improve API security throughout the entire data flow. This topic describes how to configure the API security module.
Introduction
In the digital economy era, enterprises face a rapidly changing environment that demands quick response to external changes. To enhance efficiency, enterprises must share data with third parties. The use of APIs to facilitate communication between systems is an important means for internal and external system integration within enterprises. An increasing number of enterprises are opening up their capabilities and resources by using API platforms to build industrial ecosystems. This way, partners can leverage freely available and high-quality resources for rapid integration and innovation, which helps promote the birth of the API economy and generate more value from data exchanges. An important task of enterprises is to provide a large number of API services and value-added data services. However, with the rapid development of APIs, risks are also increasing. Unauthorized access to APIs by attackers, configuration errors, and illegitimate API access requests can lead to sensitive data leaks. To mitigate the risks, WAF monitors APIs and visualizes traffic to automatically identify and categorize API assets, and establishes models for legitimate access requests. This enables prompt identification of and response to abnormal API access and closes the handling loop.
Core benefits
The API security module can automatically identify APIs and detect API risks and attacks to meet your core requirements.
Detects all APIs that are required by your business. The API security module supports custom detection policies to help your security team configure comprehensive security protection for all APIs.
Detects API risks, such as unauthorized access, weak passwords, and API designs that do not comply with security conventions.
Detects API attacks, such as sensitive data thefts, API data crawling, brute-force attacks, dictionary attacks, and message flooding. This allows you to handle attacks and avoid business loss at the earliest opportunity.
Check the API security status
Before you enable the API security module, you can use basic detection to obtain security information about your APIs, including Security Event Overview, API Asset Overview, and Security Events. By default, the basic detection module is enabled for subscription WAF 3.0 instances free of charge. The basic detection module analyzes WAF logs offline and displays API asset statistics, abnormal event statistics, and the latest 10 abnormal API calls.
If you do not want to obtain basic detection data, you can skip this operation.
The basic detection module is unavailable for pay-as-you-go WAF 3.0 instances.
Basic detection data and detection results may be displayed with a delay. The basic detection module has weaker detection capabilities than the API security module, so the information that the two modules report may differ. The detection results of the API security module are more accurate.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
In the Basic Detection section, view basic detection data.
Security Event Overview: displays the total number of API security events, and the numbers of high-risk, medium-risk, and low-risk API security events.
API Asset Overview: displays the total number of API assets, the number of active APIs, and the number of deactivated APIs.
Security Events: displays the names, API paths, domain names, attack sources, and occurrence time of security events.
The basic detection module does not provide detailed data. If you want to view the number of APIs that transfer sensitive data or view risk details and risk handling suggestions for security events, you can enable the API security module. For more information, see Enable the API security module.
Feature description
The API security module automatically sorts the APIs of services that are protected by WAF and detects API security risks based on a built-in detection mechanism and custom detection policies. The module allows you to monitor cross-border transfers of sensitive data and trace sensitive data leaks. This can help you configure comprehensive management and security protection policies for your APIs. In addition to the statistics on the Overview tab, the API security module provides information on asset management, risks and events, compliance check and tracing and auditing, and policy configurations.
The asset management feature supports the query, statistics, and management of asset information.
The risks and events feature supports data query and statistics on risk detection, security events, and overall data.
If you want to transfer data to regions outside the Chinese mainland, you must apply to the national cyberspace administration through the local provincial cyberspace administration to arrange for a security assessment of the cross-border data transfer. You can use the compliance check and tracing and auditing features of the API security module to check and trace cross-border data transfer. The features are supported only in the Chinese mainland.
The policy configurations feature allows you to configure policies for risk detection, security events, sensitive data, authentication credentials, business purposes, lifecycle management, applicable objects, and log subscription. You can enable or disable the policies based on your business requirements. The feature supports built-in policies. You can also configure custom policies.
The following table describes the tabs on the API Security page and the features of the API Security module.
Tab | Feature | Description |
Overview | - | This tab displays API asset trends, risk trends, risky site statistics, attack trends, statistics on attacked sites, statistics on sensitive data types in requests, and statistics on sensitive data types in responses. |
Asset Management | Asset management | This feature analyzes access logs offline to automatically detect APIs and infers the business purpose of each API from its characteristics. |
Risk Detection | Risks and events | This feature detects various security risks, such as unauthorized access and sensitive data leaks, and provides risk analysis results and suggestions on how to handle the security risks. |
Security Events | Risks and events | This feature monitors and analyzes API calls to quickly detect abnormal requests and attacks. |
Compliance Check | Compliance check and tracing and auditing | The compliance check feature identifies risks that are associated with cross-border data transfer operations based on the Measures for the Security Assessment of Outbound Data Transfer. The API security module checks the compliance of transfer operations in the following scenarios: |
Tracing and Auditing | Compliance check and tracing and auditing | The tracing and auditing feature performs cross-validation on security events by using logs and sensitive data samples when sensitive data security events occur. |
Policy Configurations | Policy configurations | This feature supports built-in detection policies and allows you to configure custom detection policies. This increases the detection accuracy and recall rate of the API security module. You can also enable other features of the API security module for specific protected objects. |
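The basic detection and asset management features described above analyze access logs offline, group requests into API assets, mark APIs as active or inactive, and count the sensitive data types seen in requests and responses. The following is an added illustrative example of that kind of offline log analysis, not Alibaba Cloud WAF code: the log field names, the sample records, the sensitive-data patterns, and the risk rules are all assumptions made for the example, and the page does not document the log schema or the detection rules the module actually uses.

```python
"""Offline API-asset inventory and sensitive-data statistics from access-log records.

Illustrative example, not Alibaba Cloud WAF code. Field names, sample data,
patterns and risk rules are assumptions; only the idea (group logged requests
into API assets, flag inactive APIs, count sensitive data types per direction)
follows the page.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. "response_sample" stands in for the response
# characteristics the module is authorized to analyze after it is enabled.
LOG_RECORDS = [
    {"time": "2024-05-01T10:00:00", "host": "api.example.com", "method": "GET",
     "path": "/v1/users/1001", "authorization": "Bearer test-token", "request_body": "",
     "response_sample": '{"id":1001,"email":"alice@example.com","phone":"13800138000"}'},
    {"time": "2024-05-02T09:30:00", "host": "api.example.com", "method": "GET",
     "path": "/v1/users/1002", "authorization": "Bearer test-token", "request_body": "",
     "response_sample": '{"id":1002,"email":"carol@example.com"}'},
    {"time": "2024-05-02T11:00:00", "host": "api.example.com", "method": "GET",
     "path": "/v1/export/orders?page=1", "authorization": "", "request_body": "",
     "response_sample": '{"orders":[{"id":7,"card":"4111111111111111"}]}'},
    {"time": "2024-05-02T12:00:00", "host": "api.example.com", "method": "POST",
     "path": "/v1/login", "authorization": "Bearer test-token",
     "request_body": '{"user":"bob@example.com","password":"***"}', "response_sample": '{"ok":true}'},
    {"time": "2024-04-10T08:00:00", "host": "api.example.com", "method": "GET",
     "path": "/internal/debug/config", "authorization": "Bearer test-token", "request_body": "",
     "response_sample": '{"debug":true}'},
]
NOW = datetime(2024, 5, 3)  # fixed reference time so the example is reproducible

# Path segments that look like identifiers collapse to {id}, so /v1/users/1001 and
# /v1/users/1002 become one API asset rather than two.
_ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I)

SENSITIVE_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "cn_mobile": re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)"),
    "bank_card": re.compile(r"(?<!\d)\d{16,19}(?!\d)"),  # validated with Luhn below
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def normalize_path(path: str) -> str:
    """Strip the query string and replace identifier-like segments with {id}."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if _ID_SEGMENT.match(seg) else seg for seg in path.split("/"))


def find_sensitive(text: str) -> dict:
    """Return {sensitive_type: hit_count} for the patterns found in text."""
    counts = {}
    for name, pat in SENSITIVE_PATTERNS.items():
        hits = pat.findall(text)
        if name == "bank_card":
            hits = [h for h in hits if luhn_ok(h)]
        if hits:
            counts[name] = len(hits)
    return counts


def build_inventory(records, now=NOW, inactive_after=timedelta(days=7)) -> dict:
    """Group records into API assets keyed by (host, method, path template)."""
    assets = {}
    for r in records:
        key = (r["host"], r["method"], normalize_path(r["path"]))
        a = assets.setdefault(key, {"calls": 0, "last_seen": None, "unauth_calls": 0,
                                    "request_sensitive": defaultdict(int),
                                    "response_sensitive": defaultdict(int)})
        ts = datetime.fromisoformat(r["time"])
        a["calls"] += 1
        a["last_seen"] = ts if a["last_seen"] is None else max(a["last_seen"], ts)
        if not r.get("authorization"):
            a["unauth_calls"] += 1
        for t, n in find_sensitive(r.get("request_body", "")).items():
            a["request_sensitive"][t] += n
        for t, n in find_sensitive(r.get("response_sample", "")).items():
            a["response_sensitive"][t] += n
    for a in assets.values():  # "active" mirrors the active/deactivated split on the page
        a["active"] = (now - a["last_seen"]) <= inactive_after
    return assets


def summarize(assets) -> dict:
    """Overview-style totals: asset counts and sensitive data types per direction."""
    s = {"total_apis": len(assets), "active_apis": sum(a["active"] for a in assets.values()),
         "request_sensitive": defaultdict(int), "response_sensitive": defaultdict(int)}
    s["inactive_apis"] = s["total_apis"] - s["active_apis"]
    for a in assets.values():
        for direction in ("request_sensitive", "response_sensitive"):
            for t, n in a[direction].items():
                s[direction][t] += n
    s["request_sensitive"], s["response_sensitive"] = dict(s["request_sensitive"]), dict(s["response_sensitive"])
    return s


def detect_risks(assets) -> list:
    """Heuristic risk rules (assumptions for this example, not the module's rules)."""
    risks = []
    for (host, method, tmpl), a in assets.items():
        api = f"{method} {host}{tmpl}"
        if a["response_sensitive"] and a["unauth_calls"]:
            risks.append({"api": api, "level": "high", "type": "sensitive data returned without credentials"})
        elif a["response_sensitive"]:
            risks.append({"api": api, "level": "medium", "type": "sensitive data in responses"})
        if "/internal/" in tmpl or "/debug/" in tmpl:
            risks.append({"api": api, "level": "medium", "type": "internal API path exposed"})
    return risks


def analyze(records=LOG_RECORDS, now=NOW):
    assets = build_inventory(records, now)
    return assets, summarize(assets), detect_risks(assets)


if __name__ == "__main__":
    _, summary, risks = analyze()
    print(summary)
    for r in risks:
        print(r["level"], r["api"], "-", r["type"])
```

On the constructed records this yields 4 API assets (3 active, 1 inactive), response-side hits for email, cn_mobile and bank_card, one request-side email hit from the login endpoint, and three risks, the high one being the unauthenticated export endpoint that returns a card number. The Luhn check is what keeps an arbitrary 16-digit order number from being counted as a bank card.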
Enable the API security module
Preparations
A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.
The API security module is unavailable for protected objects that are added to WAF as Microservices Engine (MSE) instances or as Function Compute-related domain names.
Procedure
Data computing and analysis are performed offline on logs. The API security module does not actively probe your APIs by sending requests, so it does not affect your workloads.
The API security module detects responses that have specific characteristics and determines whether data leaks occurred. After you enable the API security module, WAF is authorized to analyze the responses. Enable the API security module based on your business requirements.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
Enable the API security module.
Apply for a free trial of the API security module
Note: You can apply for a free trial of the API security module only if you use a WAF Pro, Enterprise, or Ultimate instance. Each Alibaba Cloud account can apply for the free trial only once.
The free trial is valid for seven days. The security analysis results that are generated during the trial period are available only during the trial period. If you want to retain the security analysis results, enable the API security module before the trial period ends.
On the API Security page, click Try Now. On the page that appears, fill out the application and click Submit.
After Alibaba Cloud engineers receive your trial application, they will contact you within one week based on the contact information that you submit to confirm information that is related to your application. After your trial application is approved, the API security module is automatically enabled for your WAF instance.
Enable the API security module
On the API Security page, click Enable Now.
In the Enable Now panel, set the API Security parameter to Enable, click Buy Now, and then complete the payment.
View API security data
On the Overview tab of the API Security page, you can view the following information: API Asset Trend, Risk Trend, Risky Site Statistics, Attack Trend, Statistics on Attacked Sites, Statistics on Request Sensitive Data Types, and Statistics on Response Sensitive Data Types. The default statistical period is 30 days.
Supported query and filter operations
In the API Asset Trend, Risk Trend, and Attack Trend sections, you can click a legend item such as Total API Assets and Active APIs below a chart to filter data and view the data that you are interested in.
In the Risky Site Statistics, Statistics on Attacked Sites, Statistics on Request Sensitive Data Types, and Statistics on Response Sensitive Data Types sections, you can sort data in ascending or descending order.
To view more information about risk detection, you can click More in the upper-right corner of the Risky Site Statistics section to go to the related tab. You can also click a number in the section to go to the related tab and view detailed data that meets the filter conditions.
To view more information about security events, you can click More in the upper-right corner of the Statistics on Attacked Sites section to go to the related tab. You can also click a number in the section to go to the related tab and view detailed data that meets the filter conditions.
To view more information about asset management, you can click More in the upper-right corner of the Statistics on Request Sensitive Data Types or Statistics on Response Sensitive Data Types section. You can also click a number in the section to go to the related tab and view detailed data that meets the filter conditions.
FAQ
You can use CloudMonitor to configure monitoring and alerting for API security events. This allows WAF to send alert notifications to you when high-risk events are detected and helps you monitor the status of your API assets. For more information, see Configure CloudMonitor notifications.