The API security module is an independent module of Web Application Firewall (WAF) and is billed separately. The API security module automatically discovers and classifies the APIs of services that are protected by WAF and detects API vulnerabilities based on a built-in detection mechanism and custom detection policies. These vulnerabilities include unauthorized access to APIs, exposure of sensitive data, and exposure of internal APIs. The module allows you to trace abnormal API events, check the compliance of cross-border data transfers, trace sensitive data by using reports, and fix detected vulnerabilities. The module also provides data for API lifecycle management to help you identify and manage all APIs that your business requires and improve the security of those APIs throughout the entire data flow. This topic describes how to configure the API security module.
Introduction
In the era of digital economy, enterprises face a rapidly changing environment that demands quick responses to external changes. To enhance efficiency, enterprises must share data with third parties. The use of APIs to facilitate communication between systems is an important means for internal and external system integration within enterprises. An increasing number of enterprises are opening up their capabilities and resources by using API platforms to build industrial ecosystems. Partners can leverage open and high-quality resources for rapid integration and innovation, which helps promote the birth of the API economy and generate more value from data exchanges. Enterprises face the important task of providing a large number of API services and value-added data services. However, with the rapid development of APIs, risks are also increasing. Unauthorized access to APIs by attackers, configuration errors, and illegitimate API access requests can lead to sensitive data leaks. To mitigate these risks, WAF monitors APIs and visualizes traffic to automatically identify and categorize API services, and establishes models for legitimate access requests. This enables prompt identification and response to abnormal API access and ensures a secure and efficient system.
Core benefits
The API security module can automatically identify APIs and detect API vulnerabilities and attacks to meet your core requirements.
Detects all APIs that are required by your business. The API security module also supports custom detection policies to help your security team configure comprehensive security protection for all APIs.
Detects API vulnerabilities, such as unauthorized access, weak passwords, and API designs that do not follow security conventions.
Detects API attacks, such as sensitive data theft, API data crawling, brute-force attacks, dictionary attacks, and message flooding, so that you can respond to attacks at the earliest opportunity and avoid business loss.
Check the API security status
Before you enable the API security module, you can use basic detection to obtain security information about your APIs, including the overviews of security events and API assets. By default, basic detection is enabled for subscription WAF 3.0 instances. The basic detection module analyzes WAF logs offline and displays API asset statistics, abnormal event statistics, and the latest 10 abnormal API calls.
If you do not want to obtain basic detection data, skip this step.
Basic detection is unavailable for pay-as-you-go WAF 3.0 instances.
Basic detection data and detection results may be displayed with a delay. The detection capabilities of the basic detection module are weaker than those of the API security module, so the information obtained from the two modules may differ. The detection results of the API security module are more accurate.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.
In the left-side navigation pane, choose .
In the Basic Detection section, view basic detection data.
Security Event Overview: displays the total number of API security events, and the number of high-risk, medium-risk, and low-risk API security events.
API Asset Overview: displays the total number of API assets, the number of active APIs, and the number of deactivated APIs.
Security Events: displays the names, API paths, domain names, attack sources, and occurrence time of the security events.
The basic detection module does not provide detailed data on API security and abnormal events. If you want to view the number of APIs that transfer sensitive data or view risk details and suggestions on how to handle security events, you can enable the API security module. For more information, see Enable the API security module.
Feature description
The API security module automatically discovers and classifies the APIs of services that are protected by WAF and detects API security risks based on a built-in detection mechanism and custom detection policies. The module allows you to monitor cross-border transfers of sensitive data and trace sensitive data leaks. This can help you configure comprehensive management and security protection policies for your APIs. In addition to the statistics on the Overview tab, the API security module provides information on asset management, risks and events, compliance check and tracing and auditing, and security policy configuration.
The asset management feature supports the query, statistics, and management of asset information.
The risks and events feature supports data query and statistics on risk detection, security events, and overall data.
If you transfer data to recipients outside the Chinese mainland, you must apply, through your local provincial cyberspace administration, to the national cyberspace administration for a security assessment of the cross-border data transfer. You can use the compliance check and the tracing and auditing features of the API security module to check and trace cross-border data transfers. These features are available only in the Chinese mainland region.
The policy configuration feature allows you to configure policies for risk detection, security events, sensitive data, authentication credentials, business purposes, lifecycle management, applicable objects, and log subscription. You can enable or disable the policies. In addition to the built-in policies, you can also configure custom policies.
The following table describes the four features, which are spread across seven tabs.
Tab | Feature | Description
--- | --- | ---
Overview | - | Displays API asset trends, risk trends, risky site statistics, attack trends, statistics on attacked sites, statistics on request sensitive data types, and statistics on response sensitive data types.
Asset Management | Asset management | Analyzes access logs offline to automatically detect APIs and identify the reasons why APIs are called based on API characteristics.
Risk Detection | Risks and events | Detects various security risks, such as unauthorized access and sensitive data leaks, and provides risk analysis and suggestions on how to handle the security risks.
Security Events | Risks and events | Monitors and analyzes API calls to quickly detect abnormal requests and attacks.
Compliance Check | Compliance check and tracing and auditing | Identifies risks that are associated with cross-border data transfer operations based on the Measures for the Security Assessment of Outbound Data Transfer. The API security module checks the compliance of transfer operations in the following scenarios:
Tracing and Auditing | Compliance check and tracing and auditing | Performs cross-validation on security events by using logs and sensitive data samples when sensitive data security events occur.
Policy Configurations | Policy configuration | Supports the configuration of custom detection policies based on business requirements. This increases the detection accuracy and recall rate of the API security module. This feature allows you to configure the API security module for a specific protected object.
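To make the asset management, risk detection, and security event descriptions above concrete, the following Python script is an added illustration. It is not Alibaba Cloud code and does not reproduce the module's built-in rules. It assumes a tab-separated log format (host, method, path, status code, client IP, response body excerpt) and a small set of sensitive-data regexes; the sample log lines are constructed. The script rebuilds an API inventory from raw paths by templating variable segments, marks API templates whose successful responses contain sensitive data, and flags a client that enumerates many IDs on one template as possible data crawling.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records (not real WAF log output). Assumed tab-separated
# fields: host, method, path, status, client_ip, response body excerpt.
SAMPLE_LOGS = [
    "api.example.com\tGET\t/v1/users/1001\t200\t203.0.113.5\t{\"id\":1001,\"phone\":\"13812345678\"}",
    "api.example.com\tGET\t/v1/users/1002\t200\t203.0.113.5\t{\"id\":1002,\"phone\":\"13987654321\"}",
    "api.example.com\tGET\t/v1/users/1003\t200\t203.0.113.5\t{\"id\":1003,\"email\":\"u3@example.com\"}",
    "api.example.com\tGET\t/v1/users/1004\t200\t203.0.113.5\t{\"id\":1004}",
    "api.example.com\tPOST\t/v1/login\t401\t198.51.100.7\t{\"error\":\"bad credentials\"}",
    "api.example.com\tGET\t/v1/orders/550e8400-e29b-41d4-a716-446655440000\t200\t192.0.2.10\t{\"total\":42}",
    "api.example.com\tGET\t/v1/health\t200\t192.0.2.10\tok",
    "api.example.com\tGET\t/v1/users/1001\t200\t192.0.2.10\t{\"id\":1001,\"phone\":\"13812345678\"}",
]

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Assumed patterns for a few sensitive data types (illustrative, not the module's rules).
SENSITIVE_PATTERNS = {
    "phone": re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)"),               # Chinese mobile number
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "id_card": re.compile(r"(?<![\dXx])\d{17}[\dXx](?![\dXx])"),    # 18-character PRC ID number
}


def normalize_path(path):
    """Collapse variable segments so /v1/users/1001 and /v1/users/1002 map to one API template."""
    parts = []
    for seg in path.split("/"):
        if seg.isdigit():
            parts.append("{id}")
        elif UUID_RE.match(seg):
            parts.append("{uuid}")
        else:
            parts.append(seg)
    return "/".join(parts)


def parse_line(line):
    host, method, path, status, client_ip, body = line.split("\t", 5)
    return {"host": host, "method": method, "path": path, "status": int(status),
            "client_ip": client_ip, "body": body,
            "asset": (host, method, normalize_path(path))}


def find_sensitive(text):
    """Return the set of sensitive data types whose pattern appears in text."""
    return {name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(text)}


def analyze(lines, crawl_threshold=3):
    """Offline pass over log lines: inventory APIs, tag sensitive responses, flag enumeration."""
    records = [parse_line(line) for line in lines]
    assets = Counter(r["asset"] for r in records)          # API inventory with call counts
    sensitive = defaultdict(set)                            # asset -> sensitive types in responses
    enumerated = defaultdict(set)                           # (client, asset) -> distinct raw paths
    for r in records:
        if r["status"] < 400:                               # only successful responses leak data
            sensitive[r["asset"]] |= find_sensitive(r["body"])
        enumerated[(r["client_ip"], r["asset"])].add(r["path"])
    # A client walking many distinct IDs on one template looks like data crawling.
    crawlers = sorted((ip, asset[2], len(paths))
                      for (ip, asset), paths in enumerated.items()
                      if len(paths) >= crawl_threshold)
    return {"assets": dict(assets),
            "sensitive": {a: t for a, t in sensitive.items() if t},
            "crawlers": crawlers}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOGS)
    for asset, count in sorted(report["assets"].items()):
        print(f"{asset[1]} {asset[0]}{asset[2]}: {count} calls, sensitive={sorted(report['sensitive'].get(asset, []))}")
    for ip, template, n in report["crawlers"]:
        print(f"possible data crawling: {ip} enumerated {n} distinct resources on {template}")
```

The two heuristics mirror what the table calls asset management (templating raw paths into API assets) and security events (enumeration by one source against one asset). The thresholds and patterns are deliberately simple; in practice the response sampling, the sensitive-data dictionary, and the per-client baselines are what the module's policy configuration lets you tune.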
Enable the API security module
Preparations
A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.
The API security module is unavailable for APIs of the Microservices Engine (MSE) and Function Compute resources that are protected by WAF.
Procedure
Data computing and analysis are performed offline. The API security module does not actively detect APIs and does not affect your workloads.
The API security module inspects responses that have specific characteristics to determine whether data leaks occurred. When you enable the API security module, you authorize WAF to analyze the response data of your protected objects. Decide whether to enable the module based on your business requirements.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.
In the left-side navigation pane, choose .
Enable the API security module.
Apply for a free trial of the API security module
Note: Each Alibaba Cloud account can apply for the free trial only once.
The free trial is valid for seven days. The security analysis results that are generated during the trial period are available only during the trial period. If you want to retain the security analysis results, enable the API security module before the trial period ends.
On the API Security page, click Try Now. On the page that appears, fill out the application and click Submit.
After Alibaba Cloud engineers receive your trial application, they will contact you within one week based on the contact information that you submit and confirm information that is related to your application. After your trial application is approved, the API security module is automatically enabled for your WAF instance.
Enable the API security module
On the API Security page, click Enable Now.
On the page that appears, set the API Security parameter to Enable, click Buy Now, and then complete the payment.
View API security data
On the Overview tab of the API Security page, you can view the following information: API Asset Trend, Risk Trend, Risky Site Statistics, Attack Trend, Statistics on Attacked Sites, Statistics on Request Sensitive Data Types, and Statistics on Response Sensitive Data Types. The default statistical period is 30 days.
Supported query operations
In the API Asset Trend, Risk Trend, and Attack Trend sections, you can click the legends such as Total API Assets and Active APIs below a chart to view the data that interests you.
In the Risky Site Statistics, Statistics on Attacked Sites, Statistics on Request Sensitive Data Types, and Statistics on Response Sensitive Data Types sections, you can sort the data in ascending or descending order.
To view more risk detection information, you can click More in the upper-right corner of the Risky Site Statistics section to go to the corresponding tab. You can also click a number in the section to go to the corresponding tab and view detailed data filtered by relevant conditions.
To view more information about security events, you can click More in the upper-right corner of the Statistics on Attacked Sites section to go to the corresponding tab. You can also click a number in the section to go to the corresponding tab and view detailed data filtered by relevant conditions.
To view more information about asset management, you can click More in the upper-right corner of the Statistics on Request Sensitive Data Types or Statistics on Response Sensitive Data Types section. You can also click a number in the section to go to the corresponding tab and view detailed data filtered by relevant conditions.
FAQ
You can use CloudMonitor to configure monitoring and alerting for API security events. This allows WAF to send alert notifications to you when high-risk events are detected and helps you monitor the status of your API assets at the earliest opportunity. For more information, see Configure CloudMonitor notifications.
For information about the capabilities of the API security module, see the following FAQs: