Amazon API Gateway

Amazon API Gateway by Amazon Web Services (AWS) enables you to create, publish, maintain, monitor, and secure REST, HTTP, and WebSocket APIs at any scale. You can bring API endpoint data from Amazon API Gateway into Brinqa to gain a unified view of your attack surface, thus strengthening your cybersecurity posture. The connector captures both REST APIs (API Gateway v1) and HTTP/WebSocket APIs (API Gateway v2), including per-method and per-route authorization visibility and derived flags that identify APIs with anonymous public access.

This document details the information you must provide for the connector to authenticate with Amazon API Gateway and how to obtain that information from Amazon. See create a data integration for step-by-step instructions on setting up the integration.

Required connection settings

When setting up a data integration, select Amazon API Gateway from the Connector dropdown. If you cannot find the connector in the dropdown, make sure that you have installed it first. You must provide the following information to authenticate Amazon API Gateway with Brinqa:

  • Access key ID and Secret access key: The access keys associated with the AWS account. The account must have the required read-only permissions for API Gateway. For additional information, see Create an IAM user for AWS access.

  • Default region: The AWS region for the connector. If not specified, the connector uses the AWS Default Region Provider Chain to automatically determine the most appropriate region. For additional information on the AWS Default Region Provider Chain, refer to the AWS documentation.

Create an IAM user for AWS access

The connector authenticates using the AWS SDK's credential resolution chain. If an assume-role ARN is configured, the connector assumes that IAM role using the provided credentials. Otherwise, it uses the provided access keys directly, falling back to the AWS Default Credential Provider Chain (environment variables, ~/.aws/credentials, or EC2 instance metadata).

The IAM user or role must have the following permissions:

apigateway:GET
apigatewayv2:GET

Additional settings

The Amazon API Gateway connector contains additional options for specific configuration:

  • Assume role ARN: ARN of an IAM role to assume. Provide a comma-separated list to assume multiple roles in the same sync.
  • Session duration: Assume-role session duration in seconds. The default setting is 3600.
  • Page size: The maximum number of records to get per API request. The default setting is 100. It is not recommended to go over 100.
  • Parallel requests: The maximum number of parallel API requests. The default setting is 8.
  • Maximum retries: The maximum number of times that the integration attempts to connect to the Amazon API Gateway API before giving up and reporting a failure. The default setting is 10.

Types of data to retrieve

The Amazon API Gateway connector can retrieve the following types of data from the Amazon API Gateway API:

Table 1: Data retrieved from Amazon API Gateway

| Connector Object | Required | Maps to Data Model |
| --- | --- | --- |
| ApiGatewayHttpApi | Yes | API Endpoint |
| ApiGatewayRestApi | Yes | API Endpoint |

Info: For detailed steps on how to view the data retrieved from Amazon API Gateway in the Brinqa Platform, see How to view your data.

Attribute mappings

Expand the sections below to view the mappings between the source and the Brinqa data model attributes.

ApiGatewayHttpApi

Table 2: ApiGatewayHttpApi attribute mappings

| Source Field Name | SDM Attribute |
| --- | --- |
| Api.apiId | API_ID |
| Api.name | API_NAME |
| Constant AWS | CLOUD_PROVIDER |
| Api.description | DESCRIPTION |
| Api.disableExecuteApiEndpoint | DISABLE_EXECUTE_API_ENDPOINT |
| Api.createdDate | FIRST_SEEN |
| Generated (true when any route tuple ends in :NONE) | HAS_PUBLIC_ROUTE |
| Sync timestamp | LAST_CAPTURED |
| Api.name (falls back to apiId) | NAME |
| Api.protocolTypeAsString() | PROTOCOL_TYPE |
| Sync region | REGION |
| Derived from GetRoutes (ROUTE-KEY:AUTH-TYPE tuples) | ROUTES |
| Api.tags (rendered as key:value) | TAGS |
| {region}:{Api.apiId} | UID |
| Api.apiEndpoint | URL |
| Api.version | VERSION |

ApiGatewayRestApi

Table 3: ApiGatewayRestApi attribute mappings

| Source Field Name | SDM Attribute |
| --- | --- |
| RestApi.id | API_ID |
| RestApi.name | API_NAME |
| Constant AWS | CLOUD_PROVIDER |
| RestApi.description | DESCRIPTION |
| RestApi.disableExecuteApiEndpoint | DISABLE_EXECUTE_API_ENDPOINT |
| RestApi.endpointConfiguration.typesAsStrings() | ENDPOINT_TYPES |
| RestApi.createdDate | FIRST_SEEN |
| Generated (true when any method tuple ends in :NONE) | HAS_PUBLIC_METHOD |
| Sync timestamp | LAST_CAPTURED |
| Derived from GetResources (HTTP-METHOD PATH:AUTH-TYPE tuples) | METHODS |
| RestApi.name (falls back to id) | NAME |
| Sync region | REGION |
| RestApi.policy | RESOURCE_POLICY |
| RestApi.tags (rendered as key:value) | TAGS |
| {region}:{RestApi.id} | UID |
| RestApi.version | VERSION |
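
The ROUTES and METHODS tuples and the HAS_PUBLIC_ROUTE / HAS_PUBLIC_METHOD flags described in Tables 2 and 3 can be reproduced for review outside the platform. The following Python is an added example, not the connector's own code; the function names, the UNKNOWN placeholder for a missing authorization type, and the constructed sample responses are assumptions.

```python
# Added example (not connector code). Sample responses below are constructed.

def http_api_routes(get_routes_response):
    """ROUTE-KEY:AUTH-TYPE tuples from an apigatewayv2 GetRoutes response."""
    return sorted(
        f"{r['RouteKey']}:{r.get('AuthorizationType') or 'UNKNOWN'}"
        for r in get_routes_response.get("Items", [])
    )

def rest_api_methods(get_resources_response):
    """HTTP-METHOD PATH:AUTH-TYPE tuples from GetResources with embed=methods."""
    tuples = []
    for res in get_resources_response.get("items", []):
        # Resources without methods (often "/") carry no resourceMethods key.
        for verb, method in (res.get("resourceMethods") or {}).items():
            # Without embed=methods the method objects come back empty; report
            # UNKNOWN (assumed placeholder) instead of guessing NONE.
            auth = method.get("authorizationType") or "UNKNOWN"
            tuples.append(f"{verb} {res['path']}:{auth}")
    return sorted(tuples)

def public_entries(tuples):
    """Tuples ending in :NONE, i.e. entries with no authorization type set."""
    return [t for t in tuples if t.endswith(":NONE")]

def has_public(tuples):
    """The rule stated for HAS_PUBLIC_ROUTE / HAS_PUBLIC_METHOD."""
    return bool(public_entries(tuples))

# Constructed responses, shaped like boto3 get_routes / get_resources output.
SAMPLE_ROUTES = {"Items": [
    {"RouteKey": "GET /orders", "AuthorizationType": "JWT"},
    {"RouteKey": "POST /webhook", "AuthorizationType": "NONE"},
    {"RouteKey": "$default", "AuthorizationType": "AWS_IAM"},
]}
SAMPLE_RESOURCES = {"items": [
    {"path": "/"},
    {"path": "/pets", "resourceMethods": {
        "GET": {"httpMethod": "GET", "authorizationType": "AWS_IAM"},
        "OPTIONS": {"httpMethod": "OPTIONS", "authorizationType": "NONE"},
    }},
    {"path": "/pets/{id}", "resourceMethods": {
        "DELETE": {"httpMethod": "DELETE", "authorizationType": "CUSTOM"},
    }},
]}

if __name__ == "__main__":
    for label, tuples in (("ROUTES", http_api_routes(SAMPLE_ROUTES)),
                          ("METHODS", rest_api_methods(SAMPLE_RESOURCES))):
        print(label, tuples, "public:", has_public(tuples), public_entries(tuples))
```

A :NONE tuple reflects only the route or method authorization type, so review RESOURCE_POLICY, ENDPOINT_TYPES and DISABLE_EXECUTE_API_ENDPOINT alongside the flag. Under the rule as stated, a CORS preflight OPTIONS method with NONE is enough to set it, as the sample REST API shows.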

Operation options

Info: The Amazon API Gateway connector does not support operation options at this time.

APIs

The Amazon API Gateway connector uses the Amazon API Gateway REST API and the Amazon API Gateway v2 API. Specifically, it uses the following endpoints:

Table 4: Amazon API Gateway API endpoints

| Connector Object | API Endpoint |
| --- | --- |
| ApiGatewayHttpApi | apigatewayv2:GetApis, apigatewayv2:GetRoutes |
| ApiGatewayRestApi | apigateway:GetRestApis, apigateway:GetResources (with embed=methods) |

Changelog

The Amazon API Gateway connector has undergone the following changes:

Note: This connector is part of a bundled release with other connectors from the same vendor. If a version shows "No change", it means that the connector version was updated for consistency as part of the bundle, but no functional changes were made to this specific connector. You can update to or skip this version without affecting your existing configuration.

Table 5: Amazon API Gateway connector changelog

| Version | Description | Date Published |
| --- | --- | --- |
| 3.1.0 | Initial Integration+ release. | June 1st, 2026 |