This page applies to Apigee, but not to Apigee hybrid.
View Apigee Edge documentation.
Advanced API Security continually monitors your APIs to protect them from security threats, including attacks from malicious clients and abuse. Advanced API Security analyzes your API traffic to identify suspicious API requests, and provides tools that can block or flag those requests. In addition, Advanced API Security evaluates your API configurations to ensure they meet security standards, and gives you recommendations for improving them if needed.
If you are an Apigee Pay-as-you-go customer, Advanced API Security is available as a paid add-on. This topic describes how to enable and manage the Advanced API Security add-on for eligible Pay-as-you-go environments. For more information on using Advanced API Security after the add-on is enabled in your Apigee environments, see Overview of Advanced API Security.
Availability
Advanced API Security is available as a paid add-on capability that is managed for each Apigee environment in your Apigee implementation. The add-on can be enabled in any Apigee Intermediate or Comprehensive environment. You cannot enable and use Advanced API Security in Base environments. For more details on Apigee environment capabilities, see Comparison of environment types.
Required roles and permissions
To get the permissions that you need to manage the Advanced API Security add-on,
ask your administrator to grant you the
Apigee Environment Admin (apigee.environment.admin
)
IAM role on the project.
For more information about granting roles, see Manage access to projects, folders, and organizations.
This predefined role contains the permissions required to manage the Advanced API Security add-on. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to manage the Advanced API Security add-on:
-
apigee.addonsconfig.get
-
apigee.addonsconfig.update
You might also be able to get these permissions with custom roles or other predefined roles.
After the add-on is enabled, additional roles may be required to perform tasks using Advanced API Security. For more information, see Required roles.
Enable the Advanced API Security add-on
You can enable the Advanced API Security add-on for an Intermediate or Comprehensive Apigee environment using the Apigee UI in the Google Cloud console or using the API, as described in the following sections.
Apigee in Google Cloud console
To enable the Advanced API Security add-on in the Google Cloud console:
- Open the Apigee page in the console.
- Select the project with the Pay-as-you-go organization and environments you wish to manage.
- Select Add-ons > Advanced API Security to open the Advanced API Security add-on page.
- In the Manage Advanced API Security add-on pane, select the checkbox for the environment (or environments) where you want to enable the add-on.
- Click Enable selected.
- When enablement is complete for the selected environments, the environment Status will display Enabled.
- Select Advanced API Security to view page options for using your security data, including Risk assessment, Abuse detection, Security reports, and Security actions. It may take up to 10 minutes to display the Advanced API Security data.
Apigee API
To enable the Advanced API Security add-on using the Apigee API, enter the following command:
curl -X POST \ https://apigee.googleapis.com/v1/organizations/ORG_NAME/environments/ENV_NAME/addonsConfig:setAddonEnablement \ -H "Authorization: Bearer $token" \ -H "Content-type: application/json" \ -d '{"apiSecurityEnabled":true}'
Where:
- ORG_NAME is the name of the Apigee Pay-as-you-go organization where you want to add Advanced API Security to eligible environments.
- ENV_NAME is the name of the Apigee environment where you wish to enable the Advanced API Security add-on.
Once enablement completes, click Advanced API Security to view page options for using your security data, including Risk assessment, Abuse detection, Security reports, and Security actions. It may take up to 10 minutes to display the Advanced API Security data in the UI, or be available via an API call.
The Advanced API Security add-on enablement process can take up to 15 minutes. Once enabled, security data for the environment is retained for 14 months. You can access the environment's historic data from the Advanced API Security pages in the console as long as the add-on is enabled.
Billing for use of the Advanced API Security add-on begins once add-on enablement begins.
Disable the Advanced API Security add-on
You can disable the Advanced API Security add-on for an Intermediate or Comprehensive Apigee environment using the Apigee UI in the Google Cloud console or using the API, as described in the following sections.
Apigee in Cloud console
To disable the Advanced API Security add-on in the Google Cloud console:
- Open the Apigee page in the console.
- Select the project with the Pay-as-you-go organization and environments you wish to manage.
- Select Add-ons > Advanced API Security to open the Advanced API Security add-on page.
- In the Manage Advanced API Security add-on pane, select the checkbox for the environment (or environments) where you want to disable the add-on.
- Click Disable selected.
- When disablement completes, the Status will display Disabled for each environment.
Apigee API
To disable the Advanced API Security add-on using the Apigee API, enter the following command:
curl -X POST \ https://apigee.googleapis.com/v1/organizations/ORG_NAME/environments/ENV_NAME/addonsConfig:setAddonEnablement \ -H "Authorization: Bearer $token" \ -H "Content-type: application/json" \ -d '{"apiSecurityEnabled":false}'
Where:
- ORG_NAME is the name of the Apigee Pay-as-you-go organization where you want to disable Advanced API Security in eligible environments.
- ENV_NAME is the name of the Apigee environment where you wish to disable the Advanced API Security add-on.
View Advanced API Security add-on status in an environment
You can check the status of the Advanced API Security add-on for an Intermediate or Comprehensive Apigee environment using the Apigee UI in the Google Cloud console or using the API, as described in the following sections.
Apigee in Google Cloud console
To view the status of the Advanced API Security add-on in an environment using the Google Cloud console:
- Open the Apigee page in the console.
- Select the project with the Pay-as-you-go organization and environments you wish to manage.
- Select Add-ons > Advanced API Security to open the Advanced API Security add-on page.
- In the Manage Advanced API Security add-on pane, a list of environments displays.
- In the status column, you can see whether the add-on is Enabled or Disabled in each Intermediate or Comprehensive environment. Base environments do not display either status.
Apigee API
To view the status of the Advanced API Security add-on in an environment using the Apigee API, enter the following command:
curl -X GET \ https://apigee.googleapis.com/v1/organizations/ORG_NAME/environments/ENV_NAME/addonsConfig \ -H "Authorization: Bearer $token" \ -H "Content-type: application/json"
Where:
- ORG_NAME is the name of the Apigee Pay-as-you-go organization.
- ENV_NAME is the name of the Apigee environment.
The response returns an ApiSecurityConfig
object representing the current status of the add-on.
Manage your Advanced API Security data
Once the Advanced API Security add-on is enabled for an environment, security data for the environment is retained for 14 months. You can access the environment's previously generated security reports for the environment from the Security reports page in the console, but new reports cannot be created.
If you disable the Advanced API Security add-on in an environment, the security data for the environment is deleted after 30 days. If you re-enable the add-on in the same environment within 30 days of disablement, you can regain access to security data for the environment through the retention period of 14 months. No data is restored if the add-on is re-enabled for the environment after 30 days.
If you want to retain security reports for any environment beyond the 14-month retention period, we recommend exporting and saving your data in another location. You may also want to export your Advanced API Security data before disabling the add-on, or within the 30-day window after disablement. You can export your security reports using the Export button on the Security reports page in the console or download a report using the Security reports API.