API Protect: AWS Permission-less Onboarding

To observe APIs built with a Lambda function in your AWS account, Data Theorem will generate a CloudFormation template that will run in the protected API’s AWS account. For security reasons, Data Theorem maintains a strict separation between DT and your AWS account. Accordingly, we “hand off” the template for you to execute in your environment without ever granting DT any access.

  • Data Theorem will not have any new or additional access to your AWS account

  • Data Theorem will not have any “Write” access in your AWS account

  • Data Theorem will not have any IAM account, role, or permissions in your AWS account

Complete Onboarding Flow

How We Use CloudFormation To Install API Protect

Clicking “Protect Now” on an API in the DT portal generates a link to a CloudFormation template that you execute in your environment. The CF template does the following:

  1. Creates a role that can inspect the configuration of the Lambda functions to be protected

  2. Creates an install Lambda, which runs once for the install

  3. Grants the role to the install Lambda

  4. Runs the install Lambda to install the latest version of the Data Theorem Lambda Layer on the protected functions

At this point you may delete the CloudFormation stack. Deleting it also deletes the install Lambda and the role.

What Install Requires

You will need to be able to log in to the AWS console for the account containing the protected APIs. The user you log in as must be able to create CloudFormation stacks and Lambda functions.