API Service Graph Connector for AWS API Gateway - Setup Instructions

AWS API Gateway keeps two sets of API inventory. REST APIs are gathered with one set of queries, and HTTP and WebSocket APIs are gathered with a second set of queries. This integration collects both sets of inventory.

To set up the connection, an access key and secret key for an IAM user are needed. The other requirement is an IAM role that this user can assume and that holds the permissions needed to make the queries that gather the APIs. Below is an example role policy that can be defined in AWS and used in the setup of the connector. It is read-only: apigateway:GET is the only action granted, and it is the only action the basic flow needs.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ServiceNowAPIGatewayReadOnly",
      "Effect": "Allow",
      "Action": [
        "apigateway:GET"
      ],
      "Resource": "arn:aws:apigateway:*::/*"
    }
  ]
}

A trust relationship must also be established for the IAM user whose access key and secret key the integration uses. The role's trust policy needs a statement for that user similar to the "LocalIAM" section below. Replace <account id> and <username> with your account ID and the name of the integration user; the "AWS" principal must be the same user whose keys are entered in the connector. The "Federated" statement may exist if your organization uses single sign-on to AWS accounts, but it is not necessary for the role to operate and can be omitted.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<account id>:saml-provider/Okta"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    },
    {
      "Sid": "LocalIAM",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account id>:user/<username>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Because the trust policy names the user explicitly and the user is in the same account as the role, no additional identity policy granting sts:AssumeRole is required on the user. If the user and the role are in different accounts, the user's own policy must also allow sts:AssumeRole on the role ARN.

The following permission is needed to pull the data using this connector:

apigateway:GET

If a config aggregator is being used, the following permissions are also needed to pull the data:

config:DescribeConfigurationAggregators
config:ListAggregateDiscoveredResources
config:SelectAggregateResourceConfig
config:BatchGetAggregateResourceConfig

If API usage data is needed, the following permissions are also needed to pull the data:

cloudwatch:GetMetricWidgetImage
cloudwatch:GetMetricStream
cloudwatch:GetMetricStatistics
cloudwatch:GetMetricData

If the management account flow is being used, the following permission is needed to pull all account details:

organizations:ListAccounts

If the value of the 'Region(s)' property is left empty, the following permission is needed to pull all active regions:

ec2:DescribeRegions

All of these permissions go on the IAM role that the connector assumes, not on the IAM user.

The following connection properties are set as part of connection setup. The connection supports three flows to fetch the data:

Using management account: This can be used when there is a management account designated in AWS. This account will in turn fetch the list of member accounts and try to fetch data from each one.
Using standalone account: This can be used when there is only one account that has all the data.
Config aggregator: This can be used when a config aggregator is set up in AWS Config and the config permissions listed above are granted to the IAM role. This is the most efficient method in terms of performance. Three connection properties apply only to this flow.

The other properties are:

STS assume role name: The name of the role created with the necessary permissions. This is mandatory.
AWS regions: This can be a comma-separated list of the AWS regions that hold the data. If left empty, all active regions are fetched (this requires ec2:DescribeRegions) and an attempt is made to get the data from every region, which impacts performance.
Collect usage data: Select this if API usage data is to be fetched. The CloudWatch permissions listed above are required for this.
Collection period: The frequency at which API usage data is to be fetched.
Gov cloud: Select this if the data resides in the AWS GovCloud regions.
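The following script is an added example, not part of the ServiceNow connector. It embeds the two policy documents shown above and checks offline that the permission policy covers every action the chosen flow and options need (honouring IAM wildcards such as cloudwatch:Get*) and that the trust policy explicitly lets the connector's IAM user assume the role. The account ID 123456789012 and user name servicenow-apigw are placeholder assumptions. The inventory function at the end is the live query that the connector's two query sets correspond to (REST via apigateway, HTTP and WebSocket via apigatewayv2); it needs boto3 and real credentials and is not exercised offline.

```python
"""Pre-flight check for the AWS API Gateway connector role (added example)."""
import fnmatch
import json

# Permission policy from the setup instructions (read-only on API Gateway).
PERMISSION_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ServiceNowAPIGatewayReadOnly",
  "Effect": "Allow", "Action": [ "apigateway:GET" ],
  "Resource": "arn:aws:apigateway:*::/*" } ] }
""")

ACCOUNT_ID = "123456789012"    # assumed placeholder for <account id>
USERNAME = "servicenow-apigw"  # assumed placeholder for <username>
USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/{USERNAME}"

# Trust policy from the setup instructions, with the optional SAML statement kept
# to show that it is ignored by the check (different action, federated principal).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/Okta"},
         "Action": "sts:AssumeRoleWithSAML",
         "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}},
        {"Sid": "LocalIAM", "Effect": "Allow",
         "Principal": {"AWS": USER_ARN}, "Action": "sts:AssumeRole"},
    ],
}

# Action sets per option, exactly as listed in the setup instructions.
BASE = {"apigateway:GET"}
AGGREGATOR = {"config:DescribeConfigurationAggregators", "config:ListAggregateDiscoveredResources",
              "config:SelectAggregateResourceConfig", "config:BatchGetAggregateResourceConfig"}
USAGE = {"cloudwatch:GetMetricWidgetImage", "cloudwatch:GetMetricStream",
         "cloudwatch:GetMetricStatistics", "cloudwatch:GetMetricData"}
MANAGEMENT = {"organizations:ListAccounts"}
ALL_REGIONS = {"ec2:DescribeRegions"}


def _as_list(value):
    """IAM allows a string or a list in Action/Principal/Statement fields."""
    return value if isinstance(value, list) else [value]


def required_actions(flow, collect_usage=False, regions=""):
    """Actions the role needs for flow in {standalone, management, aggregator}."""
    needed = set(BASE)
    if flow == "management":
        needed |= MANAGEMENT
    elif flow == "aggregator":
        needed |= AGGREGATOR
    elif flow != "standalone":
        raise ValueError(f"unknown flow {flow!r}")
    if collect_usage:
        needed |= USAGE
    if not regions.strip():          # empty Region(s) property => enumerate regions
        needed |= ALL_REGIONS
    return needed


def allowed_actions(policy):
    """Action patterns granted by Allow statements (Deny statements not modelled)."""
    allowed = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") == "Allow":
            allowed.update(_as_list(stmt.get("Action", [])))
    return allowed


def missing_actions(policy, required):
    """Required actions not matched by any Allow pattern; IAM '*' wildcards honoured."""
    patterns = allowed_actions(policy)
    return {a for a in required
            if not any(fnmatch.fnmatchcase(a, p) for p in patterns)}


def trust_allows_user(trust_policy, user_arn):
    """True only if an Allow statement names user_arn as AWS principal for sts:AssumeRole."""
    for stmt in _as_list(trust_policy["Statement"]):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        if user_arn in _as_list(principal.get("AWS", [])):
            return True
    return False


def inventory(access_key, secret_key, role_arn, regions):
    """Live check: assume the role with the user's keys, then run both inventories."""
    import boto3  # imported here so the offline checks above do not need boto3
    sts = boto3.client("sts", aws_access_key_id=access_key, aws_secret_access_key=secret_key)
    creds = sts.assume_role(RoleArn=role_arn, RoleSessionName="apigw-inventory")["Credentials"]
    session = boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                            aws_secret_access_key=creds["SecretAccessKey"],
                            aws_session_token=creds["SessionToken"])
    found = []
    for region in regions:
        rest = session.client("apigateway", region_name=region)          # REST APIs
        for page in rest.get_paginator("get_rest_apis").paginate():
            found += [(region, "REST", api["id"], api["name"]) for api in page["items"]]
        v2 = session.client("apigatewayv2", region_name=region)          # HTTP / WEBSOCKET
        for page in v2.get_paginator("get_apis").paginate():
            found += [(region, api["ProtocolType"], api["ApiId"], api["Name"]) for api in page["Items"]]
    return found


if __name__ == "__main__":
    need = required_actions("aggregator", collect_usage=True, regions="")
    print("missing on role policy:", sorted(missing_actions(PERMISSION_POLICY, need)))
    print("trust policy allows user:", trust_allows_user(TRUST_POLICY, USER_ARN))
```

Run as-is, the report shows that the page's read-only policy is sufficient for a standalone flow with explicit regions, and lists every config, CloudWatch and ec2 action that would have to be added before enabling the aggregator flow, usage collection, or an empty Region(s) property.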