Console
Start free

Advanced API Security for multiple Apigee organizations and gateways

This page applies to Apigee and Apigee hybrid.

Apigee Advanced API Security is available as an additional add-on for your API hub instance to help you manage and govern the security posture of your APIs across multiple Apigee organizations, environments, and gateways. Leveraging API hub's plugins and curation capabilities, Advanced API Security offers an unified view that lets you monitor risks, compare configurations, and ensure consistent security standards across your entire API ecosystem.

Key capabilities

Advanced API Security offers the following capabilities when you enable it for your API hub instance:

Enable Advanced API Security for your API hub instance

To enable and configure Advanced API Security for your API hub instance, see Configure Advanced API Security for multiple Apigee organizations and gateways.

IAM roles and permissions

To use Advanced API Security, you must have the following IAM roles and permissions:

IAM roles Permissions Description
API Security Admin (roles/apigee.securityAdmin)
  • apigee.securityProfilesV2.create
  • apigee.securityProfilesV2.delete
  • apigee.securityProfilesV2.update
  • apigee.securityProfilesV2.get
  • apigee.securityProfilesV2.list
 Provides permissions to create, update, delete, get, and list security profiles.
  • apigee.securityAssessmentResult.compute
 Provides permissions to compute security assessment results.
  • apigee.securityMonitoringConditions.create
  • apigee.securityMonitoringConditions.delete
  • apigee.securityMonitoringConditions.get
  • apigee.securityMonitoringConditions.list
  • apigee.securityMonitoringConditions.update
 Provides permissions to create, delete, get, list, and update security monitoring conditions.
API Security Viewer (roles/apigee.securityViewer)
  • apigee.securityProfilesV2.get
  • apigee.securityProfilesV2.list
 Provides permissions to get, list, and view security profiles.
  • apigee.securityAssessmentResult.compute
 Provides permissions to compute security assessment results.
  • apigee.securityMonitoringConditions.get
  • apigee.securityMonitoringConditions.list
 Provides permissions to get and list security monitoring conditions.
API hub Admin (roles/apihub.admin) or API hub Add-on Admin (roles/apihub.addonsAdmin)
  • apihub.addons.get
  • apihub.addons.list
  • apihub.addons.manage
 Provides permissions to manage add-ons in API hub.
  • apihub.apis.get
  • apihub.deployments.list
 Provides permissions to get and list APIs and deployments in API hub.
API hub Viewer (roles/apihub.viewer)
  • apihub.addons.get
  • apihub.addons.list
 Provides permissions to get and list add-ons in API hub.
  • apihub.apis.get
  • apihub.deployments.list
 Provides permissions to get and list APIs and deployments in API hub.

To configure and use security monitoring conditions and alerts in Cloud Monitoring:

Action(s) Required roles or steps
List and view security monitoring condition metrics Monitoring Admin (roles/monitoring.admin)
Monitoring Editor (roles/monitoring.editor)
Create, update, or delete monitoring alerts See Required roles (for security alerts)
View monitoring alerts See Incidents for metric-based alerting policies: Before you begin

For information about granting IAM roles, see Grant or revoke multiple IAM roles using the Google Cloud console.

What's next