Manage user behavior
Detect and mitigate inauthentic user behavior that can lead to account takeovers and other abuses.
What you'll do
Enable, create, and configure a response strategy to protect your API operations.
1. Prep
Register and define the API endpoints and resources you want us to protect.
- Register your API and get your API's ID.
- Get your security configuration and security policy IDs.
- Add transactional endpoints and get your transactional operations' IDs.
2. Add protected API operations
Use your security configuration, security policy, and transactional operation IDs along with JSON-formatted information about their telemetry settings to add protected operations to your configuration.
- Build out JSON-formatted telemetry settings for your protected operations.
- Use the file you created as the value of the protected_operation argument to add your operations and their settings to the Account Protector service.
resource "akamai_apr_protected_operations" "my_protected_operations" {
config_id = 12345
security_policy_id = "abcd_123456"
operation_id = "12a3bc4d-5678-9ef0-g12h-3i4jklm5no67"
protected_operation = file("${path.module}/protected-operation.json")
}
Next, configure a user risk strategy and assign actions to each risk level.
3. Set a user risk strategy
User risk scores are determined by user behavior profiling, population profiling, and reputation data. Your user risk strategy manages your response when your risk thresholds are met.
You can set the response segments to apply to all the policies within a security configuration or set them for a specific policy only.
For each traffic type and risk segment level, set a threshold that triggers your account protections.
- Threshold ranges give you the available value settings, and there is range overlap across segments to allow for fine tuning of your response.
- Threshold values within each traffic type must not conflict.
resource "akamai_apr_user_risk_response_strategy" "my_strategy" {
config_id = 12345
user_risk_response_strategy = jsonencode(
{
"traffic" : {
"standard" : {
"cautious" : {
"threshold" : 0
},
"strict" : {
"threshold" : 51
},
"aggressive" : {
"threshold" : 66
}
},
"inline" : {
"cautious" : {
"threshold" : 0
},
"strict" : {
"threshold" : 51
},
"aggressive" : {
"threshold" : 76
}
},
"nativeSdkIos" : {
"cautious" : {
"threshold" : 0
},
"strict" : {
"threshold" : 51
},
"aggressive" : {
"threshold" : 76
}
},
"nativeSdkAndroid" : {
"cautious" : {
"threshold" : 0
},
"strict" : {
"threshold" : 51
},
"aggressive" : {
"threshold" : 76
}
}
}
}
)
}
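The same strategy with the thresholds held in a local map and the "must not conflict" rule checked before apply. This is an added example, not Akamai's own sample: it assumes the rule means each traffic type's thresholds ascend from cautious through strict to aggressive, and it uses a Terraform lifecycle precondition (core Terraform, not provider-specific) to fail the plan when that ordering is broken.

```hcl
locals {
  # Thresholds per traffic type, taken from the strategy above.
  risk_thresholds = {
    standard         = { cautious = 0, strict = 51, aggressive = 66 }
    inline           = { cautious = 0, strict = 51, aggressive = 76 }
    nativeSdkIos     = { cautious = 0, strict = 51, aggressive = 76 }
    nativeSdkAndroid = { cautious = 0, strict = 51, aggressive = 76 }
  }

  # Assumption: "must not conflict" means cautious < strict < aggressive
  # within each traffic type.
  thresholds_ordered = alltrue([
    for name, seg in local.risk_thresholds :
    seg.cautious < seg.strict && seg.strict < seg.aggressive
  ])
}

resource "akamai_apr_user_risk_response_strategy" "my_strategy" {
  config_id = 12345

  # Build the same "traffic" document as above from the local map.
  user_risk_response_strategy = jsonencode({
    traffic = {
      for name, seg in local.risk_thresholds : name => {
        cautious   = { threshold = seg.cautious }
        strict     = { threshold = seg.strict }
        aggressive = { threshold = seg.aggressive }
      }
    }
  })

  lifecycle {
    precondition {
      condition     = local.thresholds_ordered
      error_message = "Each traffic type must have cautious < strict < aggressive thresholds."
    }
  }
}
```

Editing a threshold so that, for example, strict exceeds aggressive in one traffic type makes terraform plan stop with the error message instead of sending a conflicting strategy to the service.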
After you've set your strategy, you can configure optional settings, or activate your security configuration to apply the changes and start managing your traffic.
4. Activate your configuration
Applying your account protection settings to your traffic on a network requires an activation of your security configuration.
Note: If your configuration is already active on a network, the activation resource creates a new version, deactivates the current version, and activates the new version.
Provide a configuration version and set the network on which to activate your configuration. To point the activation at the latest version of your configuration, add the akamai_appsec_configuration data source and reference its latest_version attribute, for example through a local variable.
resource "akamai_appsec_activations" "my-activation" {
config_id = 12345
network = "STAGING"
note = "Activating account protections on staging."
notification_emails = ["jsmith@example.com"]
version = 12
}
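The activation above pinned to the latest version instead of a hard-coded number, as the paragraph before it describes. This is an added example, not from the page: it assumes a security configuration named "My Security Configuration" and reads the config_id and latest_version attributes exported by the akamai_appsec_configuration data source.

```hcl
data "akamai_appsec_configuration" "my_config" {
  # Assumed configuration name; replace with your own.
  name = "My Security Configuration"
}

locals {
  # Always point the activation at the newest version of the configuration.
  latest_version = data.akamai_appsec_configuration.my_config.latest_version
}

resource "akamai_appsec_activations" "my-activation" {
  config_id           = data.akamai_appsec_configuration.my_config.config_id
  network             = "STAGING"
  note                = "Activating account protections on staging."
  notification_emails = ["jsmith@example.com"]
  version             = local.latest_version
}
```

Because the activation resource creates and activates a new version when the configuration is already active on the network, tying version to latest_version means each apply after a configuration change activates that new version without editing the activation block.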
Optional settings
Provide user exception permissions or set and manage security policy level protections.
Add an allow list
You can add an allow list of users who can bypass the protections you set up by adding a Client Lists' user-type list to your configuration.
Note: To create or update a user-type list, use the client list resource.
Get a client list user-type list's ID and set it as the value of user_allow_list.
resource "akamai_apr_user_allow_list" "my_allow_list" {
config_id = 12345
user_allow_list = "12345_MYUSERLIST"
}
Activate your security configuration to apply your allow list's permissions.
Update general settings
You can also control your response to suspect activity from your origin or disable account protection settings at the security policy level.
- To disable account protection, set accountProtection to false.
- To manage response settings from your origin, ensure your account protection response actions allow requests through to your origin, for example, monitor, slow, or delay.
Update the general settings to manage header use and the type of information forwarded to your origin.
- originSignalHeader. Send user risk detection results with each request forwarded to the origin.
- originUserIdInRequestHeader. Forward the user's ID in the Akamai-User-Risk header.
- usernameInRequestHeader. Forward the user's username in the Akamai-User-Risk header.
resource "akamai_apr_general_settings" "my_apr_settings" {
config_id = 12345
security_policy_id = "abcd_123456"
general_settings = jsonencode(
{
"accountProtection": true,
"originSignalHeader": true,
"originUserIdInRequestHeader": false,
"usernameInRequestHeader": true
}
)
}
To apply updated settings on a network, activate your security configuration.