Manage user behavior

Detect and mitigate inauthentic user behavior that can lead to account takeovers and other abuses.

What you'll do

Enable, create, and configure a response strategy to protect your API operations.

1. Prep

Register and define the API endpoints and resources you want us to protect.

  1. Register your API and get your API's ID.
  2. Get your security configuration and security policy IDs.
  3. Add transactional endpoints and get your transactional operations' IDs.

2. Add protected API operations

Use your security configuration, security policy, and transactional operation IDs, along with JSON-formatted telemetry settings for each operation, to add protected operations to your configuration.

  1. Build out JSON formatted telemetry settings for your protected operations.

  2. Use the file you created as the value of the protected_operation argument to add your operations and their settings to the Account Protector service.

    resource "akamai_apr_protected_operations" "my_protected_operations" {
      config_id           = 12345
      security_policy_id  = "abcd_123456"
      operation_id        = "12a3bc4d-5678-9ef0-g12h-3i4jklm5no67"
      protected_operation = file("${path.module}/protected-operation.json")
    }

Next, configure a user risk strategy and assign actions to each risk level.

3. Set a user risk strategy

User risk scores are determined by user behavior profiling, population profiling, and reputation data. Your user risk strategy manages your response when your risk thresholds are met.

You can set the response segments to apply to all the policies within a security configuration or set them for a specific policy only.

For each traffic type and risk segment level, set the threshold that triggers your account protections.

  • Each segment has an allowed threshold range, and the ranges overlap across segments so you can fine-tune your response.
  • Threshold values within each traffic type must not conflict.

resource "akamai_apr_user_risk_response_strategy" "my_strategy" {
  config_id                   = 12345
  user_risk_response_strategy = jsonencode(
    {
      "traffic" : {
        "standard" : {
          "cautious" : {
            "threshold" : 0
          },
          "strict" : {
            "threshold" : 51
          },
          "aggressive" : {
            "threshold" : 66
          }
        },
        "inline" : {
          "cautious" : {
            "threshold" : 0
          },
          "strict" : {
            "threshold" : 51
          },
          "aggressive" : {
            "threshold" : 76
          }
        },
        "nativeSdkIos" : {
          "cautious" : {
            "threshold" : 0
          },
          "strict" : {
            "threshold" : 51
          },
          "aggressive" : {
            "threshold" : 76
          }
        },
        "nativeSdkAndroid" : {
          "cautious" : {
            "threshold" : 0
          },
          "strict" : {
            "threshold" : 51
          },
          "aggressive" : {
            "threshold" : 76
          }
        }
      }
    }
  )
}
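As an added example, not from the page, the same strategy expressed as a map of thresholds that the resource serialises with jsonencode, plus a lifecycle precondition (Terraform 1.2 or later) that fails the plan before anything is sent when a traffic type's thresholds are not in ascending order. Treating "must not conflict" as cautious < strict < aggressive within each traffic type is an assumption; the threshold values are the page's sample values.

```hcl
locals {
  # Thresholds per traffic type and segment (the page's sample values).
  risk_thresholds = {
    standard         = { cautious = 0, strict = 51, aggressive = 66 }
    inline           = { cautious = 0, strict = 51, aggressive = 76 }
    nativeSdkIos     = { cautious = 0, strict = 51, aggressive = 76 }
    nativeSdkAndroid = { cautious = 0, strict = 51, aggressive = 76 }
  }

  # Expand the flat map into the {"traffic": {type: {segment: {"threshold": n}}}}
  # shape the resource expects; jsonencode turns it into the JSON string.
  user_risk_response_strategy = {
    traffic = {
      for traffic_type, segs in local.risk_thresholds :
      traffic_type => { for seg, t in segs : seg => { threshold = t } }
    }
  }

  # Assumption: "must not conflict" means cautious < strict < aggressive.
  thresholds_ordered = alltrue([
    for t in values(local.risk_thresholds) :
    t.cautious < t.strict && t.strict < t.aggressive
  ])
}

resource "akamai_apr_user_risk_response_strategy" "my_strategy" {
  config_id                   = 12345
  user_risk_response_strategy = jsonencode(local.user_risk_response_strategy)

  lifecycle {
    # Requires Terraform 1.2 or later; stops the plan with a clear message
    # instead of letting a mis-ordered strategy reach the service.
    precondition {
      condition     = local.thresholds_ordered
      error_message = "Each traffic type needs cautious < strict < aggressive thresholds."
    }
  }
}
```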

After you've set your strategy, you can configure the optional settings below or activate your security configuration to apply the changes and start managing your traffic.

4. Activate your configuration

Applying your account protection settings to your traffic on a network requires an activation of your security configuration.

Note: If your configuration is already active on a network, the activation resource creates a new version, deactivates the current version, and activates the new version.

Provide a configuration version and set the network on which to activate your configuration. To point the activation at the latest version of your configuration, add the akamai_appsec_configuration data source and set a local variable to its latest_version attribute.

resource "akamai_appsec_activations" "my-activation" {
  config_id           = 12345
  network             = "STAGING"
  note                = "Activating account protections on staging."
  notification_emails = ["jsmith@example.com"]
  version             = 12
}
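The latest-version technique described above, as an added example that is not part of the original page: the configuration name "my-config" is a placeholder, and the data source's config_id and latest_version attributes feed the activation so no version number is hard-coded.

```hcl
# Look up the security configuration by name (placeholder name) so the
# activation follows its latest version instead of a hard-coded number.
data "akamai_appsec_configuration" "my_config" {
  name = "my-config"
}

locals {
  # Read both values from the same data source so they stay consistent.
  config_id      = data.akamai_appsec_configuration.my_config.config_id
  latest_version = data.akamai_appsec_configuration.my_config.latest_version
}

resource "akamai_appsec_activations" "my-activation" {
  config_id           = local.config_id
  network             = "STAGING"
  note                = "Activating account protections on staging."
  notification_emails = ["jsmith@example.com"]
  version             = local.latest_version
}
```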

Optional settings

Provide user exception permissions or set and manage security policy level protections.

Add an allow list

You can add an allow list of users who bypass the protections you set up by adding a Client Lists user-type list to your configuration.

Note: To create or update a user-type list, use the client list resource.

Get a client list user-type list's ID and set it as the value of user_allow_list.

resource "akamai_apr_user_allow_list" "my_allow_list" {
  config_id       = 12345
  user_allow_list = "12345_MYUSERLIST"
}

Activate your security configuration to apply your allow list's permissions.

Update general settings

You can also handle the response to suspicious activity at your origin, or disable account protection settings at the security policy level.

  • To disable account protection, set accountProtection to false.
  • To manage the response at your origin, make sure your account protection response actions let requests through to the origin, for example, monitor, slow, or delay.

Update the general settings to manage header use and the type of information forwarded to your origin.

  • originSignalHeader. Send user risk detection results with each request forwarded to the origin.
  • originUserIdInRequestHeader. Forward the user's ID in the Akamai-User-Risk header.
  • usernameInRequestHeader. Forward the user's username in the Akamai-User-Risk header.

resource "akamai_apr_general_settings" "my_apr_settings" {
  config_id          = 12345
  security_policy_id = "abcd_123456"
  general_settings   = jsonencode(
    {
      "accountProtection": true,
      "originSignalHeader": true,
      "originUserIdInRequestHeader": false,
      "usernameInRequestHeader": true
    }
  )
}

To apply updated settings on a network, activate your security configuration.