Suggest a Shield Policy
Once API Discovery has observed an API's real traffic,
it knows that API's operations, which ones carry authentication, which return PII,
and how each is scored for risk. Suggest Policy turns that knowledge into a
draft Shield SecurityPolicy — so you protect an endpoint from
the inventory instead of authoring routes and engines by hand.
This is the bridge between the two halves of the platform: Discovery tells you what you have and where the risk is; Shield enforces protections at the edge. Suggest Policy connects them.
Where it lives
There are two entry points, both producing the same result — a draft policy handed to the Shield policy editor:
- From API Discovery — in the endpoints view, select one or more path groups
and choose Suggest Shield Policy. Discovery builds a draft
SecurityPolicycovering those operations, plus a rationale for each suggested protection. - From the Shield editor — the Import from Discovery drawer lets you pick discovered endpoints without leaving the policy you are editing; the suggested routes and engines are merged into it.
What it suggests
The draft is derived from what Discovery actually observed, so the protections fit the endpoints:
- Routes — one per selected operation (or path group), matched on the normalized path and method, mirroring the inventory.
- Authentication — where an operation is seen carrying (or expected to carry)
auth, a matching Shield auth engine is proposed. Endpoints flagged
unauthenticatedorauth_inconsistentare called out. - Data protection — operations that returned PII get a DLP suggestion (redact the observed categories).
- Rate limiting / bot / WAF — proposed against operations whose risk flags (rate anomalies, scanner traffic, injection-style probes) warrant them.
Each suggestion comes with a rationale — the risk flag or observation that prompted it — shown in a panel above the Builder so you can accept, adjust, or drop it before deploying.
The draft is not persisted server-side — it opens in the editor as unsaved
work. Review every route and engine, then follow the standard
rollout: deploy in mode: detect, watch
Security Events, and promote to block once it's
clean. Positive-security suggestions (an OpenAPI
allow-list, IP allow-lists) especially need review — they block everything not
explicitly permitted.
Typical flow
- Enable Discovery on the listener and let it observe traffic (see API Discovery overview).
- Review the inventory and risk scoring; decide which endpoints to protect first (usually the highest-exposure, highest-risk ones).
- Select them and Suggest Shield Policy (or Import from Discovery inside an existing policy).
- Review the draft and its rationale in the policy editor.
- Create & Deploy in
detectmode; watch, tune, then switch toblock.
See also
- Shield: getting started — writing and deploying a first policy.
- Deploying policies to edges — how a saved policy reaches every edge.
- API Discovery overview — how the inventory is built.