Unknown: there is no evidence whether this Policy definition is available in AzureUSGovernment.
Assessment(s)
Assessments count: 1
Assessment Id: 44aae697-8cc1-4ed1-a136-44a644bfd51f
DisplayName: API Management subscriptions should not be scoped to all APIs
Description: API Management subscriptions should be scoped to a product or an individual API instead of all APIs; a subscription key scoped to all APIs grants access to every API in the instance and can result in excessive data exposure.
Remediation description: To remove subscriptions at the All APIs scope:
1. In the Azure portal, find your API Management resource.
2. Navigate to the Subscriptions blade.
3. For any subscription listed with a scope of All APIs, change the scope of the subscription to a single API or a Product, or suspend or delete the subscription.
Categories: Compute
Severity: Medium
User impact: High
Threats: MissingCoverage
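The portal steps above do not scale past a handful of instances, so an added example follows (this is not code from the policy page or from Microsoft). It parses the JSON shape returned by the ARM list call for API Management subscriptions (GET .../providers/Microsoft.ApiManagement/service/{svc}/subscriptions, where each item carries properties.scope and properties.state), classifies each scope as all APIs, a single API, or a product, and drafts the PATCH body for the two remediations the assessment names (rescope or suspend). The sample response is constructed for the demonstration; the scope path conventions (.../apis for all APIs, .../apis/{apiId}, .../products/{productId}) and the properties.scope / properties.state field names are assumed from the ARM subscription contract.

```python
"""Find API Management subscriptions scoped to all APIs and draft remediation.

Added example, not the page's or Microsoft's code. Assumes the ARM list
response shape (items with properties.scope and properties.state) and the
scope path conventions documented in the comments below.
"""
from __future__ import annotations

import json

# Constructed sample mirroring an ARM list response; not real data.
_SVC = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
        "rg-demo/providers/Microsoft.ApiManagement/service/demo-apim")
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {"name": "ops-all-access",
         "properties": {"displayName": "Ops", "scope": _SVC + "/apis",
                        "state": "active"}},
        {"name": "partner-a",
         "properties": {"displayName": "Partner A",
                        "scope": _SVC + "/apis/orders-api", "state": "active"}},
        {"name": "starter-key",
         "properties": {"displayName": "Starter",
                        "scope": _SVC + "/products/starter", "state": "active"}},
        # Short form as shown by the portal/PowerShell, with a trailing slash.
        {"name": "legacy",
         "properties": {"displayName": "Legacy", "scope": "/apis/",
                        "state": "suspended"}},
    ]
})


def scope_kind(scope: str) -> str:
    """Classify an APIM subscription scope by the tail of its path.

    Assumed conventions (full ARM path or the shortened portal form):
      .../apis             -> "all-apis"  (the finding this policy flags)
      .../apis/{apiId}     -> "api"
      .../products/{id}    -> "product"
    A naive substring test on "/apis" would also match single-API scopes,
    so the path is split and only the last two segments are inspected.
    """
    parts = [p for p in scope.strip().split("/") if p]
    if not parts:
        raise ValueError("empty scope")
    if parts[-1].lower() == "apis":
        return "all-apis"
    if len(parts) >= 2 and parts[-2].lower() == "apis":
        return "api"
    if len(parts) >= 2 and parts[-2].lower() == "products":
        return "product"
    raise ValueError(f"unrecognised scope: {scope!r}")


def find_all_api_subscriptions(response_json: str) -> list[dict]:
    """Return every subscription whose scope is all APIs, in response order."""
    data = json.loads(response_json)
    findings = []
    for item in data.get("value", []):
        props = item.get("properties", {})
        scope = props.get("scope", "")
        if scope_kind(scope) == "all-apis":
            findings.append({
                "name": item["name"],
                "scope": scope,
                "state": props.get("state"),
                # Suspended keys cannot be used; active ones need action now.
                "active": str(props.get("state", "")).lower() == "active",
            })
    return findings


def remediation_body(new_scope: str | None = None) -> dict:
    """Draft the PATCH body for one flagged subscription.

    Prefer narrowing the scope to a product or a single API. When no narrower
    scope is known yet, fall back to suspending the key; deletion is the
    third option from the assessment and needs no body.
    """
    if new_scope is not None:
        if scope_kind(new_scope) == "all-apis":
            raise ValueError("new scope must be a product or a single API")
        return {"properties": {"scope": new_scope}}
    return {"properties": {"state": "suspended"}}


if __name__ == "__main__":
    for f in find_all_api_subscriptions(SAMPLE_RESPONSE):
        action = "rescope or suspend" if f["active"] else "already suspended"
        print(f"{f['name']}: scope={f['scope']} state={f['state']} -> {action}")
```

Feed the real response from `az rest` or the SDK into `find_all_api_subscriptions`, then apply each drafted body with a PATCH against the subscription resource; the built-in all-access subscription that every instance ships with will show up in the findings and should be treated as a deliberate exception rather than silently rescoped.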
The following 4 compliance controls are associated with this Policy definition 'API Management subscriptions should not be scoped to all APIs' (3aa03346-d8c5-4994-a5bc-7652c2a2aef1)
Follow just enough administration (least privilege) principle
Shared
**Security Principle:**
Follow the just enough administration (least privilege) principle to manage permissions at fine-grained level. Use features such as role-based access control (RBAC) to manage resource access through role assignments.
**Azure Guidance:**
Use Azure role-based access control (Azure RBAC) to manage Azure resource access through role assignments. Through RBAC, you can assign roles to users, groups, service principals, and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell, and the Azure portal.
The privileges you assign to resources through Azure RBAC should always be limited to what the role actually requires. Limited standing privileges complement the just-in-time (JIT) approach of Microsoft Entra Privileged Identity Management (PIM), and those privileges should be reviewed periodically. If required, you can also use PIM to add a time-bound condition to a role assignment, so that a user can activate or use the role only between a start and an end date.
Note: Use Azure built-in roles to allocate permissions and only create custom roles when required.
**Implementation and additional context:**
What is Azure role-based access control (Azure RBAC):
https://docs.microsoft.com/azure/role-based-access-control/overview
How to configure RBAC in Azure:
https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal
How to use Microsoft Entra identity and access reviews:
https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview
Microsoft Entra Privileged Identity Management - Time-bound assignment:
https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure#what-does-it-do
Human resources security, access control policies and asset management
n/a
The cybersecurity risk-management measures should therefore also address the physical and environmental security of network and information systems by including measures to protect such systems from system failures, human error, malicious acts or natural phenomena, in line with European and international standards, such as those included in the ISO/IEC 27000 series. In that regard, essential and important entities should, as part of their cybersecurity risk-management measures, also address human resources security and have in place appropriate access control policies. Those measures should be consistent with Directive (EU) 2022/2557.