last sync: 2024-Apr-24 17:46:58 UTC

API Management subscriptions should not be scoped to all APIs

Azure BuiltIn Policy definition

Source Azure Portal
Display name API Management subscriptions should not be scoped to all APIs
Id 3aa03346-d8c5-4994-a5bc-7652c2a2aef1
Version 1.1.0
Details on versioning
Category API Management
Microsoft Learn
Description API Management subscriptions should be scoped to a product or an individual API instead of all APIs, which could result in an excessive data exposure.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Audit, Disabled, Deny
RBAC role(s) none
Rule aliases IF (2)
Alias Namespace ResourceType DefaultPath Modifiable
Microsoft.ApiManagement/service/subscriptions/scope Microsoft.ApiManagement service/subscriptions properties.scope false
Microsoft.ApiManagement/service/subscriptions/state Microsoft.ApiManagement service/subscriptions properties.state false
Rule resource types IF (1)
The following 1 compliance controls are associated with this Policy definition 'API Management subscriptions should not be scoped to all APIs' (3aa03346-d8c5-4994-a5bc-7652c2a2aef1)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v3.0 PA-7 Azure_Security_Benchmark_v3.0_PA-7 Microsoft cloud security benchmark PA-7 Privileged Access Follow just enough administration (least privilege) principle Shared **Security Principle:** Follow the just enough administration (least privilege) principle to manage permissions at fine-grained level. Use features such as role-based access control (RBAC) to manage resource access through role assignments. **Azure Guidance:** Use Azure role-based access control (Azure RBAC) to manage Azure resource access through role assignments. Through RBAC, you can assign roles to users, group service principals, and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell, and the Azure portal. The privileges you assign to resources through Azure RBAC should always be limited to what's required by the roles. Limited privileges will complement the just-in-time (JIT) approach of Microsoft Entra Privileged Identity Management (PIM), and those privileges should be reviewed periodically. If required, you can also use PIM to define the time-length (time-bound-assignment) condition in role assignment where a user can activate or use the role only within start and end dates. Note: Use Azure built-in roles to allocate permissions and only create custom roles when required. **Implementation and additional context:** What is Azure role-based access control (Azure RBAC): How to configure RBAC in Azure: How to use Microsoft Entra identity and access reviews: Microsoft Entra Privileged Identity Management - Time-bound assignment: n/a link 3
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn
Date/Time (UTC ymd) (i) Change type Change detail
2023-01-27 18:40:07 change Minor (1.0.0 > 1.1.0)
2022-06-17 16:31:08 add 3aa03346-d8c5-4994-a5bc-7652c2a2aef1
JSON compare
compare mode: version left: version right: