last sync: 2024-Apr-19 17:43:58 UTC

API Management minimum API version should be set to 2019-12-01 or higher

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: API Management minimum API version should be set to 2019-12-01 or higher
Id: 549814b6-3212-4203-bdc8-1548d342fb67
Version: 1.0.1
Category: API Management
Description: To prevent service secrets from being shared with read-only users, the minimum API version should be set to 2019-12-01 or higher.
Mode: Indexed
Type: BuiltIn
Preview: False
Deprecated: False
Effect
  Default: Audit
  Allowed: Audit, Deny, Disabled
RBAC role(s): none
Rule aliases IF (2)
  Alias: Microsoft.ApiManagement/service/apiVersionConstraint.minApiVersion
    Namespace: Microsoft.ApiManagement
    ResourceType: service
    DefaultPath: properties.apiVersionConstraint.minApiVersion
    Modifiable: false
  Alias: Microsoft.ApiManagement/service/sku.name
    Namespace: Microsoft.ApiManagement
    ResourceType: service
    DefaultPath: sku.name
    Modifiable: false
Rule resource types IF (1)
  Microsoft.ApiManagement/service
Compliance
The following 2 compliance controls are associated with this Policy definition 'API Management minimum API version should be set to 2019-12-01 or higher' (549814b6-3212-4203-bdc8-1548d342fb67)

Control: Azure_Security_Benchmark_v3.0 IM-8 (MetadataId: Azure_Security_Benchmark_v3.0_IM-8)
Microsoft cloud security benchmark IM-8, Identity Management: Restrict the exposure of credential and secrets
Owner: Shared
Requirements: n/a
Policy#: 3
Description:
**Security Principle:** Ensure that application developers securely handle credentials and secrets:
- Avoid embedding the credentials and secrets into the code and configuration files
- Use key vault or a secure key store service to store the credentials and secrets
- Scan for credentials in source code.
Note: This is often governed and enforced through a secure software development lifecycle (SDLC) and DevOps security process.
**Azure Guidance:** Ensure that secrets and credentials are stored in secure locations such as Azure Key Vault, instead of embedding them into the code and configuration files.
- Implement Azure DevOps Credential Scanner to identify credentials within the code.
- For GitHub, use the native secret scanning feature to identify credentials or other forms of secrets within the code.
Clients such as Azure Functions, Azure App Service, and VMs can use managed identities to access Azure Key Vault securely. See Data Protection controls related to the use of Azure Key Vault for secrets management.
**Implementation and additional context:**
How to set up Credential Scanner: https://secdevtools.azurewebsites.net/helpcredscan.html
GitHub secret scanning: https://docs.github.com/github/administering-a-repository/about-secret-scanning

Control: Azure_Security_Benchmark_v3.0 PV-2 (MetadataId: Azure_Security_Benchmark_v3.0_PV-2)
Microsoft cloud security benchmark PV-2, Posture and Vulnerability Management: Audit and enforce secure configurations
Owner: Shared
Requirements: n/a
Policy#: 27
Description:
**Security Principle:** Continuously monitor and alert when there is a deviation from the defined configuration baseline. Enforce the desired configuration according to the baseline configuration by denying the non-compliant configuration or deploying a configuration.
**Azure Guidance:** Use Microsoft Defender for Cloud to configure Azure Policy to audit and enforce configurations of your Azure resources. Use Azure Monitor to create alerts when a configuration deviation is detected on the resources. Use Azure Policy [deny] and [deploy if not exist] rules to enforce secure configuration across Azure resources. For resource configuration audit and enforcement not supported by Azure Policy, you may need to write your own scripts or use third-party tooling to implement the configuration audit and enforcement.
**Implementation and additional context:**
Understand Azure Policy effects: https://docs.microsoft.com/azure/governance/policy/concepts/effects
Create and manage policies to enforce compliance: https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage
Get compliance data of Azure resources: https://docs.microsoft.com/azure/governance/policy/how-to/get-compliance-data
Initiatives usage
Initiative DisplayName: Microsoft cloud security benchmark
Initiative Id: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Initiative Category: Security Center
State: GA
Type: BuiltIn
History
Date/Time (UTC ymd)   Change type   Change detail
2022-07-08 16:32:07   change        Patch (1.0.0 > 1.0.1)
2022-06-17 16:31:08   add           549814b6-3212-4203-bdc8-1548d342fb67