last sync: 2024-May-24 18:03:04 UTC

API endpoints in Azure API Management should be authenticated

Azure BuiltIn Policy definition

Source Azure Portal
Display name API endpoints in Azure API Management should be authenticated
Id 8ac833bd-f505-48d5-887e-c993a1d3eea0
Version 1.0.1
Details on versioning
Category Security Center
Microsoft Learn
Description API endpoints published within Azure API Management should enforce authentication to help minimize security risk. Authentication mechanisms are sometimes implemented incorrectly or are missing. This allows attackers to exploit implementation flaws and to access data. Learn More about the OWASP API Threat for Broken User Authentication here: https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats#broken-user-authentication
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases THEN-ExistenceCondition (1)
Alias Namespace ResourceType DefaultPath Modifiable
Microsoft.Security/assessments/status.code Microsoft.Security assessments properties.status.code false
Rule resource types IF (1)
Microsoft.ApiManagement/service/apis/operations
Compliance
The following 1 compliance controls are associated with this Policy definition 'API endpoints in Azure API Management should be authenticated' (8ac833bd-f505-48d5-887e-c993a1d3eea0)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v3.0 IM-4 Azure_Security_Benchmark_v3.0_IM-4 Microsoft cloud security benchmark IM-4 Identity Management Authenticate server and services Shared **Security Principle:** Authenticate remote servers and services from your client side to ensure you are connecting to trusted server and services. The most common server authentication protocol is Transport Layer Security (TLS), where the client-side (often a browser or client device) verifies the server by verifying the server’s certificate was issued by a trusted certificate authority. Note: Mutual authentication can be used when both the server and the client authenticate one-another. **Azure Guidance:** Many Azure services support TLS authentication by default. For the services supporting TLS enable/disable switch by the user, ensure it's always enabled to support the server/service authentication. Your client application should also be designed to verify server/service identity (by verifying the server’s certificate issued by a trusted certificate authority) in the handshake stage. **Implementation and additional context:** Enforce Transport Layer Security (TLS) for a storage account: https://docs.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal#use-azure-policy-to-enforce-the-minimum-tls-version n/a link 4
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2023-11-06 19:40:47 change Patch, old suffix: preview (1.0.0-preview > 1.0.1)
2023-08-03 17:56:09 add 8ac833bd-f505-48d5-887e-c993a1d3eea0
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC