AzPolicyAdvertizer

last sync: 2025-Apr-29 17:16:02 UTC

API Management direct management endpoint should not be enabled

Azure BuiltIn Policy definition

Source Azure Portal
Display name API Management direct management endpoint should not be enabled
Id b741306c-968e-4b67-b916-5675e5c709f4
Version 1.0.2
Details on versioning
Versioning Versions supported for Versioning: 1
1.0.2
Built-in Versioning [Preview]
Category API Management
Microsoft Learn
Description The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service.
Cloud environments AzureCloud = true
AzureUSGovernment = unknown
AzureChinaCloud = unknown
Available in AzUSGov Unknown, no evidence if Policy definition is/not available in AzureUSGovernment
Assessment(s) Assessments count: 1
Assessment Id: e2aeced9-6ef0-410e-b948-4aaa65ded9a7
DisplayName: API Management direct management endpoint should not be enabled
Description: The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service.
Related OWASP API Security Top 10 Risks: (API4:2023) Unrestricted Resource Consumption
Remediation description: To disable direct management of your API Management instance: 1. In the Azure portal, find your API Management Resource 2. Navigate to the Management API blade 3. Set Enable Management REST API to 'No.'
Categories: Compute
Severity: Low
User impact: High
Threats: ElevationOfPrivilege
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Audit
Allowed
Audit, Disabled, Deny
RBAC role(s) none
Rule aliases IF (1)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.ApiManagement/service/tenant/enabled Microsoft.ApiManagement service/tenant properties.enabled True False
Rule resource types IF (1)
Compliance
The following 4 compliance controls are associated with this Policy definition 'API Management direct management endpoint should not be enabled' (b741306c-968e-4b67-b916-5675e5c709f4)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v3.0 PV-2 Azure_Security_Benchmark_v3.0_PV-2 Microsoft cloud security benchmark PV-2 Posture and Vulnerability Management Audit and enforce secure configurations Shared **Security Principle:** Continuously monitor and alert when there is a deviation from the defined configuration baseline. Enforce the desired configuration according to the baseline configuration by denying the non-compliant configuration or deploy a configuration. **Azure Guidance:** Use Microsoft Defender for Cloud to configure Azure Policy to audit and enforce configurations of your Azure resources. Use Azure Monitor to create alerts when there is a configuration deviation detected on the resources. Use Azure Policy [deny] and [deploy if not exist] rule to enforce secure configuration across Azure resources. For resource configuration audit and enforcement not supported by Azure Policy, you may need to write your own scripts or use third-party tooling to implement the configuration audit and enforcement. **Implementation and additional context:** Understand Azure Policy effects: https://docs.microsoft.com/azure/governance/policy/concepts/effects Create and manage policies to enforce compliance: https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage Get compliance data of Azure resources: https://docs.microsoft.com/azure/governance/policy/how-to/get-compliance-data n/a link 27
New_Zealand_ISM 23.4.10.C.01 New_Zealand_ISM_23.4.10.C.01 New_Zealand_ISM_23.4.10.C.01 23. Public Cloud Security 23.4.10.C.01 Data accessibility n/a Agencies MUST apply the principle of least privilege and configure service endpoints to restrict access to authorised parties. 4
U.07.1 - Isolated U.07.1 - Isolated 404 not found n/a n/a 62
U.10.5 - Competent U.10.5 - Competent 404 not found n/a n/a 33
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
Enforce recommended guardrails for API Management Enforce-Guardrails-APIM API Management GA ALZ
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn true
New Zealand ISM 4f5b1359-4f8e-4d7c-9733-ea47fcde891e Regulatory Compliance GA BuiltIn unknown
NL BIO Cloud Theme V2 d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2023-03-31 17:44:15 change Patch (1.0.1 > 1.0.2)
2022-07-08 16:32:07 change Patch (1.0.0 > 1.0.1)
2022-06-17 16:31:08 add b741306c-968e-4b67-b916-5675e5c709f4
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC