AzPolicyAdvertizer

last sync: 2025-Apr-29 17:16:02 UTC

API Management calls to API backends should be authenticated

Azure BuiltIn Policy definition

Source Azure Portal
Display name API Management calls to API backends should be authenticated
Id c15dcc82-b93c-4dcb-9332-fbf121685b54
Version 1.0.1
Details on versioning
Versioning Versions supported for Versioning: 1
1.0.1
Built-in Versioning [Preview]
Category API Management
Microsoft Learn
Description Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.
Cloud environments AzureCloud = true
AzureUSGovernment = unknown
AzureChinaCloud = unknown
Available in AzUSGov Unknown, no evidence if Policy definition is/not available in AzureUSGovernment
Assessment(s) Assessments count: 1
Assessment Id: 2fd6b6c3-f52b-464d-a301-0d81c7b4839c
DisplayName: API Management calls to API backends should be authenticated
Description: Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.
Related OWASP API Security Top 10 Risks: (API2:2023) Broken Authentication, (API8:2023) Security Misconfiguration
Remediation description: To enable authentication for your backends 1. In the Azure portal, find your API Management Resource 2. Navigate to the Backends blade 3. Select the backend from the Backends list 4. Select the Authorization credentials blade 5. Enter authorization credentials in the query paraemters, client certificates, or Authorization header.
Categories: Compute
Severity: Medium
User impact: High
Threats: ElevationOfPrivilege
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Audit
Allowed
Audit, Disabled, Deny
RBAC role(s) none
Rule aliases IF (6)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.ApiManagement/service/backends/credentials.authorization.parameter Microsoft.ApiManagement service/backends properties.credentials.authorization.parameter True False
Microsoft.ApiManagement/service/backends/credentials.authorization.scheme Microsoft.ApiManagement service/backends properties.credentials.authorization.scheme True False
Microsoft.ApiManagement/service/backends/credentials.certificate Microsoft.ApiManagement service/backends properties.credentials.certificate True False
Microsoft.ApiManagement/service/backends/credentials.certificate[*] Microsoft.ApiManagement service/backends properties.credentials.certificate[*] True False
Microsoft.ApiManagement/service/backends/protocol Microsoft.ApiManagement service/backends properties.protocol True False
Microsoft.ApiManagement/service/backends/url Microsoft.ApiManagement service/backends properties.url True False
Rule resource types IF (1)
Compliance
The following 3 compliance controls are associated with this Policy definition 'API Management calls to API backends should be authenticated' (c15dcc82-b93c-4dcb-9332-fbf121685b54)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v3.0 IM-4 Azure_Security_Benchmark_v3.0_IM-4 Microsoft cloud security benchmark IM-4 Identity Management Authenticate server and services Shared **Security Principle:** Authenticate remote servers and services from your client side to ensure you are connecting to trusted server and services. The most common server authentication protocol is Transport Layer Security (TLS), where the client-side (often a browser or client device) verifies the server by verifying the server’s certificate was issued by a trusted certificate authority. Note: Mutual authentication can be used when both the server and the client authenticate one-another. **Azure Guidance:** Many Azure services support TLS authentication by default. For the services supporting TLS enable/disable switch by the user, ensure it's always enabled to support the server/service authentication. Your client application should also be designed to verify server/service identity (by verifying the server’s certificate issued by a trusted certificate authority) in the handshake stage. **Implementation and additional context:** Enforce Transport Layer Security (TLS) for a storage account: https://docs.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal#use-azure-policy-to-enforce-the-minimum-tls-version n/a link 4
New_Zealand_ISM 16.1.32.C.01 New_Zealand_ISM_16.1.32.C.01 New_Zealand_ISM_16.1.32.C.01 16. Access Control and Passwords 16.1.32.C.01 System user identification n/a Agencies MUST ensure that all system users are: uniquely identifiable; and authenticated on each occasion that access is granted to a system. 18
U.10.5 - Competent U.10.5 - Competent 404 not found n/a n/a 33
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
Enforce recommended guardrails for API Management Enforce-Guardrails-APIM API Management GA ALZ
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn true
New Zealand ISM 4f5b1359-4f8e-4d7c-9733-ea47fcde891e Regulatory Compliance GA BuiltIn unknown
NL BIO Cloud Theme V2 d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-07-08 16:32:07 change Patch (1.0.0 > 1.0.1)
2022-06-17 16:31:08 add c15dcc82-b93c-4dcb-9332-fbf121685b54
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC