last sync: 2025-Apr-29 17:16:02 UTC

API endpoints that are unused should be disabled and removed from the Azure API Management service

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: API endpoints that are unused should be disabled and removed from the Azure API Management service
Id: c8acafaf-3d23-44d1-9624-978ef0f8652c
Version: 1.0.1
Versioning: versions supported for versioning: 1 (1.0.1)
Category: Security Center
Description: As a security best practice, API endpoints that haven't received traffic for 30 days are considered unused and should be removed from the Azure API Management service. Keeping unused API endpoints may pose a security risk to your organization. These may be APIs that should have been deprecated from the Azure API Management service but were accidentally left active. Such APIs typically do not receive the most up-to-date security coverage.
Cloud environments: AzureCloud = true; AzureUSGovernment = unknown; AzureChinaCloud = unknown
Available in AzUSGov: unknown (no evidence whether this Policy definition is or is not available in AzureUSGovernment)
Assessments (count: 1)
Assessment Id: 4e8c00a2-e8bc-42a8-9e12-99584a51ad10
DisplayName: API endpoints that are unused should be disabled and removed from the Azure API Management service
Description: API endpoints that have not received traffic for 30 days are deemed unused and pose a potential security risk.
They may have been left active accidentally when they should have been deprecated.
These unused APIs often lack the latest security updates, making them vulnerable.
We recommend disabling and removing these endpoints from the Azure API Management service to prevent potential security breaches.
Related OWASP API Security Top 10 Risks: (API8:2023) Security Misconfiguration
Remediation description: Note: Manually verify that the API endpoint is unused and consider any potential impact this may cause before removing the API endpoint from the Azure API Management service.
1. Navigate to the Azure API Management service to locate the unhealthy resources within the Azure Portal.
2. In the left pane, select APIs.
3. Select the API with the associated API collection name that is hosting the affected API endpoint (in Azure API Management, known as "API operation").
4. Select the ellipses (...) next to the endpoint and select "Delete" to remove the unused API endpoint.
Categories: Data
Severity: Low
Implementation effort: Low
Threats: MissingCoverage
Mode: All
Type: BuiltIn
Preview: False
Deprecated: False
Effect: default AuditIfNotExists; allowed AuditIfNotExists, Disabled
RBAC role(s): none
Rule aliases: THEN-ExistenceCondition (1)
  Alias: microsoft.security/assessments/status.code
  Namespace: Microsoft.Security
  ResourceType: assessments
  Path: properties.status.code
  PathIsDefault: True
  DefaultPath: (empty)
  Modifiable: False
Rule resource types: IF (1)
Compliance
The following 2 compliance controls are associated with this Policy definition 'API endpoints that are unused should be disabled and removed from the Azure API Management service' (c8acafaf-3d23-44d1-9624-978ef0f8652c):

Control 1
  Framework: Azure_Security_Benchmark_v3.0
  Control name: AM-3
  MetadataId: Azure_Security_Benchmark_v3.0_AM-3
  Category: Microsoft cloud security benchmark
  Control domain: Asset Management
  Title: Ensure security of asset lifecycle management
  Owner: Shared
  Requirements description: **Security Principle:** Ensure security attributes or configurations of the assets are always updated during the asset lifecycle. **Azure Guidance:** Establish or update security policies/process that address asset lifecycle management processes for potentially high impact modifications. These modifications include changes to identity providers and access, data sensitivity, network configuration, and administrative privilege assignment. Remove Azure resources when they are no longer needed. **Implementation and additional context:** Delete Azure resource group and resource: https://docs.microsoft.com/azure/azure-resource-manager/management/delete-resource-group
  Info: n/a
  Policy#: 1

Control 2
  Framework: New_Zealand_ISM
  Control name: 22.1.24.C.03
  MetadataId: New_Zealand_ISM_22.1.24.C.03
  Category: New_Zealand_ISM_22.1.24.C.03
  Control domain: 22. Enterprise systems security
  Title: 22.1.24.C.03 Unauthorised Access
  Owner: n/a
  Requirements description: Agencies intending to adopt cloud technologies or services SHOULD apply controls to detect and prevent unauthorised data transfers and multiple or large scale data transfers to offshore locations and entities.
  Policy#: 1
Initiatives usage
Initiative: Microsoft cloud security benchmark; Initiative Id: 1f3afdf9-d0c9-4c3d-847f-89da613e70a8; Initiative Category: Security Center; State: GA; Type: BuiltIn; polSet in AzUSGov: true
Initiative: New Zealand ISM; Initiative Id: 4f5b1359-4f8e-4d7c-9733-ea47fcde891e; Initiative Category: Regulatory Compliance; State: GA; Type: BuiltIn; polSet in AzUSGov: unknown
History (Date/Time in UTC, ymd)
2023-11-06 19:40:47, change: Patch, old suffix: preview (1.0.0-preview > 1.0.1)
2023-08-03 17:56:09, add: c8acafaf-3d23-44d1-9624-978ef0f8652c