AzPolicyAdvertizer

last sync: 2025-Apr-29 17:16:02 UTC

API Management APIs should use only encrypted protocols

Azure BuiltIn Policy definition

Source Azure Portal
Display name API Management APIs should use only encrypted protocols
Id ee7495e7-3ba7-40b6-bfee-c29e22cc75d4
Version 2.0.2
Details on versioning
Versioning Versions supported for Versioning: 1
2.0.2
Built-in Versioning [Preview]
Category API Management
Microsoft Learn
Description To ensure security of data in transit, APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS.
Cloud environments AzureCloud = true
AzureUSGovernment = unknown
AzureChinaCloud = unknown
Available in AzUSGov Unknown, no evidence if Policy definition is/not available in AzureUSGovernment
Assessment(s) Assessments count: 1
Assessment Id: 741b141d-8111-4d86-a4e0-f74b06270a74
DisplayName: API Management APIs should use only encrypted protocols
Description: To ensure security of data in transit, APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS.
Related OWASP API Security Top 10 Risks: (API8:2023) Security Misconfiguration
Remediation description: To set an API to HTTPS or WSS only for API Management Apis: 1. In the Azure portal, find your API Management Resource 2. Navigate to APIs and select the API 4. Select Settings 5. Under URL Scheme, select HTTPS for HTTP Apis, WSS for WebSocket Apis.
Categories: Compute
Severity: High
User impact: High
Threats: DataExfiltration
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Audit
Allowed
Audit, Disabled, Deny
RBAC role(s) none
Rule aliases IF (1)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.ApiManagement/service/apis/protocols[*] Microsoft.ApiManagement service/apis properties.protocols[*] True False
Rule resource types IF (1)
Compliance
The following 3 compliance controls are associated with this Policy definition 'API Management APIs should use only encrypted protocols' (ee7495e7-3ba7-40b6-bfee-c29e22cc75d4)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v3.0 DP-3 Azure_Security_Benchmark_v3.0_DP-3 Microsoft cloud security benchmark DP-3 Data Protection Encrypt sensitive data in transit Shared **Security Principle:** Protect the data in transit against 'out of band' attacks (such as traffic capture) using encryption to ensure that attackers cannot easily read or modify the data. Set the network boundary and service scope where data in transit encryption is mandatory inside and outside of the network. While this is optional for traffic on private networks, this is critical for traffic on external and public networks. **Azure Guidance:** Enforce secure transfer in services such as Azure Storage, where a native data in transit encryption feature is built in. Enforce HTTPS for workload web application and services by ensuring that any clients connecting to your Azure resources use transportation layer security (TLS) v1.2 or later. For remote management of VMs, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Note: Data in transit encryption is enabled for all Azure traffic traveling between Azure datacenters. TLS v1.2 or later is enabled on most Azure PaaS services by default. **Implementation and additional context:** Double encryption for Azure data in transit: https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-in-transit Understand encryption in transit with Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit Information on TLS Security: https://docs.microsoft.com/security/engineering/solving-tls1-problem Enforce secure transfer in Azure storage: https://docs.microsoft.com/azure/storage/common/storage-require-secure-transfer?toc=/azure/storage/blobs/toc.json#require-secure-transfer-for-a-new-storage-account n/a link 15
New_Zealand_ISM 17.1.55.C.03 New_Zealand_ISM_17.1.55.C.03 New_Zealand_ISM_17.1.55.C.03 17. Cryptography 17.1.55.C.03 Information and Systems Protection n/a Agencies MUST encrypt aggregated agency data using an approved algorithm and protocol over insecure or unprotected networks such as the Internet, public infrastructure or non-agency controlled networks when the compromise of the aggregated data would present a significant impact to the agency. 1
U.05.1 - Cryptographic measures U.05.1 - Cryptographic measures 404 not found n/a n/a 18
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
Enforce recommended guardrails for API Management Enforce-Guardrails-APIM API Management GA ALZ
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn true
New Zealand ISM 4f5b1359-4f8e-4d7c-9733-ea47fcde891e Regulatory Compliance GA BuiltIn unknown
NL BIO Cloud Theme V2 d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2023-03-27 17:43:07 change Patch (2.0.1 > 2.0.2)
2022-07-08 16:32:07 change Patch (2.0.0 > 2.0.1)
2022-06-24 19:15:47 change Major (1.0.0 > 2.0.0)
2022-06-17 16:31:08 add ee7495e7-3ba7-40b6-bfee-c29e22cc75d4
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC