API Management - oWretch/policy GitHub Wiki
Category | Policy | Platform | Landing Zones | Production | Decommissioned | Management | Corp | Connectivity | Sandbox | Identity |
---|---|---|---|---|---|---|---|---|---|---|
API Management | API Management APIs should use only encrypted protocols: To ensure the security of data in transit, APIs should be available only through encrypted protocols, such as HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS. | Deny Disabled Audit | Deny Disabled Audit | Audit Deny Disabled | | | | | | |
API Management | API Management calls to API backends should be authenticated: Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. This does not apply to Service Fabric backends. | Deny Disabled Audit | Deny Disabled Audit | Audit Deny Disabled | | | | | | |
API Management | API Management calls to API backends should not bypass certificate thumbprint or name validation: To improve API security, API Management should validate the backend server certificate for all API calls. Enable SSL certificate thumbprint and name validation. | Deny Disabled Audit | Deny Disabled Audit | Audit Deny Disabled | | | | | | |
API Management | API Management direct management endpoint should not be enabled: The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service. | Deny Disabled Audit | Deny Disabled Audit | Audit Deny Disabled | | | | | | |
API Management | API Management minimum API version should be set to 2019-12-01 or higher: To prevent service secrets from being shared with read-only users, the minimum API version should be set to 2019-12-01 or higher. | Deny Disabled Audit | Deny Disabled Audit | Audit Deny Disabled | | | | | | |
API Management | API Management secret named values should be stored in Azure Key Vault: Named values are a collection of name and value pairs in each API Management service. Secret values can be stored either as encrypted text in API Management (custom secrets) or by referencing secrets in Azure Key Vault. To improve the security of API Management and its secrets, reference secret named values from Azure Key Vault. Azure Key Vault supports granular access management and secret rotation policies. | Deny Disabled Audit | Deny Disabled Audit | Audit Deny Disabled | | | | | | |
API Management | API Management service should use a SKU that supports virtual networks: With supported SKUs of API Management, deploying the service into a virtual network unlocks advanced API Management networking and security features, which give you greater control over your network security configuration. Learn more at: https://aka.ms/apimvnet. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
API Management | API Management services should use a virtual network: Azure Virtual Network deployment provides enhanced security and isolation, and allows you to place your API Management service in a non-internet-routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway can be configured to be accessible either from the Internet or only within the virtual network. | Deny Disabled Audit | Deny Disabled Audit | Audit Deny Disabled | | | | | | |
API Management | API Management services should use TLS version 1.2: Azure API Management service should use TLS version 1.2. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
API Management | API Management should disable public network access to the service configuration endpoints: To improve the security of API Management services, restrict connectivity to service configuration endpoints, such as the direct access management API, the Git configuration management endpoint, or the self-hosted gateway configuration endpoint. | AuditIfNotExists Disabled | AuditIfNotExists Disabled | | | | | | | |
API Management | API Management subscriptions should not be scoped to all APIs: API Management subscriptions should be scoped to a product or an individual API instead of to all APIs, which could result in excessive data exposure. | Deny Disabled Audit | Deny Disabled Audit | Audit Deny Disabled | | | | | | |
API Management | Azure API Management platform version should be stv2: The Azure API Management stv1 compute platform version will be retired effective 31 August 2024, and these instances should be migrated to the stv2 compute platform for continued support. Learn more at https://learn.microsoft.com/azure/api-management/breaking-changes/stv1-platform-retirement-august-2024 | Audit Deny Disabled | | | | | | | | |
API Management | Configure API Management services to disable access to API Management public service configuration endpoints: To improve the security of API Management services, restrict connectivity to service configuration endpoints, such as the direct access management API, the Git configuration management endpoint, or the self-hosted gateway configuration endpoint. | DeployIfNotExists Disabled | DeployIfNotExists Disabled | | | | | | | |
Category | Policy | Platform | Landing Zones | Production | Decommissioned | Management | Corp | Connectivity | Sandbox | Identity |
---|---|---|---|---|---|---|---|---|---|---|
API Management | API Management services should use a virtual network: Azure Virtual Network deployment provides enhanced security and isolation, and allows you to place your API Management service in a non-internet-routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway can be configured to be accessible either from the Internet or only within the virtual network. | aPIManagementServicesShouldUseAVirtualN... = ["Developer", "Premium"] | | | | | | | | |