Framework/Configurations/SVT/Services/APIManagement.json
{
"FeatureName": "APIManagement", "Reference": "aka.ms/azsktcp/apim", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_APIManagement_AuthZ_Grant_Min_RBAC_Access", "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)", "Id": "APIManagement110", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckRBACAccess", "Rationale": "Granting minimum access by leveraging the RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes the exposure of resources if a user or service account is compromised.", "Recommendation": "Remove any excessive privileges granted on the API Management Service. Run command: Remove-AzureRmRoleAssignment -SignInName '<SignInName>' -Scope '<Scope>' -RoleDefinitionName '<RoleDefinitionName>'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC", "APIManagement" ], "Enabled": true }, { "ControlID": "Azure_APIManagement_Audit_Enable_Alerts", "Description": "Metric alert rules must be configured for critical actions on API Management service", "Id": "APIManagement120", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckAPIMMetricAlert", "Rationale": "A metric alert on the occurrence of unauthorized gateway requests helps the admin identify security breach attempts.", "Recommendation": "Add or update a metric-based alert rule by using command Add-AzureRmMetricAlertRule -Location '{Location}' -MetricName 'UnauthorizedRequests' -Name '{alertName}' -Operator 'GreaterThan' -ResourceGroup '{ResourceGroupName}' -TargetResourceId '{TargetResourceId}' -Threshold 0 -TimeAggregationOperator 'Total' -WindowSize '01:00:00' -Action '{Comma-separated list of actions}'", "Tags": [ "SDL", "TCP", "Automated", "Audit", "APIManagement" ], "Enabled": true }, { "ControlID": "Azure_APIManagement_Audit_Enable_Diagnostics_Log", "Description": "Diagnostics logs 
must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days", "Id": "APIManagement130", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckDiagnosticsSettings", "Rationale": "Logs should be retained long enough that the activity trail can be recreated when an investigation is required after an incident or a compromise. A retention period of 1 year is typical for several compliance requirements as well.", "Recommendation": "Run command: Set-AzureRmDiagnosticSetting -ResourceId '{ResourceId}' -Enable `$true -StorageAccountId '{StorageAccountId}' -RetentionInDays $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) -RetentionEnabled `$true. Alternatively, you can also change the diagnostic settings from the Azure Portal by following the steps given here: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-archive-diagnostic-logs#archive-diagnostic-logs-using-the-portal.", "Tags": [ "SDL", "TCP", "Diagnostics", "Automated", "Audit", "APIManagement" ], "Enabled": true }, { "ControlID": "Azure_APIManagement_DP_Use_HTTPS_APIM_Access", "Description": "Backend API must only be accessible over HTTPS via API Management service", "Id": "APIManagement140", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckAPIMURLScheme", "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network-layer eavesdropping attacks.", "Recommendation": "Run command: Set-AzureRmApiManagementApi -Context {APIContextObject} -Protocols 'Https' -Name '{APIName}' -ApiId '{APIId}' -ServiceUrl '{ServiceURL}'. 
Run command: Get-AzureRmApiManagementApi -Context '{APIContextObject}' to get the details of existing APIs.", "Tags": [ "SDL", "TCP", "Automated", "DP", "APIManagement" ], "Enabled": true }, { "ControlID": "Azure_APIManagement_BCDR_Backup_Periodically", "Description": "API Management service instance should be backed up periodically", "Id": "APIManagement150", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "The service's 'backup and restore' feature provides a way to recover from availability problems affecting the region where your API Management service is hosted.", "Recommendation": "Use REST APIs for 'backup and restore' operations. Refer to https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-disaster-recovery-backup-restore.", "Tags": [ "SDL", "TCP", "BCDR", "APIManagement" ], "Enabled": true }, { "ControlID": "Azure_APIManagement_DP_Use_Secret_Named_Values", "Description": "Encryption of Named Values must be enabled when storing sensitive data", "Id": "APIManagement160", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckSecretNamedValues", "Rationale": "Named Values marked as secret are stored encrypted by the Azure platform.", "Recommendation": "Run command: Set-AzureRmApiManagementProperty -Secret `$true -Context {APIContextObject} -Name '{PropertyDisplayName}' -PropertyId '{PropertyId}'. 
Refer to https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-properties.", "Tags": [ "SDL", "TCP", "Automated", "DP", "APIManagement" ], "Enabled": true }, { "ControlID": "Azure_APIManagement_AuthN_Use_ARMBased_RESTAPI", "Description": "Direct access to the API Management REST API must be disabled; the ARM-based REST API should be used instead", "Id": "APIManagement170", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckNonARMAPIUsage", "Rationale": "The credentials used to access the API Management REST API provide admin-level access without support for role-based access control and without recording audit logs. For better security, it is recommended to make calls through the ARM-based REST API.", "Recommendation": "Run command: Set-AzureRmApiManagementTenantAccess -Context {APIContextObject} -Enabled `$false. Use the ARM-based REST API documented at https://docs.microsoft.com/en-us/rest/api/apimanagement.", "Tags": [ "SDL", "TCP", "Automated", "AuthN", "APIManagement" ], "Enabled": true } ] }