AzPolicyAdvertizer

last sync: 2024-Nov-25 18:54:24 UTC

API Management calls to API backends should not bypass certificate thumbprint or name validation

Azure BuiltIn Policy definition

Source Azure Portal
Display name API Management calls to API backends should not bypass certificate thumbprint or name validation
Id 92bb331d-ac71-416a-8c91-02f2cb734ce4
Version 1.0.2
Details on versioning
Versioning Versions supported for Versioning: 1
1.0.2
Built-in Versioning [Preview]
Category API Management
Microsoft Learn
Description To improve the API security, API Management should validate the backend server certificate for all API calls. Enable SSL certificate thumbprint and name validation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Audit
Allowed
Audit, Disabled, Deny
RBAC role(s) none
Rule aliases IF (2)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.ApiManagement/service/backends/tls.validateCertificateChain Microsoft.ApiManagement service/backends properties.tls.validateCertificateChain True False
Microsoft.ApiManagement/service/backends/tls.validateCertificateName Microsoft.ApiManagement service/backends properties.tls.validateCertificateName True False
Rule resource types IF (1)
Microsoft.ApiManagement/service/backends
Compliance
The following 2 compliance controls are associated with this Policy definition 'API Management calls to API backends should not bypass certificate thumbprint or name validation' (92bb331d-ac71-416a-8c91-02f2cb734ce4)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v3.0 IM-4 Azure_Security_Benchmark_v3.0_IM-4 Microsoft cloud security benchmark IM-4 Identity Management Authenticate server and services Shared **Security Principle:** Authenticate remote servers and services from your client side to ensure you are connecting to trusted server and services. The most common server authentication protocol is Transport Layer Security (TLS), where the client-side (often a browser or client device) verifies the server by verifying the server’s certificate was issued by a trusted certificate authority. Note: Mutual authentication can be used when both the server and the client authenticate one-another. **Azure Guidance:** Many Azure services support TLS authentication by default. For the services supporting TLS enable/disable switch by the user, ensure it's always enabled to support the server/service authentication. Your client application should also be designed to verify server/service identity (by verifying the server’s certificate issued by a trusted certificate authority) in the handshake stage. **Implementation and additional context:** Enforce Transport Layer Security (TLS) for a storage account: https://docs.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal#use-azure-policy-to-enforce-the-minimum-tls-version n/a link 4
New_Zealand_ISM 23.4.10.C.01 New_Zealand_ISM_23.4.10.C.01 New_Zealand_ISM_23.4.10.C.01 23. Public Cloud Security 23.4.10.C.01 Data accessibility n/a Agencies MUST apply the principle of least privilege and configure service endpoints to restrict access to authorised parties. 4
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
Enforce recommended guardrails for API Management Enforce-Guardrails-APIM API Management GA ALZ
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn
New Zealand ISM 4f5b1359-4f8e-4d7c-9733-ea47fcde891e Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2023-03-17 18:44:06 change Patch (1.0.1 > 1.0.2)
2022-07-08 16:32:07 change Patch (1.0.0 > 1.0.1)
2022-06-17 16:31:08 add 92bb331d-ac71-416a-8c91-02f2cb734ce4
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC