| title | description | author | ms.service | ms.topic | ms.date | ms.author | ms.custom | ai-usage |
|---|---|---|---|---|---|---|---|---|
Reference table for all API security recommendations in Microsoft Defender for Cloud |
This article lists all Microsoft Defender for Cloud API security recommendations that help you harden and protect your resources. |
dcurwin |
defender-for-cloud |
reference |
03/13/2024 |
dacurwin |
generated |
ai-assisted |
This article lists all the API/API management security recommendations you might see in Microsoft Defender for Cloud.
The recommendations that appear in your environment are based on the resources that you're protecting and on your customized configuration.
To learn about actions that you can take in response to these recommendations, see Remediate recommendations in Defender for Cloud.
Description & related policy: Enable the Defender for APIs plan to discover and protect API resources against attacks and security misconfigurations. Learn more
Severity: High
Description & related policy: Onboarding APIs to Defender for APIs requires compute and memory utilization on the Azure API Management service. Monitor performance of your Azure API Management service while onboarding APIs, and scale out your Azure API Management resources as needed.
Severity: High
Description & related policy: As a security best practice, API endpoints that haven't received traffic for 30 days are considered unused, and should be removed from the Azure API Management service. Keeping unused API endpoints might pose a security risk. These might be APIs that should have been deprecated from the Azure API Management service, but have accidentally been left active. Such APIs typically do not receive the most up-to-date security coverage.
Severity: Low
Description & related policy: API endpoints published within Azure API Management should enforce authentication to help minimize security risk. Authentication mechanisms are sometimes implemented incorrectly or are missing. This allows attackers to exploit implementation flaws and to access data. For APIs published in Azure API Management, this recommendation assesses authentication through verifying the presence of Azure API Management subscription keys for APIs or products where subscription is required, and the execution of policies for validating JWT, client certificates, and Microsoft Entra tokens. If none of these authentication mechanisms are executed during the API call, the API will receive this recommendation.
Severity: High
Description & related policy: API Management subscriptions should be scoped to a product or an individual API instead of all APIs, which could result in excessive data exposure.
Severity: Medium
Description & related policy: API Management should validate the backend server certificate for all API calls. Enable SSL certificate thumbprint and name validation to improve the API security.
Severity: Medium
Description & related policy: The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service.
Severity: Low
Description & related policy: APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS to ensure security of data in transit.
Severity: High
Description & related policy: Named values are a collection of name and value pairs in each API Management service. Secret values can be stored either as encrypted text in API Management (custom secrets) or by referencing secrets in Azure Key Vault. Reference secret named values from Azure Key Vault to improve security of API Management and secrets. Azure Key Vault supports granular access management and secret rotation policies.
Severity: Medium
Description & related policy: To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint.
Severity: Medium
Description & related policy: To prevent service secrets from being shared with read-only users, the minimum API version should be set to 2019-12-01 or higher.
Severity: Medium
Description & related policy: Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.
Severity: Medium