# Use base APIM policy element
Security · API Management · Rule · 2023_06 · Important
Base element for any policy element in a section should be configured.
## Description
Determine the policy evaluation order by placement of the base (`<base />`) element in each section in the policy definition at each scope.
API Management supports the following scopes: Global (all APIs), Workspace, Product, API, or Operation.
The base element inherits the policies configured in that section at the next broader (parent) scope.
Without it, security or other controls inherited from the parent scope may not apply.
The base element can be placed before or after any policy element in a section, depending on the wanted evaluation order.
However, if security controls are defined in inherited scopes, placing the base element after scope-local policies may decrease the effectiveness of these controls.
For most cases, unless otherwise specified in the policy reference (such as `cors`), the base element should be specified as the first element in each section.
A specific exception is the Global scope. The Global scope does not need the base element because it is the top-level scope from which all others inherit.
## Recommendation
Consider configuring the base element for each policy section.
## Examples
### Configure with Bicep
To deploy API Management policies that pass this rule:
- Configure a policy sub-resource.
- Define each of the policy sections in the policy XML: `inbound`, `backend`, `outbound`, and `on-error`.
- Configure the base element before or after any policy element in a section in the `properties.value` property.

For example, an API policy:
```bicep
resource apiName_policy 'Microsoft.ApiManagement/service/apis/policies@2021-08-01' = {
  parent: api
  name: 'policy'
  properties: {
    // Single-quoted Bicep string, so the XML attribute quotes need no escaping.
    value: '<policies><inbound><base /><ip-filter action="allow"><address-range from="10.1.0.1" to="10.1.0.255" /></ip-filter></inbound><backend><base /></backend><outbound><base /></outbound><on-error><base /></on-error></policies>'
    format: 'xml'
  }
}
```
Additionally, you can import this from a file using the `loadTextContent` Bicep function:
```bicep
resource apiName_policy 'Microsoft.ApiManagement/service/apis/policies@2021-08-01' = {
  parent: api
  name: 'policy'
  properties: {
    value: loadTextContent('./policy.xml')
    format: 'xml'
  }
}
```
Where `policy.xml` contains the policy XML:
```xml
<policies>
  <inbound>
    <base />
    <ip-filter action="allow">
      <address-range from="10.1.0.1" to="10.1.0.255" />
    </ip-filter>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```
### Configure with Azure template
To deploy API Management policies that pass this rule:
- Configure a policy sub-resource.
- Define each of the policy sections in the policy XML: `inbound`, `backend`, `outbound`, and `on-error`.
- Configure the base element before or after any policy element in a section in the `properties.value` property.

For example, an API policy:
```json
{
  "type": "Microsoft.ApiManagement/service/apis/policies",
  "apiVersion": "2021-08-01",
  "name": "[format('{0}/{1}', parameters('name'), 'policy')]",
  "properties": {
    "value": "<policies><inbound><base /><ip-filter action=\"allow\"><address-range from=\"10.1.0.1\" to=\"10.1.0.255\" /></ip-filter></inbound><backend><base /></backend><outbound><base /></outbound><on-error><base /></on-error></policies>",
    "format": "xml"
  },
  "dependsOn": [
    "[resourceId('Microsoft.ApiManagement/service/apis', parameters('name'))]"
  ]
}
```
## Notes
The rule only checks against `rawxml` and `xml` policy formatted content.
Global policies are excluded since they don't benefit from the base element.
This rule will fail if the policy XML does not contain all sections.
Check that `inbound`, `backend`, `outbound`, and `on-error` are all present.
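As an added illustration of the check described in these notes (not PSRule's own implementation), the following Python reads a policy XML document and reports sections that are missing or lack a `<base />` element, plus an advisory for sections where `<base />` is not first. Both sample documents are constructed for this example.

```python
import xml.etree.ElementTree as ET

# The four policy sections the rule requires; a policy XML that lacks any
# of them fails the rule outright.
REQUIRED_SECTIONS = ("inbound", "backend", "outbound", "on-error")


def check_policy_base(policy_xml: str) -> list[str]:
    """Return findings for one policy document; an empty list means it passes.

    A section that is absent, or present without a <base /> child, does not
    inherit the controls configured for that section at the parent scope.
    """
    root = ET.fromstring(policy_xml)
    findings = []
    for name in REQUIRED_SECTIONS:
        section = root.find(name)
        if section is None:
            findings.append(f"section <{name}> is missing")
        elif section.find("base") is None:
            findings.append(f"section <{name}> has no <base /> element")
    return findings


def sections_with_base_not_first(policy_xml: str) -> list[str]:
    """Advisory: sections where <base /> exists but is not the first element,
    so scope-local policies run before the inherited ones."""
    root = ET.fromstring(policy_xml)
    return [
        s.tag for s in root if s.tag in REQUIRED_SECTIONS
        and s.find("base") is not None and list(s)[0].tag != "base"
    ]


# Constructed sample: every section present, <base /> first in each.
PASSING = """<policies>
  <inbound><base /><ip-filter action="allow">
    <address-range from="10.1.0.1" to="10.1.0.255" /></ip-filter></inbound>
  <backend><base /></backend>
  <outbound><base /></outbound>
  <on-error><base /></on-error>
</policies>"""

# Constructed sample: inbound without <base />, on-error missing, and
# outbound with <base /> placed after a local policy element.
FAILING = """<policies>
  <inbound><ip-filter action="allow">
    <address-range from="10.1.0.1" to="10.1.0.255" /></ip-filter></inbound>
  <backend><base /></backend>
  <outbound><set-header name="X-Example" exists-action="override">
    <value>1</value></set-header><base /></outbound>
</policies>"""
```

Run `check_policy_base(FAILING)` to see the two failing findings, and `sections_with_base_not_first(FAILING)` to see `outbound` flagged for evaluation order.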
## Links
- Secure application configuration and dependencies
- Things to know
- Mitigate OWASP API threats
- Apply policies specified at different scopes
- Azure deployment reference