Skip to content

Require approval for products#

Security · API Management · Rule · 2020_06 · Important

Configure products to require approval.

Description#

When publishing APIs through Azure API Management (APIM), APIs can optionally be assigned to products. Products are a grouping and management construct within API Management. API Management uses products:

  • To organize APIs and make them available to developers via the developer portal. For an API to be discoverable within the developer portal, it must be assigned to a published product.
  • To control access and assign policies to APIs with subscription keys. Subscription keys are a form of credential secret that is used to authenticate a client application to an API. Examples of policies include throttling, caching, and transformation.

Requiring subscriptions on products and requiring approval is an optional security control within API Management. However, for authorizing access to APIs it is recommended to use stronger forms of authorization such as OAuth 2.0.

Using subscriptions and approval on products helps by:

  • Reducing the risk of unintended exposure of APIs.
  • Allowing organization governance processes to ensure any issued subscription keys are stored securely, rotated, and expired.

If a product does not require subscriptions (called an open product):

  • Any API assigned to that product can be called without a subscription key. This applies even if the API is configured to require a subscription key.

If a product requires subscriptions, but does not require approval:

  • A subscription key can be generated by any developer portal user with permission to the product.

Recommendation#

Consider configuring all API Management products to require approval.

Examples#

Configure with Azure template#

To deploy API Management Products that pass this rule:

  • Set the properties.approvalRequired property to true.

For example:

Azure Template snippet
{
  "type": "Microsoft.ApiManagement/service/products",
  "apiVersion": "2022-08-01",
  "name": "[format('{0}/{1}', parameters('name'), 'echo')]",
  "properties": {
    "displayName": "Echo",
    "description": "Echo API services for Contoso.",
    "approvalRequired": true,
    "subscriptionRequired": true
  },
  "dependsOn": [
    "[resourceId('Microsoft.ApiManagement/service', parameters('name'))]"
  ]
}

Configure with Bicep#

To deploy API Management Products that pass this rule:

  • Set the properties.approvalRequired property to true.

For example:

Azure Bicep snippet
resource product 'Microsoft.ApiManagement/service/products@2022-08-01' = {
  parent: service
  name: 'echo'
  properties: {
    displayName: 'Echo'
    description: 'Echo API services for Contoso.'
    approvalRequired: true
    subscriptionRequired: true
  }
}

Comments