# API Management Service has default products present
Security · API Management · Rule · 2020_06 · Awareness
API Management Services with the default sample products still configured may expose more APIs than intended.

## Description
API Management includes two sample products, Starter and Unlimited. These products are created by default when an API Management Service using V1 plans is created.

In both cases, the products are created with a default set of developer permissions that may be too permissive. Accidentally adding APIs to these sample products may expose API metadata to unauthorized users.
Before publishing APIs, plan access control for API development and usage. Additional products or workspaces can be created to manage discovery of APIs and enforce usage policies.
## Recommendation

Consider removing the Starter and Unlimited products from API Management to reduce the risk of unauthorized API discovery.
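The following PowerShell script is an added example, not code from the PSRule for Azure project or this rule's documentation. It assumes the Az.ApiManagement module is installed, an Az session already exists (Connect-AzAccount), and that the sample products carry the product IDs `starter` and `unlimited` (an assumption based on how the defaults are usually exported; verify against your service). The resource group and service names are placeholders. Without `-Remove` the script only reports which sample products exist and which APIs are attached to them, so you can confirm nothing is still published through them before deleting.

```powershell
# Added example (not part of the PSRule for Azure docs): report, and optionally
# remove, the default Starter and Unlimited sample products from an API Management
# service. Requires the Az.ApiManagement module and an existing Az session.
param(
    [string]$ResourceGroupName = 'rg-apim-example',   # placeholder, replace with your resource group
    [string]$ServiceName       = 'apim-example',      # placeholder, replace with your APIM service name
    [switch]$Remove                                   # omit to run in report-only mode
)

$context = New-AzApiManagementContext -ResourceGroupName $ResourceGroupName -ServiceName $ServiceName

# Assumed product IDs of the two sample products created with V1 plans.
$sampleProductIds = @('starter', 'unlimited')

$sampleProducts = Get-AzApiManagementProduct -Context $context |
    Where-Object { $sampleProductIds -contains $_.ProductId }

if (-not $sampleProducts) {
    Write-Host 'No default sample products present.'
    return
}

foreach ($product in $sampleProducts) {
    # List the APIs attached to the product so removal is never done blind:
    # any API listed here is discoverable by whoever can see this product.
    $apis = @(Get-AzApiManagementApi -Context $context -ProductId $product.ProductId)
    $apiNames = if ($apis.Count -gt 0) { ($apis | ForEach-Object { $_.Name }) -join ', ' } else { '(none)' }
    Write-Host ("Product '{0}' (state: {1}) has {2} API(s) attached: {3}" -f `
        $product.ProductId, $product.State, $apis.Count, $apiNames)

    if ($Remove) {
        # -DeleteSubscriptions also removes any developer subscriptions held on the product;
        # leaving them behind would block the delete.
        Remove-AzApiManagementProduct -Context $context -ProductId $product.ProductId -DeleteSubscriptions
        Write-Host ("Removed product '{0}'." -f $product.ProductId)
    }
}
```

Run it once without `-Remove` and review the attached APIs; if any of your own APIs appear there, move them to a product with the intended visibility and subscription policy first, then re-run with `-Remove`.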
## Notes

This rule applies when analyzing API Management Services that are deployed and running within Azure (in-flight resources).