
Check the Cipher Suites Configured for API Gateways

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Azure API Management API gateways are not configured to use weak or deprecated TLS ciphers for client and backend communication. The following TLS ciphers are considered weak or deprecated:

  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA (TRIPLE DES)

Security

Weak or deprecated ciphers are vulnerable to known attacks and can expose sensitive data in transit to unauthorized parties. Ensuring that Azure API Management API gateways are not configured to use vulnerable TLS ciphers is crucial for maintaining a secure and compliant API infrastructure.

Audit

To determine the TLS ciphers configured for your Azure API Management API gateways, perform the following actions:

Getting the TLS ciphers configured for Azure API Management API gateways via Azure Command Line Interface (Azure CLI) is not currently supported.

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select API Management service and choose Apply to list only the Microsoft Azure API Management services available in the selected subscription.

05 Click on the name (link) of the Azure API Management service that you want to examine.

06 In the navigation panel, under Security, select Protocols + ciphers to access the API gateway's protocol and cipher configuration.

07 Select the Ciphers tab and check the Status value for the following ciphers: TLS_RSA_WITH_3DES_EDE_CBC_SHA (Triple DES), TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, and TLS_RSA_WITH_AES_128_GCM_SHA256. If one or more of these ciphers are enabled, the API gateway associated with the selected Azure API Management service is configured to use weak or deprecated TLS ciphers. If a deprecated cipher is enabled, the Azure Portal will also display the following message: Weak cipher enabled.

08 Repeat steps no. 5 – 7 for each Azure API Management service available in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To ensure that your Azure API Management API gateways don't use weak or deprecated TLS ciphers, perform the following actions:

IMPORTANT: Disabling TLS ciphers may break client or backend connectivity.

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select API Management service and choose Apply to list only the Microsoft Azure API Management services available in the selected subscription.

05 Click on the name (link) of the Azure API Management service that you want to examine.

06 In the navigation panel, under Security, select Protocols + ciphers to access the API gateway's protocol and cipher configuration.

07 Select the Ciphers tab, choose Hide required ciphers, select the following deprecated TLS ciphers: TLS_RSA_WITH_3DES_EDE_CBC_SHA (Triple DES), TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, and TLS_RSA_WITH_AES_128_GCM_SHA256, and choose Disable. Select Save to apply the changes. Configuration changes can take from 15 to 45 minutes to apply.

08 Repeat steps no. 5 – 7 for each Azure API Management service that you want to configure, available in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run the apim update command (Windows/macOS/Linux) using the name of the Azure API Management service instance that you want to configure and its associated resource group as the identifier parameters to disable weak or deprecated TLS ciphers such as TLS_RSA_WITH_3DES_EDE_CBC_SHA (Triple DES), TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, and TLS_RSA_WITH_AES_128_GCM_SHA256. The following command example disables the cipher TLS_RSA_WITH_AES_128_GCM_SHA256. The changes can take from 15 to 45 minutes to apply:

az apim update \
  --name cc-main-api-service-instance \
  --resource-group cloud-shell-storage-westeurope \
  --set customProperties='{"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256": "false"}'

02 The command output should return the information available for the configured Azure API Management service:

{
	"additionalLocations": null,
	"apiVersionConstraint": {
		"minApiVersion": null
	},
	"certificates": null,
	"customProperties": {
		"Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2": "False",
		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30": "False",
		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10": "False",
		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11": "False",
		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls13": "False",
		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256": "False",
		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168": "False",
		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30": "False",
		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10": "False",
		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11": "False",
		"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls13": "False"
	},
	"developerPortalUrl": "https://cc-main-api-service-instance.developer.azure-api.net",
	"disableGateway": false,
	"enableClientCertificate": null,
	"gatewayUrl": "https://cc-main-api-service-instance.azure-api.net",
	"location": "West Europe",
	"managementApiUrl": "https://cc-main-api-service-instance.management.azure-api.net",
	"name": "cc-main-api-service-instance",
	"natGatewayState": "Unsupported",
	"platformVersion": "stv2",
	"portalUrl": "https://cc-main-api-service-instance.portal.azure-api.net",
	"privateEndpointConnections": null,
	"privateIpAddresses": null,
	"provisioningState": "Succeeded",
	"publicIpAddressId": null,
	"publicNetworkAccess": "Enabled",
	"publisherName": "TrendMicro",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"restore": null,
	"scmUrl": "https://cc-main-api-service-instance.scm.azure-api.net",
	"sku": {
		"capacity": 1,
		"name": "Developer"
	},
	"tags": {},
	"targetProvisioningState": "",
	"type": "Microsoft.ApiManagement/service",
	"virtualNetworkConfiguration": null,
	"virtualNetworkType": "None",
	"zones": null
}

03 Repeat steps no. 1 and 2 for each Azure API Management service that you want to configure, available within the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.
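The Audit section above lists the weak suites and the CLI output above shows how the gateway records them under customProperties. The following is an added example, not part of this article or of the Conformity product, that evaluates that customProperties block for every weak suite, including the edge cases of a missing key and of mixed-case "False"/"false" values. It assumes the input is JSON in the shape printed by az apim update above (az apim show or az apim list return the same resource record), that the suites other than Triple DES are keyed by the shown prefix plus their IANA name, and that a suite with no explicit key is still enabled by default.

```python
import json

# Keys follow the pattern in the az apim output above: the Triple DES suite is keyed
# "TripleDes168"; the other suites are assumed to use prefix + IANA name.
PREFIX = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers."
WEAK_CIPHERS = {"TLS_RSA_WITH_3DES_EDE_CBC_SHA": PREFIX + "TripleDes168"}
for _name in (
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
):
    WEAK_CIPHERS[_name] = PREFIX + _name


def cipher_enabled(custom_properties, key):
    """A suite counts as enabled unless its key is explicitly "false".

    Missing keys are reported as enabled (assumption: the gateway default is on, so
    only an explicit disable is remediated). Case-insensitive, since the CLI prints
    "False" while --set takes "false".
    """
    value = custom_properties.get(key)
    return value is None or str(value).strip().lower() != "false"


def audit_instance(service):
    """Return the weak suites still enabled on one az apim show/list record."""
    props = service.get("customProperties") or {}
    return [name for name, key in WEAK_CIPHERS.items() if cipher_enabled(props, key)]


def audit_from_json(text):
    """Audit one record or a list of records (as az apim list prints), by name."""
    data = json.loads(text)
    return {r.get("name", "?"): audit_instance(r)
            for r in (data if isinstance(data, list) else [data])}


# Constructed sample: 3DES and AES_128_GCM disabled, one CBC suite on, rest unset.
SAMPLE = json.dumps([{"name": "cc-main-api-service-instance", "customProperties": {
    PREFIX + "TripleDes168": "False",
    PREFIX + "TLS_RSA_WITH_AES_128_GCM_SHA256": "False",
    PREFIX + "TLS_RSA_WITH_AES_128_CBC_SHA": "True",
}}])

if __name__ == "__main__":
    for name, weak in audit_from_json(SAMPLE).items():
        print(name, "->", "FAIL: " + ", ".join(weak) if weak else "PASS")
```

Replace SAMPLE with the saved output of the CLI for each subscription to get one PASS/FAIL line per service instance.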

Publication date Dec 26, 2023