Secure access to APIs using client certificates

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your Azure API Management service instances are configured to use client certificates for authentication in order to enhance security and establish trust between API clients and Azure API Management.

Security

Securing access to Azure API Management services using client certificates provides an additional layer of authentication and ensures that only authorized clients with the correct certificates can access the APIs, enhancing overall security and protecting sensitive data. Using client certificates makes it much more difficult for attackers to intercept and modify API calls.
Audit

To determine if your Azure API Management services are configured to use client certificates, perform the following operations:

Determining whether your Azure API Management services are configured to use client certificates via Azure Command Line Interface (Azure CLI) is not currently supported.

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select API Management service and choose Apply to list only the Microsoft Azure API Management services available in the selected subscription.

05 Click on the name (link) of the Azure API Management service that you want to examine.

06 In the navigation panel, under Security, select Certificates.

07 Select the Certificates tab and check for any client certificates associated with your API service. If there are no certificates listed on this page, there are no client certificates associated with the selected Azure API Management service. If one or more active client certificates are present, continue the Audit process with the next step.

08 In the navigation panel, under Deployment + infrastructure, select Custom domains.

09 If your API service tier is Developer, Basic, Standard, or Premium, click on the hostname of the Azure API Management API gateway configured for your service and check the Negotiate client certificate setting status. If the setting is disabled (i.e. the checkbox is not selected), the selected Azure API Management service is not configured to use client certificates. If your API service tier is Consumption, check the Request client certificate setting status under Client certificates. If the setting is disabled (i.e. Request client certificate is set to No), the selected Azure API Management service is not configured to use client certificates.

10 Repeat steps no. 5 – 9 for each Azure API Management service available in the selected Azure subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.
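The audit rules from steps 07 and 09 expressed as an offline check, added here as an example and not Conformity's or Microsoft's code. It reads the Microsoft.ApiManagement/service ARM resource properties (sku.name, properties.hostnameConfigurations[].negotiateClientCertificate, properties.enableClientCertificate); the sample resources are constructed, and treating any gateway hostname with the flag disabled as a failure is this example's stricter reading of step 09.

```python
# Offline evaluation of the Audit rules above (steps 07 and 09) against an
# Azure API Management ARM resource. Property names are those of the
# Microsoft.ApiManagement/service resource; the sample resources are constructed.

def uses_client_certificates(resource, certificate_count):
    """Return (compliant, reason) for one API Management service.

    certificate_count is the number of certificates listed under
    Security > Certificates (step 07). Client certificates are a separate
    ARM sub-resource, so the count is passed in rather than read here.
    """
    if certificate_count == 0:
        return False, "no client certificates associated with the service"
    tier = resource.get("sku", {}).get("name", "")
    props = resource.get("properties", {})
    if tier == "Consumption":
        # Consumption tier exposes one service-level switch (step 09, Request client certificate)
        if props.get("enableClientCertificate") is True:
            return True, "Request client certificate is set to Yes"
        return False, "Request client certificate is set to No"
    # Developer/Basic/Standard/Premium: the setting lives on each gateway
    # ("Proxy") hostname under Custom domains (step 09, Negotiate client certificate)
    gateways = [h for h in props.get("hostnameConfigurations", [])
                if h.get("type") == "Proxy"]
    if not gateways:
        return False, "no gateway hostname configuration found"
    disabled = [h.get("hostName", "?") for h in gateways
                if not h.get("negotiateClientCertificate", False)]
    if disabled:
        return False, "Negotiate client certificate disabled on: " + ", ".join(disabled)
    return True, "Negotiate client certificate enabled on all gateway hostnames"


# Constructed sample resources (not real Azure resources)
SAMPLE_SERVICES = {
    "apim-standard-01": {
        "sku": {"name": "Standard"},
        "properties": {"hostnameConfigurations": [
            {"type": "Proxy", "hostName": "api.example.test",
             "negotiateClientCertificate": False},
            {"type": "Portal", "hostName": "portal.example.test"},
        ]},
    },
    "apim-consumption-01": {
        "sku": {"name": "Consumption"},
        "properties": {"enableClientCertificate": True},
    },
}

if __name__ == "__main__":
    for name, resource in SAMPLE_SERVICES.items():
        ok, why = uses_client_certificates(resource, certificate_count=1)
        print("%-20s %s: %s" % (name, "PASS" if ok else "FAIL", why))
```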

Remediation / Resolution

To ensure that your Azure API Management services are configured to use client certificates in order to secure access to your APIs, perform the following operations:

Configuring Azure API Management services to use client certificates via Azure Command Line Interface (Azure CLI) is not currently supported.

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select API Management service and choose Apply to list only the Microsoft Azure API Management services available in the selected subscription.

05 Click on the name (link) of the Azure API Management service that you want to examine.

06 In the navigation panel, under Security, select Certificates.

07 Select the Certificates tab, choose Add, and perform the following actions:

  1. Provide a unique identifier for the certificate in the Id box.
  2. For Certificate, select the type of the certificate. To add an Azure Key Vault certificate choose Key Vault, use Select under Certificate key vault id to choose the required certificate and its key vault, and choose Select to apply the changes. For Client identity, select a system or user assigned managed identity to access the key vault. To upload a client certificate, choose Custom, browse to select the required certificate (.pfx file format), and enter the certificate password in the Password box.
  3. Choose Add to add a new client certificate to your Azure API Management service.

08 In the navigation panel, under Deployment + infrastructure, select Custom domains to configure your API Management service instance to receive and verify client certificates.

09 If your API service tier is Developer, Basic, Standard, or Premium, click on the hostname of the Azure API Management API gateway configured for your API service and select the Negotiate client certificate checkbox. Choose Update to save the changes. If your API service tier is Consumption, select Yes next to Request client certificate, under Client certificates. This enforces a client certificate to be presented on each request made to your API gateway. Choose Save to apply the changes.

10 Set up the validate-client-certificate inbound policy to validate the client certificate. You can configure the policy to validate one or more attributes such as certificate issuer, thumbprint, certificate subject, etc.

11 Repeat steps no. 5 – 10 for each Azure API Management service that you want to configure, available in the selected Azure subscription.

12 Repeat steps no. 3 – 11 for each subscription created within your Microsoft Azure cloud account.
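A helper that produces the validate-client-certificate inbound policy fragment needed in step 10, added here as an example rather than Conformity's or Microsoft's code. The element and attribute names follow the published API Management policy schema; the thumbprint and subject values in the sample call are constructed, and the thumbprint normalization handles the spaces or colons that certificate viewers insert when a thumbprint is copied.

```python
# Builds the validate-client-certificate inbound policy fragment from step 10.
# Element and attribute names follow the documented API Management policy
# schema; the identities in the sample call are constructed values.
import re
from xml.sax.saxutils import quoteattr

IDENTITY_ATTRIBUTES = {"thumbprint", "serial-number", "common-name", "subject",
                       "dns-name", "issuer-subject", "issuer-thumbprint"}

def normalize_thumbprint(value):
    """Thumbprints copied from certificate viewers often carry spaces or
    colons; strip them and require exactly 40 hex digits (SHA-1)."""
    cleaned = re.sub(r"[\s:]", "", value).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("not a 40-hex-digit SHA-1 thumbprint: %r" % (value,))
    return cleaned

def build_policy(identities, validate_revocation=True):
    """identities: list of dicts using keys from IDENTITY_ATTRIBUTES. The gateway
    accepts a certificate matching at least one identity; every attribute set
    on that identity must match. This helper insists on at least one identity
    so a caller mistake cannot silently emit a policy that names no client."""
    if not identities:
        raise ValueError("at least one identity is required")
    rows = []
    for ident in identities:
        unknown = set(ident) - IDENTITY_ATTRIBUTES
        if unknown:
            raise ValueError("unknown identity attribute(s): %s" % sorted(unknown))
        attrs = []
        for key in sorted(ident):
            val = ident[key]
            if key.endswith("thumbprint"):
                val = normalize_thumbprint(val)
            attrs.append("%s=%s" % (key, quoteattr(val)))  # quoteattr escapes " < & for XML
        rows.append("        <identity %s />" % " ".join(attrs))
    flags = ('validate-revocation="%s" validate-trust="true" validate-not-before="true" '
             'validate-not-after="true" ignore-error="false"'
             % ("true" if validate_revocation else "false"))
    return ("<validate-client-certificate %s>\n    <identities>\n%s\n    </identities>\n"
            "</validate-client-certificate>" % (flags, "\n".join(rows)))

# Constructed sample identities (not real certificates)
SAMPLE_IDENTITIES = [
    {"thumbprint": "01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67"},
    {"subject": "CN=partner-client, O=Example Partner", "issuer-subject": "CN=Example Partner CA"},
]

if __name__ == "__main__":
    print(build_policy(SAMPLE_IDENTITIES))
```

Paste the printed fragment into the inbound section of the API or product policy; ignore-error="false" means a failed validation returns an error rather than silently continuing.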

Publication date Dec 26, 2023