
Enforce HTTPS

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: APIManagement-002

Ensure that your Azure API Management APIs are configured to enforce HTTPS for all API calls in order to provide secure, encrypted communication, protect data integrity, user privacy, and comply with industry standards.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Enforcing HTTPS for all API calls within Azure API Management protects data in transit. TLS prevents eavesdropping and tampering between clients and the gateway, lets clients authenticate the gateway through its certificate, and keeps the API usable from modern browsers, which block mixed content and restrict insecure origins. An API that also accepts plain HTTP allows a client (or an attacker who downgrades it) to send subscription keys and request payloads in the clear. Following this best practice demonstrates your commitment to data security.


Audit

To determine if your Azure API Management APIs are configured to enforce HTTPS for all API calls, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select API Management service and choose Apply to list only the Microsoft Azure API Management services available in the selected subscription.

05 Click on the name (link) of the Azure API Management service that you want to examine.

06 In the main navigation panel, under APIs, select APIs to access the list of APIs managed by the selected service.

07 Select the API that you want to examine, listed under All APIs.

08 Choose the Settings tab and check the URL scheme configuration setting listed in the General section. If the URL scheme is set to HTTP or Both rather than HTTPS, the selected Azure API Management API is not configured to enforce HTTPS for API calls.

09 Repeat steps no. 7 and 8 for each API managed by the selected Azure API Management service.

10 Repeat steps no. 5 – 9 for each Azure API Management service available in the selected Azure subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run apim list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group for each Azure API Management service instance available in the current subscription:

az apim list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested Azure API Management service names:

Name                           ResourceGroup
----------------------         ------------------------------
cc-main-api-service-instance   cloud-shell-storage-westeurope
cc-project5-service-instance   cloud-shell-storage-westeurope

03 Run apim api list command (Windows/macOS/Linux) using the name of the Azure API Management service instance that you want to examine and its associated resource group as the identifier parameters to describe the name of each API managed by the selected service:

az apim api list \
  --service-name cc-main-api-service-instance \
  --resource-group cloud-shell-storage-westeurope \
  --query '[].name'

04 The command output should return the requested Azure API Management API names:

[
	"cc-worker-api",
	"cc-filter-api"
]

05 Run apim api show command (Windows/macOS/Linux) using the name of the Azure API Management API that you want to examine as the identifier parameter to describe the protocols (URL schemes) on which the selected API accepts requests:

az apim api show \
  --api-id "cc-worker-api" \
  --service-name cc-main-api-service-instance \
  --resource-group cloud-shell-storage-westeurope \
  --query 'protocols'

06 The command output should return the protocol(s) configured for the URL scheme:

[
	"http"
]

Check the array returned by the apim api show command output to determine the URL scheme(s) configured for your API. If the array contains anything other than "https" (for example "http" alone, or "http" alongside "https", which corresponds to the Both setting in the Azure portal), the selected Azure API Management API is not configured to enforce HTTPS for API calls.

07 Repeat steps no. 5 and 6 for each API managed by the selected Azure API Management service.

08 Repeat steps no. 3 - 7 for each Azure API Management service available in the selected Azure subscription.

09 Repeat steps no. 1 – 8 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To ensure that your Azure API Management APIs are configured to enforce HTTPS for all API calls, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select API Management service and choose Apply to list only the Microsoft Azure API Management services available in the selected subscription.

05 Click on the name (link) of the Azure API Management service that you want to access.

06 In the main navigation panel, under APIs, select APIs to access the list of APIs managed by the selected service.

07 Select the API that you want to configure, listed under All APIs.

08 Choose the Settings tab and set the URL scheme to HTTPS to enforce HTTPS for all API requests made to the selected Azure API Management API. Choose Save to apply the changes.

09 Repeat steps no. 7 and 8 for each API managed by the selected Azure API Management service.

10 Repeat steps no. 5 - 9 for each Azure API Management service available in the selected Azure subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run apim api update command (Windows/macOS/Linux) using the name of the Azure API Management API that you want to configure as the identifier parameter to enforce HTTPS for all API requests made to the selected API by setting the --protocols configuration parameter to https:

az apim api update \
  --api-id "cc-worker-api" \
  --service-name cc-main-api-service-instance \
  --resource-group cloud-shell-storage-westeurope \
  --protocols https

02 The command output should return the API configuration information, with "protocols" now listing only "https". Note that --protocols governs only the scheme clients use to reach the gateway; the backend address in "serviceUrl" (plain http:// in the output below) is a separate setting, changed with the --service-url parameter of the same command, and should also point at an HTTPS endpoint so that the gateway-to-backend leg is encrypted as well:

{
	"apiRevision": "1",
	"apiRevisionDescription": null,
	"apiType": null,
	"apiVersion": null,
	"apiVersionDescription": null,
	"apiVersionSet": null,
	"apiVersionSetId": null,
	"authenticationSettings": {
		"oAuth2": null,
		"oAuth2AuthenticationSettings": null,
		"openid": null,
		"openidAuthenticationSettings": null
	},
	"contact": null,
	"description": null,
	"displayName": "Worker API",
	"id": "/subscriptions/b6d0a59c-13ae-4723-8f1c-7123bda03097/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ApiManagement/service/cc-main-api-service-instance/apis/cc-worker-api",
	"isCurrent": true,
	"isOnline": null,
	"license": null,
	"name": "cc-worker-api",
	"path": "worker",
	"protocols": [
		"https"
	],
	"resourceGroup": "cloud-shell-storage-westeurope",
	"serviceUrl": "http://workerapi.cloudapp.net/api",
	"sourceApiId": null,
	"subscriptionKeyParameterNames": {
		"header": "Ocp-Apim-Subscription-Key",
		"query": "subscription-key"
	},
	"subscriptionRequired": true,
	"termsOfServiceUrl": null,
	"type": "Microsoft.ApiManagement/service/apis"
}

03 Repeat steps no. 1 and 2 for each API managed by the selected Azure API Management service.

04 Repeat steps no. 1 – 3 for each Azure API Management service available in the selected Azure subscription.

05 Repeat steps no. 1 - 4 for each subscription created in your Microsoft Azure cloud account.
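The following script is an added example, not part of the Conformity page or of the Azure CLI itself. It automates the Azure CLI audit above (steps 1 through 9) and the remediation (steps 1 through 5) across every enabled subscription, API Management service and API in one run. It assumes the Azure CLI is installed and logged in (az login) with read access to the API Management services and, for "fix" mode, write access; the script name apim_https_audit.sh and the function names are placeholders chosen here. The compliance test mirrors the page's rule: a protocol list is compliant only when it contains "https" and nothing else.

```shell
#!/bin/sh
# Added example (not from the Conformity page): automate the CLI audit and
# remediation steps across every subscription, service and API.
# Assumes the Azure CLI is installed and logged in (az login).
set -eu

# Return 0 when the JSON array printed by
#   az apim api show ... --query protocols
# lists "https" and nothing else; any other scheme (or an empty list) is a
# finding. Pure shell, so the check itself needs neither az nor jq.
https_only() {
  # turn '["http", "https"]' (possibly multi-line) into 'http https'
  list=$(printf '%s' "$1" | sed 's/[][",]/ /g')
  set -- $list            # unquoted on purpose: split on whitespace
  [ $# -gt 0 ] || return 1
  for proto in "$@"; do
    [ "$proto" = https ] || return 1
  done
  return 0
}

# Walk enabled subscriptions -> API Management services -> APIs, printing
# one line per API. With "fix" as the argument, non-compliant APIs are
# updated to https only (the same az apim api update call as in the
# Remediation section above).
audit_apim_https() {
  mode=${1:-audit}
  for sub in $(az account list --query "[?state=='Enabled'].id" -o tsv); do
    az apim list --subscription "$sub" \
      --query '[].[name,resourceGroup]' -o tsv |
    while read -r svc rg; do
      az apim api list --subscription "$sub" --service-name "$svc" \
        --resource-group "$rg" --query '[].name' -o tsv |
      while read -r api; do
        protos=$(az apim api show --subscription "$sub" --api-id "$api" \
          --service-name "$svc" --resource-group "$rg" \
          --query protocols -o json)
        if https_only "$protos"; then
          printf 'OK       %s %s/%s\n' "$sub" "$svc" "$api"
        else
          printf 'FINDING  %s %s/%s protocols=%s\n' "$sub" "$svc" "$api" \
            "$(printf '%s' "$protos" | tr -d '[:space:]')"
          if [ "$mode" = fix ]; then
            az apim api update --subscription "$sub" --api-id "$api" \
              --service-name "$svc" --resource-group "$rg" \
              --protocols https --output none
          fi
        fi
      done
    done
  done
}

# Usage: sh apim_https_audit.sh audit   (report only)
#        sh apim_https_audit.sh fix     (report, then enforce https)
case "${1:-}" in
  audit|fix) audit_apim_https "$1" ;;
esac
```

Run it in audit mode first and review the FINDING lines before running fix mode, since switching an API to https only will break any client that still calls the gateway over plain HTTP. The script only changes the client-facing scheme; backends listed with an http:// serviceUrl still need --service-url updated separately.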


Publication date Dec 26, 2023