
Prevent the Exposure of Credentials and Secrets using Encrypted Named Values

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: APIManagement-004

Ensure that all the named values used to define secret data within Azure API Management policies are encrypted in order to prevent the exposure of credentials and secrets.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

You can define secret and confidential information for your Azure API Management services using named values. These are collections of name/value pairs that can be used to manage secrets across API configurations and policies. A named value can hold a plaintext value, a secret encrypted by Azure API Management, or a reference to a secret managed in Azure Key Vault. Storing credentials and secrets as encrypted (Secret or Key vault) named values rather than as plaintext named values keeps the sensitive data out of cleartext service configuration: the value of an encrypted named value is not returned when the configuration is read, whereas a plaintext value is visible to anyone who can view the service. This mitigates the risk of unauthorized access and data breaches, maintaining the confidentiality of crucial data and bolstering overall system integrity.


Audit

To determine if named values are encrypted in Azure API Management, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select API Management service and choose Apply to list only the Microsoft Azure API Management services available in the selected subscription.

05 Click on the name (link) of the Azure API Management service that you want to examine.

06 In the main navigation panel, under APIs, select Named values to access the list of named values defined for the selected service.

07 Click on the name (identifier) of the named value used to define credentials and/or secrets for the selected Azure API Management service.

08 Check the named value type selected from the Type dropdown list. If the type of the named value is Plain, the secret data managed by the selected named value is stored in plaintext, making the data vulnerable to unauthorized access.

09 Repeat steps no. 7 and 8 for each named value that you want to examine, created for the selected Azure API Management service.

10 Repeat steps no. 5 - 9 for each Azure API Management service available within the current Azure subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run apim list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group for each Azure API Management service instance available in the current subscription:

az apim list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested Azure API Management service names:

Name                           ResourceGroup
----------------------         ------------------------------
cc-main-api-service-instance   cloud-shell-storage-westeurope
cc-project5-service-instance   cloud-shell-storage-westeurope

03 Run apim nv list command (Windows/macOS/Linux) using the name of the Azure API Management service instance that you want to examine and its associated resource group as the identifier parameters to list the identifier of each named value created for the selected service:

az apim nv list \
  --service-name cc-main-api-service-instance \
  --resource-group cloud-shell-storage-westeurope \
  --query '[].name'

04 The command output should return the requested named value identifiers:

[
	"APIToken",
	"APIPassCode"
]

05 Run apim nv show command (Windows/macOS/Linux) to determine the type of the named value used to define credentials and/or secrets for the selected Azure API Management service. The value type can be either plain (plaintext) or secret (encrypted):

az apim nv show \
  --service-name cc-main-api-service-instance \
  --resource-group cloud-shell-storage-westeurope \
  --named-value-id APIToken \
  --query 'secret'

06 The command output should return true if the value is stored as a secret (encrypted) and false if the value is stored in plaintext:

false

If the value returned by the apim nv show command output is false, as shown in the example above, the secret data managed by the selected named value is stored in plaintext, making the data vulnerable to unauthorized access.

07 Repeat steps no. 5 and 6 for each named value that you want to examine, created for the selected Azure API Management service.

08 Repeat steps no. 3 - 7 for each Azure API Management service available within the current Azure subscription.

09 Repeat steps no. 1 – 8 for each subscription created in your Microsoft Azure cloud account.
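As an added example (not part of the original rule page), the following Python script automates steps 3 to 7 above for one service: it parses the JSON returned by az apim nv list, separates Key Vault-backed, encrypted and plaintext named values, and flags the plaintext entries whose names suggest credential material. The sample list, the shape of the keyVault field and the name heuristic are assumptions; the audit_service function needs a logged-in Azure CLI.

```python
"""Flag Azure API Management named values that store their data in plaintext."""
import json
import re
import subprocess

# Constructed sample in the shape of `az apim nv list` output (same fields as the
# `az apim nv create` output shown on this page); not output from any real tenant.
SAMPLE_NAMED_VALUES = json.loads("""[
  {"name": "APIToken", "displayName": "api-token", "secret": false, "keyVault": null,
   "value": "constructed-plaintext-token"},
  {"name": "APIPassCode", "displayName": "api-passcode", "secret": true, "keyVault": null,
   "value": null},
  {"name": "APISecretToken", "displayName": "cc-api-secret-token", "secret": true,
   "keyVault": {"secretIdentifier": "https://cc-apim-key-vault.vault.azure.net/secrets/cc-apim-token"},
   "value": null},
  {"name": "BackendUrl", "displayName": "backend-url", "secret": false, "keyVault": null,
   "value": "https://backend.example.invalid"}
]""")

# Name fragments that usually mark credential material (assumed heuristic; tune per tenant).
SECRET_HINT = re.compile(r"token|secret|passw|passcode|api[-_]?key|credential", re.IGNORECASE)

def classify(named_value):
    """Return 'key-vault', 'encrypted' or 'plain' for one named value entry."""
    if named_value.get("keyVault"):
        return "key-vault"
    return "encrypted" if named_value.get("secret") is True else "plain"

def find_plaintext_named_values(named_values):
    """Ids of every named value stored in plaintext (its `secret` flag is false)."""
    return sorted(nv["name"] for nv in named_values if classify(nv) == "plain")

def find_plaintext_secrets(named_values):
    """Plaintext named values whose name suggests a credential: the rule violations."""
    return sorted(nv["name"] for nv in named_values if classify(nv) == "plain"
                  and SECRET_HINT.search(nv["name"] + " " + (nv.get("displayName") or "")))

def audit_service(service_name, resource_group):
    """List one service's named values with `az apim nv list` and return the violations."""
    cmd = ["az", "apim", "nv", "list", "--service-name", service_name,
           "--resource-group", resource_group, "--output", "json"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return find_plaintext_secrets(json.loads(out))

if __name__ == "__main__":
    print("plaintext named values:", find_plaintext_named_values(SAMPLE_NAMED_VALUES))
    print("likely secrets in plaintext:", find_plaintext_secrets(SAMPLE_NAMED_VALUES))
```

Plaintext entries that the heuristic does not flag (BackendUrl in the sample) still deserve a manual look, since only a human knows which named values are referenced as credentials in policies.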

Remediation / Resolution

With Azure API Management named values, secret data can be stored either as encrypted strings or by referencing secrets in Azure Key Vault. To ensure that your named values are encrypted to prevent the exposure of secrets, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select API Management service and choose Apply to list only the Microsoft Azure API Management services available in the selected subscription.

05 Click on the name (link) of the Azure API Management service that you want to access.

06 In the main navigation panel, under APIs, select Named values.

07 Choose + Add to create a new Azure API Management named value for your secret.

08 On the Add named value setup page, perform the following actions:

  1. Provide a unique name for the new named value in the Name box.
  2. For Display name, enter a name that can be used for referencing the property in the API policy.
  3. (Optional) For Tags, choose + to add tags to the new resource.
  4. For Type, choose one of the following options:
    • Select Secret to encrypt the secret value with Azure API Management. For Value, enter the secret value that you want to store with the new named value.
    • Select Key vault, choose Select next to Secret, and select the secret resource created and stored within Azure Key Vault. Choose Select to confirm the selection. To create a new secret with Azure Key Vault, choose Create new key vault and Create new to generate the new secret. Once the Key Vault secret is selected, choose the system-assigned or user-assigned managed identity required to access the Key Vault. To improve API Management service security and achieve regulatory compliance, it is highly recommended to use Key Vault secrets.
  5. Choose Save to apply the changes.

09 Once the new, encrypted named value is referenced in the Azure API Management policy, you can remove the non-compliant named value that holds the secret data in plaintext. On the Named values listing page, choose the non-compliant named value, click on the 3-dot options button, and select Delete. Choose Yes to confirm the resource deletion.

10 Repeat steps no. 5 - 9 for each Azure API Management service available within the current Azure subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run apim nv create command (Windows/macOS/Linux) to create a new named value with the secret value encrypted by Azure API Management. Replace <your-secret-value> with your own secret data:

az apim nv create \
  --resource-group cloud-shell-storage-westeurope \
  --display-name cc-api-secret-token \
  --named-value-id APISecretToken \
  --secret true \
  --service-name cc-main-api-service-instance \
  --value <your-secret-value>

02 The command output should return the information available for the new, encrypted named value:

{
	"displayName": "cc-api-secret-token",
	"id": "/subscriptions/abcd1234-abcd-1234-abcd-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ApiManagement/service/cc-main-api-service-instance/namedValues/APISecretToken",
	"keyVault": null,
	"name": "APISecretToken",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"secret": true,
	"tags": null,
	"type": "Microsoft.ApiManagement/service/namedValues",
	"value": null
}

03 Run the following Azure PowerShell commands to create the required Azure Key Vault secret, then use the New-AzApiManagementNamedValue cmdlet to generate a new named value that references the Key Vault secret as its secret data:

# Create a new Azure Key Vault
New-AzKeyVault -Name "cc-apim-key-vault" -ResourceGroupName "cloud-shell-storage-westeurope" -Location "westeurope"

# Grant the administering user the permissions needed to manage secrets in the new Key Vault
Set-AzKeyVaultAccessPolicy -VaultName "cc-apim-key-vault" -UserPrincipalName "user@domain.com" -PermissionsToSecrets get,list,set

# Convert the plaintext string to a secure string. Replace <your-secret-value> with your own secret data
$SecretValue = ConvertTo-SecureString "<your-secret-value>" -AsPlainText -Force

# Create the Key Vault secret
$secret = Set-AzKeyVaultSecret -VaultName "cc-apim-key-vault" -Name "cc-apim-token" -SecretValue $SecretValue

# Build the API Management context from the service instance name and its associated resource group
$apimServiceInstance = New-AzApiManagementContext -ResourceGroupName "cloud-shell-storage-westeurope" -ServiceName "cc-main-api-service-instance"

# Build the Key Vault reference object for API Management (-SecretIdentifier expects the secret's URI, not the secret object)
$KeyVault = New-AzApiManagementKeyVaultObject -SecretIdentifier $secret.Id

# Create a new named value that references the Key Vault secret. The managed identity of the
# API Management service must be allowed to read (get, list) secrets from this Key Vault, as in step 08 of the console section
$KeyVaultNamedValue = New-AzApiManagementNamedValue -Context $apimServiceInstance -NamedValueId "APISecretToken" -Name "cc-api-secret-token" -KeyVault $KeyVault -Secret

04 Repeat steps no. 1 - 3 for each Azure API Management service available within the current Azure subscription.

05 Repeat steps no. 1 – 4 for each subscription created in your Microsoft Azure cloud account.

Publication date Dec 27, 2023