Unrestricted API Access

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: APIManagement-009

To safeguard your Azure API Management APIs from unauthorized access, restrict network access based on the caller's IP address: configure each API to accept requests only from authorized IP addresses or designated IP address ranges. Unrestricted network access, which permits connections from any IP address, is not recommended. To configure network (IP-based) access for your APIs, the built-in policy named ip-filter must be implemented at the API level, with its action attribute set to "allow" and the trusted addresses listed in address and address-range elements. IP filtering is a network-level control that complements, rather than replaces, API authentication such as subscription keys or JWT validation.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

By filtering incoming requests based on caller IP address in Azure API Management, you reduce the exposed attack surface: requests from unknown or known malicious sources are rejected at the gateway before they reach your backend services, so only traffic from trusted, designated networks is processed. This mitigates potential threats and minimizes the risk of unauthorized access or attacks on your API infrastructure.


Audit

To determine if your Azure API Management APIs allow unrestricted network access, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select API Management service and choose Apply to list only the Microsoft Azure API Management services available in the selected subscription.

05 Click on the name (link) of the Azure API Management service that you want to examine.

06 In the resource navigation panel, under APIs, select APIs to access the list of APIs managed by the selected service.

07 Select the API that you want to examine, listed under All APIs.

08 Choose the Design tab, select All operations from the API menu, and check the Policies section for Inbound processing to determine the inbound policies that modify the request before it is sent to the backend service. If the ip-filter policy is not listed in the Policies section, the built-in policy required for filtering API calls from specific IP addresses is not enabled for the selected API resource, therefore, the access to your API is not restricted to trusted, designated IPs only. If the ip-filter policy is available for Inbound processing, continue the Audit process with the next step.

09 Click on the ip-filter policy and find the ip-filter element that has action set to "allow" (i.e. <ip-filter action="allow">) in the policy definition. If an address element contains 0.0.0.0, or an address-range element starts from 0.0.0.0 (for example from 0.0.0.0 to 255.255.255.255), the access to the selected Azure API Management API is unrestricted.

10 Repeat steps no. 7 - 9 for each API managed by the selected Azure API Management service.

11 Repeat steps no. 5 - 10 for each Azure API Management service available within the current Azure subscription.

12 Repeat steps no. 3 – 11 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run apim list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group for each Azure API Management service instance available in the current subscription:

az apim list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested Azure API Management service names:

Name                           ResourceGroup
----------------------         ------------------------------
cc-main-api-service-instance   cloud-shell-storage-westeurope
cc-project5-service-instance   cloud-shell-storage-westeurope

03 Run apim api list command (Windows/macOS/Linux) using the name of the Azure API Management service instance that you want to examine and its associated resource group as the identifier parameters to list the name of each API managed by the selected service:

az apim api list \
  --service-name cc-main-api-service-instance \
  --resource-group cloud-shell-storage-westeurope \
  --query '[].name'

04 The command output should return the requested Azure API Management API names:

[
	"cc-worker-api",
	"cc-filter-api"
]

05 Run Get-AzApiManagementPolicy PowerShell command (cmdlet) to describe the policies defined at the API level for the selected Azure API Management API:

# Create an API Management context from the resource group and service instance name
$apimServiceInstance = New-AzApiManagementContext -ResourceGroupName "cloud-shell-storage-westeurope" -ServiceName "cc-main-api-service-instance"

# Get the policies defined at the API level for the selected API
Get-AzApiManagementPolicy -Context $apimServiceInstance -ApiId "cc-worker-api"

06 The command output should return the policies configured for the selected API resource:

<policies>
	<inbound>
		<base />
		<ip-filter action="allow">
			<address>0.0.0.0</address>
		</ip-filter>
	</inbound>
	<backend>
		<base />
	</backend>
	<outbound>
		<base />
	</outbound>
	<on-error>
		<base />
	</on-error>
</policies>

Check the <policies></policies> element returned by the Get-AzApiManagementPolicy command output to determine the policies configured for the selected API. For IP-based access, the <inbound></inbound> element must contain an ip-filter policy with the action attribute set to "allow" (i.e. <ip-filter action="allow"></ip-filter>). If this ip-filter policy is not listed in the <policies></policies> element, the built-in policy required for filtering API calls from specific IP addresses is not enabled for the selected API resource; therefore, the access to your API is not restricted to designated IPs only. If the ip-filter policy is available and an address element contains 0.0.0.0, or an address-range element starts from 0.0.0.0, the access to the selected Azure API Management API is unrestricted.

07 Repeat steps no. 5 and 6 for each API managed by the selected Azure API Management service.

08 Repeat steps no. 3 - 7 for each Azure API Management service available within the current Azure subscription.

09 Repeat steps no. 1 – 8 for each subscription created in your Microsoft Azure cloud account.
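The Audit steps above inspect one API's policy XML at a time. The following added example (it is not part of the Conformity page or of Microsoft's tooling) applies the same criteria programmatically to policy documents such as the ones Get-AzApiManagementPolicy returns (save one file per API with its -SaveAs parameter and pass the paths on the command line). The three sample policies and the API name cc-forbid-api are constructed for the example; the other two API names come from the page.

```python
"""Audit Azure API Management API-level policy XML for unrestricted IP access.

Added example, not Conformity's or Microsoft's code. Applies the page's
APIManagement-009 criteria: an API is compliant only when <inbound> holds an
ip-filter with action="allow" that does not admit 0.0.0.0.
"""
import xml.etree.ElementTree as ET

ANY_IPV4 = "0.0.0.0"

# Constructed sample: the non-compliant policy shown in the Audit section.
UNRESTRICTED_POLICY = """\
<policies>
  <inbound>
    <base />
    <ip-filter action="allow">
      <address>0.0.0.0</address>
    </ip-filter>
  </inbound>
  <backend><base /></backend>
  <outbound><base /></outbound>
  <on-error><base /></on-error>
</policies>
"""

# Constructed sample: the compliant policy shown in the Remediation section.
RESTRICTED_POLICY = """\
<policies>
  <inbound>
    <base />
    <ip-filter action="allow">
      <address>10.0.0.45</address>
      <address-range from="10.20.5.30" to="10.20.5.38" />
    </ip-filter>
  </inbound>
  <backend><base /></backend>
  <outbound><base /></outbound>
  <on-error><base /></on-error>
</policies>
"""

# Constructed sample: a forbid-list only. It blocks the listed address but
# still admits every other caller, so it does not satisfy the rule.
FORBID_ONLY_POLICY = """\
<policies>
  <inbound>
    <base />
    <ip-filter action="forbid">
      <address>198.51.100.7</address>
    </ip-filter>
  </inbound>
  <backend><base /></backend>
  <outbound><base /></outbound>
  <on-error><base /></on-error>
</policies>
"""


def ip_filter_status(policy_xml: str) -> str:
    """Classify one API policy document.

    "no-filter": no ip-filter action="allow" is a direct child of <inbound>
    (filters nested under <choose>/<when> apply only conditionally and are
    deliberately not counted as restricting access).
    "unrestricted": an allow-list admits 0.0.0.0 as an address or as the
    start of an address-range.
    "restricted": everything else.
    """
    root = ET.fromstring(policy_xml)
    inbound = root.find("inbound")
    if inbound is None:
        return "no-filter"
    allow_filters = [f for f in inbound.findall("ip-filter") if f.get("action") == "allow"]
    if not allow_filters:
        return "no-filter"
    for ip_filter in allow_filters:
        for address in ip_filter.findall("address"):
            if (address.text or "").strip() == ANY_IPV4:
                return "unrestricted"
        for address_range in ip_filter.findall("address-range"):
            if (address_range.get("from") or "").strip() == ANY_IPV4:
                return "unrestricted"
    return "restricted"


def non_compliant_apis(policies_by_api: dict) -> dict:
    """Return {api_id: status} for every API whose policy fails the check."""
    results = {api_id: ip_filter_status(xml) for api_id, xml in policies_by_api.items()}
    return {api_id: status for api_id, status in results.items() if status != "restricted"}


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Real use: one policy XML file per API, as saved by Get-AzApiManagementPolicy -SaveAs.
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8-sig") as fh:
                print(f"{path}: {ip_filter_status(fh.read())}")
    else:
        samples = {
            "cc-worker-api": UNRESTRICTED_POLICY,
            "cc-filter-api": RESTRICTED_POLICY,
            "cc-forbid-api": FORBID_ONLY_POLICY,  # constructed name
        }
        for api_id, status in non_compliant_apis(samples).items():
            print(f"{api_id}: {status}")
```

Run it without arguments to see the constructed samples classified, or pass the saved policy files for each API after steps 03 to 05 above. Only allow-lists placed directly under <inbound> count, so an ip-filter that only appears inside a conditional block is reported as no-filter and should be reviewed by hand.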

Remediation / Resolution

To allow API calls from specific, trusted IP addresses/IP address ranges only, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select API Management service and choose Apply to list only the Microsoft Azure API Management services available in the selected subscription.

05 Click on the name (link) of the Azure API Management service that you want to access.

06 In the main navigation panel, under APIs, select APIs to access the list of APIs managed by the selected service.

07 Select the API that you want to configure, listed under All APIs.

08 Select the Design tab and choose All operations from the API menu, to apply the policy to all operations.

09 If the ip-filter policy is not enabled for the selected API resource, choose + Add policy from the Inbound processing box, select Filter IP addresses (ip-filter) built-in policy, choose Allowed IPs, select + Add IP filter, add the trusted, designated IP addresses/IP address ranges, and choose Save to apply the changes.

10 If the policy is enabled for the selected API, click on the ip-filter policy and find the ip-filter element that has action set to "allow" (i.e. <ip-filter action="allow">) in the policy definition. Remove 0.0.0.0 from the address and address-range elements, add the IP addresses/IP address ranges that are designated to access your API, and choose Save to apply the changes.

11 Repeat steps no. 7 - 10 for each API managed by the selected Azure API Management service.

12 Repeat steps no. 5 - 11 for each Azure API Management service available within the current Azure subscription.

13 Repeat steps no. 3 – 12 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Configure the ip-filter policy required for filtering API calls from specific, trusted IP addresses and save the policy to an XML document named api-policy.xml. Remove 0.0.0.0 from the address and address-range elements, and add the IP addresses/IP address ranges that are designated to access your API. If your API contains other policies, add them to the api-policy.xml file as well, because the file replaces the entire API-level policy. The following example contains only the ip-filter policy. In this example, API access is allowed to IP address 10.0.0.45 and the inclusive IP address range 10.20.5.30 to 10.20.5.38:

<policies>
	<inbound>
		<base />
		<ip-filter action="allow">
			<address>10.0.0.45</address>
			<address-range from="10.20.5.30" to="10.20.5.38" />
		</ip-filter>
	</inbound>
	<backend>
		<base />
	</backend>
	<outbound>
		<base />
	</outbound>
	<on-error>
		<base />
	</on-error>
</policies>

02 Run Set-AzApiManagementPolicy PowerShell command (cmdlet) to apply the ip-filter policy defined at the previous step to the selected Azure API Management API (the command does not produce an output):

# Create an API Management context from the resource group and service instance name
$apimServiceInstance = New-AzApiManagementContext -ResourceGroupName "cloud-shell-storage-westeurope" -ServiceName "cc-main-api-service-instance"

# Set the ip-filter built-in policy for the selected API using the api-policy.xml file
Set-AzApiManagementPolicy -Context $apimServiceInstance -ApiId "cc-worker-api" -PolicyFilePath "api-policy.xml"

03 Run Get-AzApiManagementPolicy PowerShell command (cmdlet) to describe the policy configured for the selected API at the previous step:

# Create an API Management context from the resource group and service instance name
$apimServiceInstance = New-AzApiManagementContext -ResourceGroupName "cloud-shell-storage-westeurope" -ServiceName "cc-main-api-service-instance"

# Get the policies defined at the API level for the selected API
Get-AzApiManagementPolicy -Context $apimServiceInstance -ApiId "cc-worker-api"

04 The command output should return the policies configured for the selected API resource:

<policies>
	<inbound>
		<base />
		<ip-filter action="allow">
			<address>10.0.0.45</address>
			<address-range from="10.20.5.30" to="10.20.5.38" />
		</ip-filter>
	</inbound>
	<backend>
		<base />
	</backend>
	<outbound>
		<base />
	</outbound>
	<on-error>
		<base />
	</on-error>
</policies>

05 Repeat steps no. 1 - 4 for each API managed by the selected Azure API Management service.

06 Repeat steps no. 1 - 5 for each Azure API Management service available within the current Azure subscription.

07 Repeat steps no. 1 – 6 for each subscription created in your Microsoft Azure cloud account.
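Step 01 of the remediation above asks you to hand-write api-policy.xml, and the ip-filter policy takes ranges as from/to attributes rather than CIDR notation. The following added example (not part of the Conformity page or of Microsoft's tooling) generates a document of exactly the shape shown above from an allow-list given as single IPv4 addresses, dash-separated ranges or CIDR blocks, refuses any entry that would admit 0.0.0.0, and prints the result for redirection into api-policy.xml. IPv6 is not handled here (an assumption of this example), and the allow-list entries are constructed.

```python
"""Generate a compliant api-policy.xml for the Azure APIM ip-filter policy.

Added example, not Conformity's or Microsoft's code. The output has the same
structure as the policy document in the Remediation section; CIDR blocks are
converted to the inclusive from/to range attributes the policy uses.
IPv4 only (assumption for this example).
"""
import ipaddress
import xml.etree.ElementTree as ET

ANY_IPV4 = ipaddress.IPv4Address("0.0.0.0")


def expand_entry(entry: str) -> tuple:
    """Turn one allow-list entry into an inclusive (first, last) IPv4 pair.

    Accepts "10.0.0.45", "10.20.5.30-10.20.5.38" or "203.0.113.0/24".
    Raises ValueError for malformed input, reversed ranges and anything that
    starts at 0.0.0.0, which the audit treats as unrestricted access.
    """
    entry = entry.strip()
    if "-" in entry:
        first_s, last_s = (part.strip() for part in entry.split("-", 1))
        first, last = ipaddress.IPv4Address(first_s), ipaddress.IPv4Address(last_s)
        if first > last:
            raise ValueError(f"range {entry!r} is reversed")
    else:
        network = ipaddress.IPv4Network(entry, strict=False)
        first, last = network[0], network[-1]
    if first == ANY_IPV4:
        raise ValueError(f"{entry!r} would allow all addresses")
    return str(first), str(last)


def is_safe_entry(entry: str) -> bool:
    """True when expand_entry accepts the entry."""
    try:
        expand_entry(entry)
    except ValueError:
        return False
    return True


def build_ip_filter_policy(allowed: list) -> str:
    """Return API-level policy XML whose <inbound> holds an allow-list ip-filter."""
    if not allowed:
        raise ValueError("allow-list must not be empty")
    policies = ET.Element("policies")
    inbound = ET.SubElement(policies, "inbound")
    ET.SubElement(inbound, "base")
    ip_filter = ET.SubElement(inbound, "ip-filter", action="allow")
    for entry in allowed:
        first, last = expand_entry(entry)
        if first == last:
            ET.SubElement(ip_filter, "address").text = first
        else:
            ET.SubElement(ip_filter, "address-range", {"from": first, "to": last})
    # The remaining sections only inherit from the parent scope, as on the page.
    for section in ("backend", "outbound", "on-error"):
        ET.SubElement(ET.SubElement(policies, section), "base")
    ET.indent(policies, space="\t")
    return ET.tostring(policies, encoding="unicode")


if __name__ == "__main__":
    # Constructed allow-list: the page's two entries plus a documentation CIDR block.
    print(build_ip_filter_policy(["10.0.0.45", "10.20.5.30-10.20.5.38", "203.0.113.0/24"]))
```

Redirect the output to api-policy.xml and apply it with Set-AzApiManagementPolicy as in step 02. The generator emits only the ip-filter policy; if the API already carries other inbound, backend, outbound or on-error policies, merge them into the file first, since the file replaces the whole API-level policy.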

Publication date Dec 27, 2023