
Use System-Assigned Managed Identities for Azure API Management Services

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: APIManagement-010

Ensure that your Azure API Management service instances are using system-assigned managed identities in order to allow secure access to other Microsoft Azure protected resources such as Azure Key Vaults. System-assigned managed identities minimize risks, simplify management, and maintain compliance with evolving cloud services.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security
Operational excellence

Using system-assigned managed identities for Azure API Management services enhances security by allowing the API service instances to authenticate and authorize with Azure resources without the need for explicit credentials, reducing the risk associated with credential management and providing a seamless and more secure integration with other cloud services.


Audit

To determine if your Azure API Management services are configured to use system-assigned managed identities, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select API Management service and choose Apply to list only the Microsoft Azure API Management services available in the selected subscription.

05 Click on the name (link) of the Azure API Management service that you want to examine.

06 In the navigation panel, under Security, select Managed identities to access the identity-based settings configured for the selected service instance.

07 Select the System assigned tab and check the configuration setting status available under Status. If Status is set to Off, the selected Azure API Management service instance is not using a system-assigned managed identity.

08 Repeat steps no. 5 – 7 for each Azure API Management service available in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run apim list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group for each Azure API Management service instance available in the current subscription:

az apim list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested Azure API Management service names:

Name                           ResourceGroup
----------------------         ------------------------------
cc-main-api-service-instance   cloud-shell-storage-westeurope
cc-project5-service-instance   cloud-shell-storage-westeurope

03 Run apim show command (Windows/macOS/Linux) using the name of the Azure API Management service instance that you want to examine and its associated resource group as the identifier parameters to determine the identity type configured for the selected instance:

az apim show \
  --name cc-main-api-service-instance \
  --resource-group cloud-shell-storage-westeurope \
  --query 'identity.type'

04 The command output should return the identity type used (system-assigned or user-assigned):

"UserAssigned"

If the apim show command does not return an output, the system-assigned managed identity is not enabled for the selected service instance. If the command output returns "UserAssigned", as shown in the example above, the selected Azure API Management service instance is not using a system-assigned managed identity.

05 Repeat steps no. 3 and 4 for each Azure API Management service available within the current Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.
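The decision rule in steps 3 and 4 (no output means no managed identity at all; "UserAssigned" means the wrong kind) can be applied programmatically to the text that apim show prints. The Python below is an added example, not code from the Conformity page or from the Azure CLI. It consumes the raw standard output of az apim show --query 'identity.type' for each instance; the captured outputs in SAMPLE_AZ_OUTPUT are constructed to mimic that command, the first two instance names are the ones from the table above and the third is made up, and the function also treats the combined type "SystemAssigned, UserAssigned", which Azure reports when both identity kinds are enabled on one instance, as compliant.

```python
"""Evaluate `az apim show --query 'identity.type'` output for the
system-assigned managed identity check (added example, not Conformity code)."""
import json

# Constructed sample: the raw stdout of
#   az apim show --name <name> --resource-group <rg> --query 'identity.type'
# for three hypothetical instances. An empty string models the case where the
# command prints nothing because the instance has no managed identity.
SAMPLE_AZ_OUTPUT = {
    ("cc-main-api-service-instance", "cloud-shell-storage-westeurope"): '"UserAssigned"\n',
    ("cc-project5-service-instance", "cloud-shell-storage-westeurope"): "",
    ("cc-example-service-instance", "cloud-shell-storage-westeurope"): '"SystemAssigned, UserAssigned"\n',
}


def has_system_assigned_identity(query_output: str) -> bool:
    """Return True if the identity type printed by the CLI includes SystemAssigned.

    Possible outputs: nothing (identity is null), "None", "SystemAssigned",
    "UserAssigned", or "SystemAssigned, UserAssigned" (both enabled).
    """
    text = query_output.strip()
    if not text or text == "null":
        # No identity block on the resource: system-assigned identity is off.
        return False
    identity_type = json.loads(text)          # the CLI prints a JSON string
    if not isinstance(identity_type, str):
        return False
    # Split the comma-separated ARM type list and compare case-insensitively.
    kinds = {kind.strip().lower() for kind in identity_type.split(",")}
    return "systemassigned" in kinds


def audit(outputs: dict) -> list:
    """Return (name, resource_group, compliant) for every instance."""
    return [
        (name, rg, has_system_assigned_identity(out))
        for (name, rg), out in outputs.items()
    ]


def non_compliant(outputs: dict) -> list:
    """Names of instances that are not using a system-assigned managed identity."""
    return [name for name, _, ok in audit(outputs) if not ok]


if __name__ == "__main__":
    for name, rg, ok in audit(SAMPLE_AZ_OUTPUT):
        verdict = "OK" if ok else "NON-COMPLIANT (APIManagement-010)"
        print(f"{name} ({rg}): {verdict}")
```

To run this against a real subscription, capture the stdout of the apim show command from step 3 for each instance listed in step 1 and feed it to has_system_assigned_identity; an instance that only reports "UserAssigned", or that prints nothing, is the one to remediate.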

Remediation / Resolution

To ensure that your Azure API Management service instances are configured to use system-assigned managed identities, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select API Management service and choose Apply to list only the Microsoft Azure API Management services available in the selected subscription.

05 Click on the name (link) of the Azure API Management service that you want to configure.

06 In the navigation panel, under Security, select Managed identities to access the identity-based settings configured for the selected service instance.

07 Choose the System assigned tab and select On under Status to enable the system-assigned managed identity for the selected Azure API Management service instance. Choose Yes to confirm the changes. The selected service instance is now registered with Microsoft Entra ID and the managed identity can be configured to allow access to other Azure cloud resources based on your application requirements.

08 Repeat steps no. 5 – 7 for each Azure API Management service that you want to configure, available in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created within your Microsoft Azure cloud account.

Using Azure PowerShell

01 Run Set-AzApiManagement PowerShell command (cmdlet) to enable the system-assigned managed identity for the selected Azure API Management service instance (the command does not produce an output). The service instance is now registered with Microsoft Entra ID and the managed identity can be configured to allow access to other Azure cloud resources based on your application requirements:

# Get the service instance name and associated resource group
$apimServiceInstance = Get-AzApiManagement -ResourceGroupName "cloud-shell-storage-westeurope" -Name "cc-main-api-service-instance"

# Update the service instance to assign the system-assigned managed identity
Set-AzApiManagement -InputObject $apimServiceInstance -SystemAssignedIdentity

02 Repeat step no. 1 for each Azure API Management service that you want to configure, available within the current subscription.

03 Repeat steps no. 1 and 2 for each subscription created in your Microsoft Azure cloud account.

Publication date Dec 27, 2023