Check the TLS Version Configured for API Gateways

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: APIManagement-007

Ensure that your Azure API Management API gateways are not configured to use weak and deprecated TLS protocols such as TLS 1.0 and TLS 1.1. To follow security best practices and protect your APIs from potential exploits that target flaws in older versions of the TLS protocol, ensure that your API gateways are using the latest supported version of TLS.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

The Transport Layer Security (TLS) protocol addresses network security problems such as tampering and eavesdropping between a client and a server. An Azure API Management service supports multiple versions of the TLS protocol to secure API traffic on both the client side and the backend side. Using weak and deprecated TLS protocols increases the opportunities for malicious activity such as Man-in-the-Middle (MITM) and protocol downgrade attacks; therefore, it is strongly recommended to use only the latest TLS version.


Audit

To determine the TLS version(s) configured for your Azure API Management API gateways, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select API Management service and choose Apply to list only the Microsoft Azure API Management services available in the selected subscription.

05 Click on the name (link) of the Azure API Management service that you want to examine.

06 In the navigation panel, under Security, select Protocols + ciphers to access the API gateway's protocol and cipher configuration.

07 Select the Protocols tab and check the Status value for the following protocols, for both client and backend protocols: SSL 3.0, TLS 1.0, and TLS 1.1. If one or more of these protocols are enabled, the API gateway associated with the selected Azure API Management service is configured to use weak and deprecated SSL/TLS protocols.

08 Repeat steps no. 5 – 7 for each Azure API Management service available in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run apim list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group for each Azure API Management service instance available in the current subscription:

az apim list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested Azure API Management service names:

Name                           ResourceGroup
----------------------         ------------------------------
cc-main-api-service-instance   cloud-shell-storage-westeurope
cc-project5-service-instance   cloud-shell-storage-westeurope

03 Run apim show command (Windows/macOS/Linux) using the name of the Azure API Management service instance that you want to examine and its associated resource group as the identifier parameters to describe the protocol and cipher configuration for the API gateway associated with the selected service:

az apim show \
  --name cc-main-api-service-instance \
  --resource-group cloud-shell-storage-westeurope \
  --output yaml \
  --query 'customProperties'

04 The command output should return the requested configuration details:

Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls13: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls13: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168: 'false'

Check the configuration information returned by the apim show command output and identify the outdated SSL/TLS protocols. The outdated protocols have the following suffixes: *.Ssl30, *.Tls10, and *.Tls11. If one or more of these protocols are enabled, i.e. their attribute value is set to 'true', as shown in the example above, the API gateway associated with the selected Azure API Management service is configured to use weak and deprecated SSL/TLS protocols.

05 Repeat steps no. 3 and 4 for each Azure API Management service available within the current Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To ensure that your Azure API Management API gateways don't use weak and deprecated SSL/TLS protocols, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select API Management service and choose Apply to list only the Microsoft Azure API Management services available in the selected subscription.

05 Click on the name (link) of the Azure API Management service that you want to examine.

06 In the navigation panel, under Security, select Protocols + ciphers to access the API gateway's protocol and cipher configuration.

07 Choose the Protocols tab, select the following deprecated protocols from both Client protocol and Backend protocol lists: SSL 3.0, TLS 1.0, and TLS 1.1, and choose Disable. Choose Save to apply the changes. Configuration changes can take from 15 to 45 minutes to apply.

08 Repeat steps no. 5 – 7 for each Azure API Management service that you want to configure, available in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run apim update command (Windows/macOS/Linux) using the name of the Azure API Management service instance that you want to configure and its associated resource group as the identifier parameters to disable deprecated SSL/TLS protocols such as SSL 3.0, TLS 1.0, and TLS 1.1. The following command request example disables TLS 1.0 for client protocols. For backend protocols use Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.[protocol-version] where [protocol-version] is the SSL/TLS version that you want to disable. The changes can take from 15 to 45 minutes to apply:

az apim update \
  --name cc-main-api-service-instance \
  --resource-group cloud-shell-storage-westeurope \
  --set customProperties='{"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10": "false"}' \
  --query 'customProperties'

02 The command output should return the new configuration details:

Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls13: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls13: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168: 'false'

03 Repeat steps no. 1 and 2 for each Azure API Management service that you want to configure, available within the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.
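The following shell script is an added example and not part of this Conformity rule page or of Azure CLI. It parses the customProperties block that audit step 04 returns, lists the deprecated client and backend protocols that are still enabled, and builds the JSON value for the --set customProperties=... argument used in remediation step 01 so that all of them can be disabled in one update. The property names come from the page; the sample block is constructed and stands in for live az apim show output.

```shell
# Added example (not Conformity's or Azure CLI's code): audit and remediate
# deprecated SSL/TLS protocols from the `az apim show --output yaml
# --query customProperties` block, feeding `az apim update --set customProperties=...`.

# Constructed sample in the shape of the audit output. In real use, pipe the
# live `az apim show` output into the functions below instead.
sample_props() {
  cat <<'EOF'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls13: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls13: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168: 'false'
EOF
}

# Read "key: 'value'" lines on stdin; print each client or backend property
# ending in .Ssl30, .Tls10 or .Tls11 whose value is 'true'. Tls13 and the
# cipher/HTTP2 properties are deliberately ignored.
deprecated_enabled() {
  awk -F': ' '$1 ~ /\.(Ssl30|Tls10|Tls11)$/ && $2 ~ /true/ { print $1 }'
}

# Print COMPLIANT or NON_COMPLIANT for the block on stdin (the rule's verdict).
assess() {
  [ -z "$(deprecated_enabled)" ] && echo COMPLIANT || echo NON_COMPLIANT
}

# Emit the JSON object for --set customProperties=... that sets every
# currently enabled deprecated protocol (client and backend) to "false".
disable_deprecated_json() {
  deprecated_enabled | awk '
    { keys[n++] = $0 }
    END {
      printf "{"
      for (i = 0; i < n; i++) printf "%s\"%s\": \"false\"", (i ? ", " : ""), keys[i]
      printf "}\n"
    }'
}

# Demo on the constructed sample: verdict, offending properties, update payload.
sample_props | assess
sample_props | deprecated_enabled
sample_props | disable_deprecated_json
```

Against a live instance, replace sample_props with `az apim show --name NAME --resource-group RG --output yaml --query customProperties`, and pass the generated JSON as `--set customProperties="$(... | disable_deprecated_json)"` to az apim update; as the page notes, the change takes 15 to 45 minutes to apply.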

Publication date Dec 27, 2023