Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Use User-Assigned Managed Identities for Azure API Management Services

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: APIManagement-011

Ensure that your Azure API Management service instances are using user-assigned managed identities for fine-grained control over access permissions.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security
Operational
excellence

In Azure cloud, user-assigned identities encompass a broader range of roles beyond "Read-Only", "Contributor", and "Owner" support. Therefore, Azure API Management services should use user-assigned managed identities to provide granular control over access permissions, enable integration with existing identity systems, and support specific application requirements. User-assigned managed identities offer flexibility in managing identities and access control for Azure API Management service instances, allowing for fine-grained customization based on individual needs.

Audit

To determine if your Azure API Management services are configured to use user-assigned managed identities, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select API Management service and choose Apply to list only the Microsoft Azure API Management services available in the selected subscription.

05 Click on the name (link) of the Azure API Management service that you want to examine.

06 In the navigation panel, under Security, select Managed identities to access the identity-based settings configured for the selected service instance.

07 Select the User assigned tab and check for any user-assigned managed identities associated with the selected resource. If there are no identities listed on this page, instead the following message is displayed: No user assigned managed identities found on this resource, the selected Azure API Management service instance is not using user-assigned managed identities.

08 Repeat steps no. 5 – 7 for each Azure API Management service available in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run apim list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group for each Azure API Management service instance available in the current subscription: 

az apim list
  --output table
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested Azure API Management service names: 

Name                           ResourceGroup
----------------------         ------------------------------
cc-main-api-service-instance   cloud-shell-storage-westeurope
cc-project5-service-instance   cloud-shell-storage-westeurope

03 Run apim show command (Windows/macOS/Linux) using the name of the Azure API Management service instance that you want to examine and its associated resource group as the identifier parameters to determine the identity type configured for the selected instance: 

az apim show
  --name cc-main-api-service-instance
  --resource-group cloud-shell-storage-westeurope
  --query 'identity.type'

04 The command output should return the identity type used (user-assigned or user-assigned): 

"SystemAssigned"

If the apim show command does not return an output, there are no managed identities associated with the selected resource. If the command output returns "SystemAssigned", as shown in the example above, the selected Azure API Management service instance is not using user-assigned managed identities.

05 Repeat steps no. 3 and 4 for each Azure API Management service available within the current Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To ensure that your Azure API Management service instances are configured to use user-assigned managed identities, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select API Management service and choose Apply to list only the Microsoft Azure API Management services available in the selected subscription.

05 Click on the name (link) of the Azure API Management service that you want to configure.

06 In the navigation panel, under Security, select Managed identities to access the identity-based settings configured for the selected service instance.

07 Select the User assigned tab and choose Add from the top menu to add your user-assigned managed identity to the selected Azure API Management service.

08 Select your Azure subscription from the Select a subscription dropdown list and choose the user-assigned managed identity that you want to assign to your Azure API Management service instance, from the User assigned managed identities list. Select the appropriate identity and choose Add to apply the changes.

09 Repeat steps no. 5 – 8 for each Azure API Management service that you want to configure, available in the selected Azure subscription.

10 Repeat steps no. 3 – 9 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run Set-AzApiManagement PowerShell command (cmdlet) to enable and configure a user-assigned managed identity for the selected Microsoft Azure API Management service instance (the command does not produce an output): 

# Get the service instance name and associated resource group
$apimServiceInstance = Get-AzApiManagement -ResourceGroupName "cloud-shell-storage-westeurope" -Name "cc-main-api-service-instance"

# Create a new user-assigned managed identity
$userAssignedIdentity = New-AzUserAssignedIdentity -Name "cc-apim-service-user-identity" -ResourceGroupName "cloud-shell-storage-westeurope"

# Update the service instance to assign the new user-assigned managed identity
$userIdentities = @($userAssignedIdentity.Id)
Set-AzApiManagement -InputObject $apimServiceInstance -UserAssignedIdentity $userIdentities

02 Repeat step no. 1 for each Azure API Management service that you want to configure, available within the current subscription.

03 Repeat steps no. 1 and 2 for each subscription created in your Microsoft Azure cloud account.

References

Publication date Dec 27, 2023

Related APIManagement rules