cloud/azure/apimanagement/azure-apim-https-enforcement-missing.yaml

id: azure-apim-https-enforcement-missing
info:
  name: Azure API Management HTTPS Enforcement Not Configured
  author: princechaddha
  severity: high
  description: |
    Ensure that your Azure API Management APIs are configured to enforce HTTPS for all API calls in order to provide secure, encrypted communication, protect data integrity, user privacy, and comply with industry standards.
  impact: |
    Failure to enforce HTTPS can expose API calls to interception and manipulation, potentially leading to data breaches and compliance issues.
  remediation: |
    Configure all Azure API Management APIs to enforce HTTPS by setting the URL scheme to "https" only in the API settings.
  reference:
    - https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-secure-backend
  tags: cloud,devops,azure,microsoft,apim,azure-cloud-config

flow: |
  code(1);
  for (let Service of iterate(template.serviceList)) {
    Service = JSON.parse(Service);
    set("servicename", Service.name);
    set("resourcegroup", Service.resourceGroup);
    code(2);
    for (let Api of iterate(template.apiList)) {
      set("apiid", Api);
      code(3);
    }
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az apim list --output json --query '[*].{name:name, resourceGroup:resourceGroup}'

    extractors:
      - type: json
        name: serviceList
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az apim api list -g $resourcegroup -n $servicename  --query '[].name'

    extractors:
      - type: json
        name: apiList
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az apim api show --api-id "$apiid" --service-name $servicename --resource-group $resourcegroup --query 'protocols'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "https"

      - type: word
        words:
          - "http"
        negative: true

    extractors:
      - type: dsl
        dsl:
          - '"Service: " + service-name + " API: " + api-id + " does not enforce HTTPS exclusively"'

      - type: dsl
        dsl:
          - stderr
# digest: 4a0a00473045022100ecd14044f77810e641f5b4aa6a0a522e34cd8baa64795b617790ab11d14b657502203a2e97c1b014ee18c5c0456a99edb46a0769507b5c03a61857e99082d85fb547:922c64590222798bb761d5b6d8e72950
accesscontrol + activedirectory + aiservices + aks + apimanagement templates 2024-08-29 19:12:10 +05:30			`id: azure-apim-https-enforcement-missing`
			`info:`
			`name: Azure API Management HTTPS Enforcement Not Configured`
			`author: princechaddha`
			`severity: high`
			`description: \|`
			`Ensure that your Azure API Management APIs are configured to enforce HTTPS for all API calls in order to provide secure, encrypted communication, protect data integrity, user privacy, and comply with industry standards.`
			`impact: \|`
			`Failure to enforce HTTPS can expose API calls to interception and manipulation, potentially leading to data breaches and compliance issues.`
			`remediation: \|`
			`Configure all Azure API Management APIs to enforce HTTPS by setting the URL scheme to "https" only in the API settings.`
			`reference:`
			`- https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-secure-backend`
			`tags: cloud,devops,azure,microsoft,apim,azure-cloud-config`
Revert "chore: update TemplateMan 🤖" This reverts commit c31d574176f2b9e6f8d4fe573a24e7192f808e84. 2025-05-27 10:39:47 +08:00
accesscontrol + activedirectory + aiservices + aks + apimanagement templates 2024-08-29 19:12:10 +05:30			`flow: \|`
			`code(1);`
			`for (let Service of iterate(template.serviceList)) {`
			`Service = JSON.parse(Service);`
			`set("servicename", Service.name);`
			`set("resourcegroup", Service.resourceGroup);`
			`code(2);`
			`for (let Api of iterate(template.apiList)) {`
			`set("apiid", Api);`
			`code(3);`
			`}`
			`}`

			`self-contained: true`
			`code:`
			`- engine:`
			`- sh`
			`- bash`
			`source: \|`
			`az apim list --output json --query '[*].{name:name, resourceGroup:resourceGroup}'`

			`extractors:`
			`- type: json`
			`name: serviceList`
			`internal: true`
			`json:`
			`- '.[]'`

			`- engine:`
			`- sh`
			`- bash`
			`source: \|`
			`az apim api list -g $resourcegroup -n $servicename --query '[].name'`

			`extractors:`
			`- type: json`
			`name: apiList`
			`internal: true`
			`json:`
			`- '.[]'`

			`- engine:`
			`- sh`
			`- bash`
			`source: \|`
			`az apim api show --api-id "$apiid" --service-name $servicename --resource-group $resourcegroup --query 'protocols'`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`words:`
			`- "https"`

			`- type: word`
			`words:`
			`- "http"`
			`negative: true`

			`extractors:`
			`- type: dsl`
			`dsl:`
			`- '"Service: " + service-name + " API: " + api-id + " does not enforce HTTPS exclusively"'`

			`- type: dsl`
			`dsl:`
			`- stderr`
chore: sign templates 🤖 2024-12-01 13:57:55 +00:00			`# digest: 4a0a00473045022100ecd14044f77810e641f5b4aa6a0a522e34cd8baa64795b617790ab11d14b657502203a2e97c1b014ee18c5c0456a99edb46a0769507b5c03a61857e99082d85fb547:922c64590222798bb761d5b6d8e72950`