Azure API Management Service System-Assigned Managed Identity Not Configured
ID: azure-apim-system-assigned-identity-unconfigured
Severity: medium
Author: princechaddha
Tags: cloud,devops,azure,microsoft,api-management,azure-cloud-config
Description
Section titled “Description”Ensure that your Azure API Management service instances are using system-assigned managed identities in order to allow secure access to other Microsoft Azure protected resources such as Azure Key Vaults. Using system-assigned managed identities minimizes risks, simplifies management, and maintains compliance with evolving cloud services.
YAML Source
Section titled “YAML Source”id: azure-apim-system-assigned-identity-unconfiguredinfo: name: Azure API Management Service System-Assigned Managed Identity Not Configured author: princechaddha severity: medium description: | Ensure that your Azure API Management service instances are using system-assigned managed identities in order to allow secure access to other Microsoft Azure protected resources such as Azure Key Vaults. Using system-assigned managed identities minimizes risks, simplifies management, and maintains compliance with evolving cloud services. impact: | If system-assigned managed identities are not enabled for Azure API Management service instances, it may lead to insecure access management and complicates credentials management, increasing the risk of security breaches. remediation: | Enable system-assigned managed identities for your Azure API Management service instances through the Azure portal or by configuring the ARM template of your instance to include a system-assigned identity. reference: - https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-use-managed-service-identity tags: cloud,devops,azure,microsoft,api-management,azure-cloud-config
flow: | code(1); for (let ApiService of iterate(template.apiServiceList)) { ApiService = JSON.parse(ApiService); set("name", ApiService.name); set("resourceGroup", ApiService.resourceGroup); code(2); }
self-contained: truecode: - engine: - sh - bash source: | az apim list --output json --query '[*].{name:name, resourceGroup:resourceGroup}'
extractors: - type: json name: apiServiceList internal: true json: - '.[]'
- engine: - sh - bash source: | az apim show --name "$name" --resource-group "$resourceGroup" --query 'identity.type'
matchers-condition: and matchers: - type: word words: - "UserAssigned" - "none"
extractors: - type: dsl dsl: - 'name + " in " + resourceGroup + " does not have a system-assigned managed identity enabled"'# digest: 4b0a00483046022100f496c2598d8552c0f41009f2add575a7b33bbd99f36cdfe69b39e38992cb69a8022100b61dd7611417eeed2bc46c93477ff56f9c3b0340e93157ee76cd616857bdd699:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/azure/apimanagement/azure-apim-system-assigned-identity-unconfigured.yaml"