API/API management security recommendations

This article lists all the API/API management security recommendations you might see in Microsoft Defender for Cloud.

The recommendations that appear in your environment are based on the resources that you're protecting and on your customized configuration. You can see the recommendations in the portal that apply to your resources.

To learn about actions that you can take in response to these recommendations, see Remediate recommendations in Defender for Cloud.

Azure API recommendations

Microsoft Defender for APIs should be enabled

Description & related policy: Enable the Defender for APIs plan to discover and protect API resources against attacks and security misconfigurations. Learn more

Severity: High

Azure API Management APIs should be onboarded to Defender for APIs

Description & related policy: Onboarding APIs to Defender for APIs requires compute and memory utilization on the Azure API Management service. Monitor performance of your Azure API Management service while onboarding APIs, and scale out your Azure API Management resources as needed.

Severity: High

API endpoints that are unused should be disabled and removed from the Azure API Management service

Description & related policy: As a security best practice, API endpoints that haven't received traffic for 30 days are considered unused, and should be removed from the Azure API Management service. Keeping unused API endpoints might pose a security risk. These might be APIs that should have been deprecated from the Azure API Management service, but have accidentally been left active. Such APIs typically do not receive the most up-to-date security coverage.

Severity: Low

API endpoints in Azure API Management should be authenticated

Description & related policy: API endpoints published within Azure API Management should enforce authentication to help minimize security risk. Authentication mechanisms are sometimes implemented incorrectly or are missing. This allows attackers to exploit implementation flaws and to access data. For APIs published in Azure API Management, this recommendation assesses authentication through verifying the presence of Azure API Management subscription keys for APIs or products where subscription is required, and the execution of policies for validating JWT, client certificates, and Microsoft Entra tokens. If none of these authentication mechanisms are executed during the API call, the API will receive this recommendation.

Severity: High

API management recommendations

API Management subscriptions should not be scoped to all APIs

Description & related policy: API Management subscriptions should be scoped to a product or an individual API instead of all APIs, which could result in excessive data exposure.

Severity: Medium

API Management calls to API backends should not bypass certificate thumbprint or name validation

Description & related policy: API Management should validate the backend server certificate for all API calls. Enable SSL certificate thumbprint and name validation to improve the API security.

Severity: Medium

API Management direct management endpoint should not be enabled

Description & related policy: The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service.

Severity: Low

API Management APIs should use only encrypted protocols

Description & related policy: APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS to ensure security of data in transit.

Severity: High

API Management secret named values should be stored in Azure Key Vault

Description & related policy: Named values are a collection of name and value pairs in each API Management service. Secret values can be stored either as encrypted text in API Management (custom secrets) or by referencing secrets in Azure Key Vault. Reference secret named values from Azure Key Vault to improve security of API Management and secrets. Azure Key Vault supports granular access management and secret rotation policies.

Severity: Medium

API Management should disable public network access to the service configuration endpoints

Description & related policy: To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint.

Severity: Medium

API Management minimum API version should be set to 2019-12-01 or higher

Description & related policy: To prevent service secrets from being shared with read-only users, the minimum API version should be set to 2019-12-01 or higher.

Severity: Medium

API Management calls to API backends should be authenticated

Description & related policy: Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.

Severity: Medium