🪖Cloud Security Baseline for Azure API Management

Cloud Security Baseline for Azure Logic Apps

1. Identity and Access Management

   1. Ensure to use Azure RBAC to manage access to APIM resources, following the principle of least privilege.

   2. Ensure assign roles such as API Management Contributor for managing APIs and Reader for monitoring access.

   3. Ensure to use Microsoft Entra ID(AAD) to secure access to the API Management instance, developer portal, and management APIs.

   4. Ensure to Enforce Multi-Factor Authentication (MFA) for all administrative accounts.

   5. Ensure to Enable System-assigned Managed Identity to securely access other Azure services like Azure Key Vault without using secrets.

2. Network Security

   1. Ensure to deploy APIM with VNet Integration or use Private Endpoints to limit exposure to private networks.

   2. Ensure to disable public access unless explicitly required.

   3. Ensure to Disable HTTP and require HTTPS-only connections for all API traffic.

   4. Ensure to Configure IP Restrictions to allow access only from trusted IP addresses or specific VNets.

3. Data Protection

   1. Ensure to use encryption at rest using Customer-managed keys (CMK) and store the encryption keys to Azure Managed HSM.

   2. Ensure to use TLS 1.2 or higher for all data in transit.

   3. Ensure to Enable log masking to prevent sensitive information from being captured in request and response logs.

4. API Security Controls

   1. Ensure to use OAuth 2.0, OpenID Connect, or JWT validation for API authentication.

   2. Ensure to Implement rate limiting policies to protect against Denial of Service (DoS) attacks.

   3. Ensure to Use quota policies to control API usage.

   4. Ensure to Apply validate-jwt and validate-headers policies to ensure requests conform to expected formats.

5. Logging and Monitoring

   1. Ensure to Enable Diagnostic Logs for tracking API requests, errors, and backend responses.

   2. Ensure to store the logs to Azure Sentinel for centralized logging and analysis.

   3. Monitor API performance using Azure Monitor and Application Insights.

   4. Configure Azure Alerts for critical metrics (e.g., high error rates, unauthorized access attempts).