- Check the TLS Version Configured for API Gateways
Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.
Risk Level: Medium (should be achieved)
Rule ID: APIManagement-007
Ensure that your Azure API Management API gateways are not configured to use weak and deprecated SSL/TLS protocols such as SSL 3.0, TLS 1.0 and TLS 1.1. To follow security best practices and protect your APIs from exploits that target flaws in older versions of the protocol, ensure that your API gateways accept only the latest supported version of TLS, for both client-side and backend connections.
This rule resolution is part of the Conformity .
Security
The Transport Layer Security (TLS) protocol protects traffic between a client and a server against eavesdropping and tampering. An Azure API Management service supports multiple versions of the SSL/TLS protocol to secure API traffic, on both the client side (callers of the gateway) and the backend side (the gateway's connections to your APIs). SSL 3.0, TLS 1.0 and TLS 1.1 are formally deprecated (RFC 7568 and RFC 8996): they cannot negotiate AEAD cipher suites and their CBC-mode suites have known padding-oracle weaknesses (POODLE against SSL 3.0), so leaving them enabled gives an attacker a protocol-downgrade and Man-in-the-Middle (MITM) surface. It is therefore strongly recommended to allow only TLS 1.2 or later.
Audit
To determine the TLS version(s) configured for your Azure API Management API gateways, perform the following actions:
Using Azure Console
01 Sign in to the Azure Management Console.
02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.
04 From the Type filter box, select API Management service and choose Apply to list only the Microsoft Azure API Management services available in the selected subscription.
05 Click on the name (link) of the Azure API Management service that you want to examine.
06 In the navigation panel, under Security, select Protocols + ciphers to access the API gateway's protocol and cipher configuration.
07 Select the Protocols tab and check the Status value of SSL 3.0, TLS 1.0, and TLS 1.1 under both Client protocol and Backend protocol. If one or more of these protocols are enabled on either side, the API gateway associated with the selected Azure API Management service is configured to use weak and deprecated SSL/TLS protocols.
08 Repeat steps no. 5 – 7 for each Azure API Management service available in the selected Azure subscription.
09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run apim list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group for each Azure API Management service instance available in the current subscription:
az apim list --output table --query '[*].{name:name, resourceGroup:resourceGroup}'
02 The command output should return the requested Azure API Management service names:
Name                          ResourceGroup
----------------------------  ------------------------------
cc-main-api-service-instance  cloud-shell-storage-westeurope
cc-project5-service-instance  cloud-shell-storage-westeurope
03 Run apim show command (Windows/macOS/Linux) using the name of the Azure API Management service instance that you want to examine and its associated resource group as the identifier parameters to describe the protocol and cipher configuration for the API gateway associated with the selected service:
az apim show --name cc-main-api-service-instance --resource-group cloud-shell-storage-westeurope --output yaml --query 'customProperties'
04 The command output should return the requested configuration details:
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls13: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls13: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168: 'false'
Check the configuration returned by the apim show command and identify the outdated SSL/TLS protocols: their keys end in .Ssl30, .Tls10 or .Tls11, under Gateway.Security.Protocols (client side) and Gateway.Security.Backend.Protocols (backend side). If one or more of these keys is set to 'true', as in the example above, the API gateway associated with the selected Azure API Management service is configured to use weak and deprecated SSL/TLS protocols. A key that is absent from the output has not been explicitly disabled; confirm its status on the Protocols + ciphers page in the portal rather than assuming the protocol is off.
05 Repeat steps no. 3 and 4 for each Azure API Management service available within the current Azure subscription.
06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.
Remediation / Resolution
To ensure that your Azure API Management API gateways don't use weak and deprecated SSL/TLS protocols, perform the following actions:
Using Azure Console
01 Sign in to the Azure Management Console.
02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.
04 From the Type filter box, select API Management service and choose Apply to list only the Microsoft Azure API Management services available in the selected subscription.
05 Click on the name (link) of the Azure API Management service that you want to examine.
06 In the navigation panel, under Security, select Protocols + ciphers to access the API gateway's protocol and cipher configuration.
07 Choose the Protocols tab, select the following deprecated protocols from both Client protocol and Backend protocol lists: SSL 3.0, TLS 1.0, and TLS 1.1, and choose Disable. Choose Save to apply the changes. Configuration changes can take from 15 to 45 minutes to apply.
08 Repeat steps no. 5 – 7 for each Azure API Management service that you want to configure, available in the selected Azure subscription.
09 Repeat steps no. 3 – 8 for each subscription created within your Microsoft Azure cloud account.
Using Azure CLI
01 Run apim update command (Windows/macOS/Linux) using the name of the Azure API Management service instance that you want to configure and its associated resource group as the identifier parameters to disable deprecated SSL/TLS protocols such as SSL 3.0, TLS 1.0, and TLS 1.1. The following command request example disables TLS 1.0 for client protocols. For backend protocols use the key Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.[protocol-version], where [protocol-version] is Ssl30, Tls10 or Tls11. Note that --set replaces the whole customProperties object with the JSON you supply, so to change one protocol without disturbing the others pass the complete object with every key you want to keep, and re-run az apim show afterwards to confirm the final state. The changes can take from 15 to 45 minutes to apply:
az apim update --name cc-main-api-service-instance --resource-group cloud-shell-storage-westeurope --set customProperties='{"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10": "false"}' --query 'customProperties'
02 The command output should return the new configuration details:
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls13: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls13: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168: 'false'
03 Repeat steps no. 1 and 2 for each Azure API Management service that you want to configure, available within the current subscription.
04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.
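Both CLI procedures above are easy to get subtly wrong by hand: in the audit (step 04 of the CLI audit) a single 'true' among ten keys is missed, and in the remediation (step 01 above) --set replaces the whole customProperties object and can drop keys you meant to keep. The following Python script is an added example for this article (not Conformity's or Microsoft's code). It consumes the JSON printed by az apim show --output json --query customProperties, reports every weak protocol that is enabled or not explicitly disabled, and builds the complete --set payload for az apim update with every existing key carried over. The key names are the ones shown on this page; the service name and resource group in the sample, the constructed sample object itself, and the decision to report an absent key as 'unset' rather than as disabled are assumptions and are labelled as such in the comments.

```python
"""Audit and remediate weak SSL/TLS protocol settings on an Azure API Management
gateway, working from the customProperties object that `az apim show` prints.

Added example for this article (not Conformity's or Microsoft's code). It
never calls Azure: feed it a JSON file produced by
  az apim show --name <svc> --resource-group <rg> --output json --query customProperties
or run it without arguments to use the constructed sample below.
"""
import json
import sys

PREFIX = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security."
# Deprecated protocol versions (SSL 3.0: RFC 7568; TLS 1.0/1.1: RFC 8996).
WEAK_VERSIONS = {"Ssl30": "SSL 3.0", "Tls10": "TLS 1.0", "Tls11": "TLS 1.1"}

# customProperties key -> (side, protocol), using the key names shown in the article.
WEAK_KEYS = {}
for suffix, proto in WEAK_VERSIONS.items():
    WEAK_KEYS[f"{PREFIX}Protocols.{suffix}"] = ("client", proto)
    WEAK_KEYS[f"{PREFIX}Backend.Protocols.{suffix}"] = ("backend", proto)


def is_enabled(value):
    """Values arrive as the strings 'true'/'false' (case varies by tooling).
    Anything else is a parse failure and must not silently count as 'off'."""
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text not in ("true", "false"):
        raise ValueError(f"unexpected customProperties value {value!r}")
    return text == "true"


def audit(custom_properties):
    """Return one finding per weak protocol that is enabled or not explicitly
    disabled. Assumption: an absent key is reported as 'unset' rather than
    treated as safe, because only an explicit 'false' proves the protocol is
    off; confirm such cases on the Protocols + ciphers page in the portal."""
    findings = []
    for key, (side, proto) in WEAK_KEYS.items():
        if key not in custom_properties:
            findings.append({"side": side, "protocol": proto, "state": "unset", "key": key})
        elif is_enabled(custom_properties[key]):
            findings.append({"side": side, "protocol": proto, "state": "enabled", "key": key})
    return findings


def remediate(custom_properties):
    """Return the complete customProperties object to hand to `az apim update`.
    `--set customProperties='{...}'` replaces the whole object, so every
    existing key (HTTP/2, cipher settings, ...) is carried over unchanged and
    only the six weak-protocol keys are forced to 'false'."""
    fixed = dict(custom_properties)
    for key in WEAK_KEYS:
        fixed[key] = "false"
    return fixed


def update_command(name, resource_group, custom_properties):
    """Render the az apim update command line for the remediated object."""
    payload = json.dumps(remediate(custom_properties), separators=(",", ":"))
    return (f"az apim update --name {name} --resource-group {resource_group} "
            f"--set customProperties='{payload}' --query customProperties")


# Constructed sample modelled on the non-compliant output shown in the article.
SAMPLE = {
    f"{PREFIX}Backend.Protocols.Ssl30": "true",
    f"{PREFIX}Backend.Protocols.Tls10": "true",
    f"{PREFIX}Backend.Protocols.Tls11": "true",
    f"{PREFIX}Protocols.Ssl30": "true",
    f"{PREFIX}Protocols.Tls10": "true",
    f"{PREFIX}Protocols.Tls11": "true",
    "Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2": "false",
    f"{PREFIX}Ciphers.TripleDes168": "false",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            props = json.load(fh)
    else:
        props = SAMPLE
    findings = audit(props)
    for f in findings:
        print(f"NON-COMPLIANT: {f['side']} {f['protocol']} is {f['state']} ({f['key']})")
    if findings:
        # Hypothetical service name and resource group, as used in the article's examples.
        print(update_command("cc-main-api-service-instance",
                             "cloud-shell-storage-westeurope", props))
    else:
        print("COMPLIANT: SSL 3.0, TLS 1.0 and TLS 1.1 are disabled for client and backend")
```

Save the az apim show output to a file and pass its path as the only argument; with no argument the script runs against the embedded sample and prints the six findings followed by the ready-to-run az apim update line. Because the update payload is generated from the current object, keys such as Server.Http2 and Ciphers.TripleDes168 keep their present values instead of being silently dropped.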
References
- Azure Official Documentation
- Azure security baseline for API Management
- Manage protocols and ciphers in Azure API Management
- Azure CLI Documentation
- az apim list
- az apim show
- az apim update
Publication date Dec 27, 2023
Related APIManagement rules
- Use User-Assigned Managed Identities for Azure API Management Services (Security, operational-excellence)
- Unrestricted API Access (Security)
- Authorize Developer Accounts by Using Microsoft Entra ID (Security, operational-excellence)
- Secure access to APIs using client certificates (Security)