Azure / PSRule.Rules.Azure

Rules to validate Azure resources and infrastructure as code (IaC) using PSRule.
https://azure.github.io/PSRule.Rules.Azure/
MIT License

Disable weak ciphers for API Management services #1128

Closed BernieWhite closed 2 years ago

BernieWhite commented 2 years ago

Rule request

Suggested rule change

API Management services should disable weak ciphers, including:

Applies to the following

The rule applies to the following:

Sample data

A passing sample:

```json
{
  "comments": "Create or update a API Management service.",
  "type": "Microsoft.ApiManagement/service",
  "apiVersion": "2021-08-01",
  "name": "[parameters('serviceName')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned,UserAssigned",
    "userAssignedIdentities": {
      "[parameters('identityId')]": {}
    }
  },
  "sku": {
    "name": "Developer",
    "capacity": 1
  },
  "properties": {
    "publisherEmail": "[parameters('publisherEmail')]",
    "publisherName": "[parameters('publisherName')]",
    "notificationSenderEmail": "apimgmt-noreply@mail.windowsazure.com",
    "hostnameConfigurations": "[variables('hostnames')]",
    "customProperties": {
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10": "False",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11": "False",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30": "False",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168": "False",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10": "False",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11": "False",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30": "False",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2": "[string(parameters('useHTTP2'))]",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": "false",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "false",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256": "false",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256": "false",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256": "false",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA": "false",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA": "false"
    },
    "virtualNetworkType": "None",
    "disableGateway": false,
    "apiVersionConstraint": {
      "minApiVersion": "2019-12-01"
    },
    "publicNetworkAccess": "Enabled",
    "platformVersion": "stv2"
  },
  "tags": "[parameters('tags')]"
}
```

A failing sample:

```json
{
  "comments": "Create or update a API Management service.",
  "type": "Microsoft.ApiManagement/service",
  "apiVersion": "2021-08-01",
  "name": "[parameters('serviceName')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned,UserAssigned",
    "userAssignedIdentities": {
      "[parameters('identityId')]": {}
    }
  },
  "sku": {
    "name": "Developer",
    "capacity": 1
  },
  "properties": {
    "publisherEmail": "[parameters('publisherEmail')]",
    "publisherName": "[parameters('publisherName')]",
    "notificationSenderEmail": "apimgmt-noreply@mail.windowsazure.com",
    "hostnameConfigurations": "[variables('hostnames')]",
    "customProperties": {
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10": "False",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11": "False",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30": "False",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168": "False",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10": "False",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11": "False",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30": "False",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2": "[string(parameters('useHTTP2'))]",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": "true",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "true",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256": "true",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256": "true",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256": "true",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA": "true",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA": "true"
    },
    "virtualNetworkType": "None",
    "disableGateway": false,
    "apiVersionConstraint": {
      "minApiVersion": "2019-12-01"
    },
    "publicNetworkAccess": "Enabled",
    "platformVersion": "stv2"
  },
  "tags": "[parameters('tags')]"
}
```

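The check the rule request describes, written out as an added stand-alone Python example (it is not PSRule.Rules.Azure's own implementation of Azure.APIM.Ciphers): it takes an ARM resource, or a whole template, and reports every cipher key from the samples above that is not explicitly set to "false", comparing values case-insensitively because one sample uses "False" and the other "false". The key list, the trimmed sample resources, and the decision to report a missing key or an unresolved template expression as a finding are this example's own assumptions.

```python
"""Weak-cipher check for API Management resources in an ARM template.

Added example, not the PSRule.Rules.Azure implementation of Azure.APIM.Ciphers.
A resource passes only when every key in WEAK_CIPHER_KEYS is explicitly "false".
"""
from __future__ import annotations

import json

APIM_TYPE = "microsoft.apimanagement/service"
CIPHER_PREFIX = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers."

# Cipher-related customProperties keys taken from the issue's sample resources.
# (Assumption of this example: this is the full set the rule should cover.)
WEAK_CIPHER_KEYS = [
    CIPHER_PREFIX + "TripleDes168",
    CIPHER_PREFIX + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    CIPHER_PREFIX + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    CIPHER_PREFIX + "TLS_RSA_WITH_AES_128_GCM_SHA256",
    CIPHER_PREFIX + "TLS_RSA_WITH_AES_256_CBC_SHA256",
    CIPHER_PREFIX + "TLS_RSA_WITH_AES_128_CBC_SHA256",
    CIPHER_PREFIX + "TLS_RSA_WITH_AES_256_CBC_SHA",
    CIPHER_PREFIX + "TLS_RSA_WITH_AES_128_CBC_SHA",
]


def is_apim_service(resource: dict) -> bool:
    """ARM resource types are case-insensitive, so compare lower-cased."""
    return str(resource.get("type", "")).lower() == APIM_TYPE


def weak_cipher_findings(resource: dict) -> list[str]:
    """Return the weak-cipher keys that are not explicitly disabled on this resource.

    Values are strings in ARM ("False" in one sample, "false" in the other), so the
    comparison is case-insensitive. A key that is missing, or whose value is an
    unresolved template expression such as "[parameters('x')]", is reported too:
    this example assumes only a literal "false" proves the cipher is disabled.
    """
    if not is_apim_service(resource):
        return []
    custom = resource.get("properties", {}).get("customProperties") or {}
    # Property names are matched case-insensitively as well.
    values = {str(k).lower(): str(v).strip().lower() for k, v in custom.items()}
    return [key for key in WEAK_CIPHER_KEYS if values.get(key.lower()) != "false"]


def evaluate_template(template_json: str) -> dict[str, list[str]]:
    """Map each APIM service in a template (or a bare resource) to its findings."""
    doc = json.loads(template_json)
    resources = doc.get("resources") if "resources" in doc else [doc]
    return {
        str(res.get("name", "<unnamed>")): weak_cipher_findings(res)
        for res in resources
        if is_apim_service(res)
    }


def build_sample(name: str, cipher_value: str) -> dict:
    """Constructed sample resource trimmed to the fields the check reads."""
    custom = {
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10": "False",
        CIPHER_PREFIX + "TripleDes168": "False",
    }
    # Every cipher key except TripleDes168 takes the requested value, as in the samples.
    for key in WEAK_CIPHER_KEYS[1:]:
        custom[key] = cipher_value
    return {
        "type": "Microsoft.ApiManagement/service",
        "apiVersion": "2021-08-01",
        "name": name,
        "properties": {"customProperties": custom},
    }


PASSING_RESOURCE = build_sample("apim-pass", "false")
FAILING_RESOURCE = build_sample("apim-fail", "true")

if __name__ == "__main__":
    template = json.dumps({"resources": [PASSING_RESOURCE, FAILING_RESOURCE]})
    for name, findings in evaluate_template(template).items():
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for key in findings:
            print("  weak cipher still enabled:", key[len(CIPHER_PREFIX):])
```

Run as a script it prints PASS for the trimmed passing sample and FAIL plus the seven enabled cipher names for the failing one; pointing `evaluate_template` at a real exported template works the same way, since only `type`, `name` and `properties.customProperties` are read.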
pamelafox commented 1 year ago

@BernieWhite Is it possible to add an example of valid ARM/Bicep to this doc? https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.APIM.Ciphers/

It took me a while to find this issue and then more time to figure out how to use the properties in Bicep (didn't realize quotes were required). I used this Bicep example: https://raw.githubusercontent.com/Azure/azure-quickstart-templates/91fbf3bd52d22765016b6a61bd6d5bb02beb8ed1/quickstarts/microsoft.apimanagement/api-management-create-with-internal-vnet-publicip/main.bicep

BernieWhite commented 1 year ago

@pamelafox Great suggestion, and good callout. We know the docs for API Management rules need some updates. We definitely want to include an example in ARM/Bicep, so I've cross-referenced this in issue #867, which deals with the docs updates, so we can track this feedback.