Ensure that your Azure API Management API gateways are not configured to use weak or deprecated TLS ciphers for client and backend communication. The following TLS ciphers are considered weak or deprecated:
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_3DES_EDE_CBC_SHA (TRIPLE DES)
Weak or deprecated ciphers are vulnerable to known attacks and can expose sensitive data to unauthorized parties. Ensuring that Azure API Management API gateways are not configured to use vulnerable TLS ciphers is crucial for maintaining a secure and compliant API infrastructure.
Audit
To determine the TLS ciphers configured for your Azure API Management API gateways, perform the following actions:
Getting the TLS ciphers configured for Azure API Management API gateways via Azure Command Line Interface (Azure CLI) is not currently supported.
Remediation / Resolution
To ensure that your Azure API Management API gateways don't use weak or deprecated TLS ciphers, perform the following actions:
IMPORTANT: Disabling TLS ciphers may break client or backend connectivity.
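An added example (not from the original page or from Azure tooling) of the audit described above: it reads an API Management service resource as a dictionary and reports the state of each cipher listed on this page. It assumes the cipher toggles appear under `properties.customProperties` with the `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.` key prefix; the sample resource is constructed, and treating an unset key as non-compliant is a choice of this example.

```python
# Assumption: ARM exposes gateway cipher toggles as customProperties keys with this prefix.
PREFIX = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers."

# The weak or deprecated ciphers listed on this page.
WEAK_CIPHERS = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
# Triple DES is toggled through its own key suffix rather than the cipher name.
KEY_SUFFIX = {"TLS_RSA_WITH_3DES_EDE_CBC_SHA": "TripleDes168"}

def audit_ciphers(resource):
    """Map each listed cipher to 'disabled', 'enabled' or 'unset'."""
    props = (resource.get("properties") or {}).get("customProperties") or {}
    report = {}
    for cipher in WEAK_CIPHERS:
        value = props.get(PREFIX + KEY_SUFFIX.get(cipher, cipher))
        if value is None:
            report[cipher] = "unset"  # service default applies; needs review
        elif str(value).strip().lower() == "false":
            report[cipher] = "disabled"
        else:
            report[cipher] = "enabled"
    return report

def is_compliant(resource):
    """Choice of this example: pass only if every cipher is explicitly disabled."""
    return all(state == "disabled" for state in audit_ciphers(resource).values())

# Constructed sample resource (hypothetical service name, trimmed to relevant fields).
SAMPLE = {
    "name": "apim-example",
    "properties": {"customProperties": {
        PREFIX + "TripleDes168": "False",
        PREFIX + "TLS_RSA_WITH_AES_128_CBC_SHA": "false",
        PREFIX + "TLS_RSA_WITH_AES_256_CBC_SHA": "true",
    }},
}

if __name__ == "__main__":
    for cipher, state in audit_ciphers(SAMPLE).items():
        print(f"{state:8}  {cipher}")
    print("compliant:", is_compliant(SAMPLE))
```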
You are auditing:
Check the Cipher Suites Configured for API Gateways
Risk Level: Medium