An Azure API Management (APIM) service instance is a managed API gateway that fronts, secures, and routes traffic to a business function's backend APIs, holding gateway policies, named-value secrets, certificates, custom domains, and developer/subscription identities.

The gateway sits on the public-facing path of an organizational function's APIs and can hold credential material (named values, certificates, subscription keys) and a managed identity; treat it as a single-function production service of HIGH sensitivity.


Microsoft.ApiManagement/service/backup/action

Backing up to an attacker-provided storage account exports the full service state including named-value secrets, certificates, and subscription keys (crypto) alongside policies and configuration data (data).

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https://azure.permissions.cloud/iam/Microsoft.ApiManagement
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog