services / Azure / API operation policies configuration
The policy configuration (an XML pipeline of inbound/backend/outbound rules) applied to a single API operation, controlling authentication, authorization, IP filtering, rate limiting, request/response transformation, and backend routing.
APIM policies are the gateway's security and traffic-control enforcement layer for an endpoint; they are processing policies, not Azure IAM/RBAC.
Microsoft.ApiManagement/service/workspaces/apis/Operations/Policies/write
Setting the operation policy lets an attacker disable auth/JWT-validation/IP-filter/rate-limit defenses, rewrite request/response handling and backend routing, and inject log-to/send-request directives that mirror request and response data through the gateway to an attacker-controlled sink.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security