services / Azure / API policies configuration
The policy configuration (XML pipeline of inbound/backend/outbound rules) applied at the whole API level, controlling authentication, authorization, IP filtering, rate limiting, request/response transformation, and backend routing for all of the API's operations.
APIM policies are the gateway's security and traffic-control enforcement layer for an API; they are request-processing policies evaluated by the gateway, not Azure IAM/RBAC, so deleting them does not change who holds Azure permissions but does remove the controls applied to API traffic.
Microsoft.ApiManagement/service/workspaces/apis/Policies/delete
Deleting the API-level policy strips the enforced security controls (authentication, IP filtering, rate limiting, validation) protecting every operation of the API and reverts request handling to the gateway's default behavior, weakening defenses and altering operational behavior.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Links
Contributed by P0 Security