services / Azure / API policies configuration

The policy configuration (an XML pipeline of inbound, backend and outbound rules) applied at the whole-API level. It controls authentication, authorization, IP filtering, rate limiting, request/response transformation, and backend routing for all of the API's operations.

APIM policies are the gateway's security and traffic-control enforcement layer for an API; they are request-processing policies evaluated by the gateway, not Azure IAM/RBAC.

Microsoft.ApiManagement/service/workspaces/apis/Policies/delete

Deleting the API-level policy strips the enforced security controls (authentication, IP filtering, rate limiting, validation) that protect every operation of the API and reverts request handling to the gateway's default behavior, weakening defenses and altering operational behavior.

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https://azure.permissions.cloud/iam/Microsoft.ApiManagement
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog