azure-apim-system-assigned-identity-unconfigured: Azure API Management Service System-Assigned Managed Identity Not Configured

日期: 2025-08-01 | 影响软件: Azure API Management Service System Assigned Managed Identity | POC: 已公开

漏洞描述

Ensure that your Azure API Management service instances are using system-assigned managed identities in order to allow secure access to other Microsoft Azure protected resources such as Azure Key Vaults. Using system-assigned managed identities minimizes risks, simplifies management, and maintains compliance with evolving cloud services.

PoC代码[已公开]

id: azure-apim-system-assigned-identity-unconfigured
info:
  name: Azure API Management Service System-Assigned Managed Identity Not Configured
  author: princechaddha
  severity: medium
  description: |
    Ensure that your Azure API Management service instances are using system-assigned managed identities in order to allow secure access to other Microsoft Azure protected resources such as Azure Key Vaults. Using system-assigned managed identities minimizes risks, simplifies management, and maintains compliance with evolving cloud services.
  impact: |
    If system-assigned managed identities are not enabled for Azure API Management service instances, it may lead to insecure access management and complicates credentials management, increasing the risk of security breaches.
  remediation: |
    Enable system-assigned managed identities for your Azure API Management service instances through the Azure portal or by configuring the ARM template of your instance to include a system-assigned identity.
  reference:
    - https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-use-managed-service-identity
  tags: cloud,devops,azure,microsoft,api-management,azure-cloud-config

flow: |
  code(1);
  for (let ApiService of iterate(template.apiServiceList)) {
    ApiService = JSON.parse(ApiService);
    set("name", ApiService.name);
    set("resourceGroup", ApiService.resourceGroup);
    code(2);
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az apim list --output json --query '[*].{name:name, resourceGroup:resourceGroup}'

    extractors:
      - type: json
        name: apiServiceList
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az apim show --name "$name" --resource-group "$resourceGroup" --query 'identity.type'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "UserAssigned"
          - "none"

    extractors:
      - type: dsl
        dsl:
          - 'name + " in " + resourceGroup + " does not have a system-assigned managed identity enabled"'
# digest: 4b0a00483046022100f496c2598d8552c0f41009f2add575a7b33bbd99f36cdfe69b39e38992cb69a8022100b61dd7611417eeed2bc46c93477ff56f9c3b0340e93157ee76cd616857bdd699:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./cloud/azure/apimanagement/azure-apim-system-assigned-identity-unconfigured.yaml