Framework/Configurations/SVT/Services/APIConnection.json

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
{
  "FeatureName": "APIConnection",
  "Reference": "aka.ms/azsktcp/logicapps",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_APIConnection_AuthN_Connectors_Use_AAD",
      "Description": "Logic App connectors must use AAD-based authentication wherever possible",
      "Id": "APIConnection110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckConnectorsAADAuth",
      "Rationale": "Using the native enterprise directory for authentication ensures that there is a built-in high level of assurance in the user identity established for subsequent access control. All Enterprise subscriptions are automatically associated with their enterprise directory (xxx.onmicrosoft.com) and users in the native directory are trusted for authentication to enterprise subscriptions.",
      "Recommendation": "For HTTP based connectors, refer: https://docs.microsoft.com/en-us/azure/connectors/connectors-native-http#azure-active-directory-oauth-authentication. For other connectors you must manually verify that AAD authentication is used for connectors that support it.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthN"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_APIConnection_DP_Encrypt_Data_In_Transit",
      "Description": "Data transit across connectors must use encrypted channel",
      "Id": "APIConnection120",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckConnectorsEncryptionInTransit",
      "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer man-in-the-middle, eavesdropping, session-hijacking attacks.",
      "Recommendation": "Use HTTPS URI in HTTP-based connectors. For connectors which are HTTP-based, use HTTPS URLs. For other connectors you must manually verify that encrypted connections are used by the connector protocol.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP"
      ],
      "Enabled": true
    }
  ]
}