Merge pull request #914 from Azure/srpadala-apim-0920
Added 7 Graph queries to APIM checklist
erjosito authored Oct 23, 2024
2 parents 1aa13a7 + 3d3690d commit 3b294b2
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions checklists/apim_checklist.en.json
@@ -139,6 +139,7 @@
"waf": "Reliability",
"guid": "beae759e-4ddb-4326-bf26-47f87d3454b6",
"severity": "Medium",
"graph": "resources | where type == 'microsoft.apimanagement/service' | extend compliant = ( sku.name == 'Premium' and isnotnull(properties.additionalLocations)) | distinct id, compliant",
"link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region"
},
{
@@ -149,6 +150,7 @@
"waf": "Reliability",
"guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044",
"severity": "Medium",
"graph": "resources | where type == 'microsoft.apimanagement/service' | extend compliant = ( sku.name == 'Premium' and isnotnull(zones) and sku.capacity >= 2 ) | distinct id, compliant",
"link": "https://learn.microsoft.com/azure/api-management/high-availability"
},
{
@@ -209,6 +211,7 @@
"text": "Configure autoscaling to scale out the number of instances when the load increases",
"guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5",
"severity": "Medium",
"graph": "resources | where type == 'microsoft.apimanagement/service' | join kind = leftouter (resources | where type == 'microsoft.insights/autoscalesettings' | extend targetResourceUri = tostring(properties.targetResourceUri)) on $left.id == $right.targetResourceUri | extend compliant = (sku.name == 'Premium' and isnotempty(targetResourceUri) and properties1.enabled == true) | distinct id, compliant",
"link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale"
},
{
@@ -290,6 +293,7 @@
"text": "Deploy the service within a Virtual Network (VNet)",
"guid": "cd45c90e-7690-4753-930b-bf290c69c074",
"severity": "Medium",
"graph": "resources | where type == 'microsoft.apimanagement/service' | extend compliant = (isnotnull(properties.virtualNetworkConfiguration)) | distinct id, compliant",
"link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration"
},
{
@@ -310,6 +314,7 @@
"text": "Deploy Private Endpoints to filter incoming traffic when APIM is not deployed to a VNet.",
"guid": "67437a28-2721-4a2c-becd-caa54c8237a5",
"severity": "Medium",
"graph": "resources | where type == 'microsoft.apimanagement/service' | extend compliant = (properties.virtualNetworkType == 'None' and isnotnull(properties.privateEndpointConnections)) | distinct id, compliant",
"link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link"
},
{
@@ -320,6 +325,7 @@
"text": "Disable Public Network Access",
"guid": "d698adbd-3288-44cb-b10a-9b572da395ae",
"severity": "High",
"graph": "resources | where type == 'microsoft.apimanagement/service' | extend compliant = (properties.virtualNetworkType == 'Internal') | distinct id, compliant",
"link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access"
},
{
@@ -430,6 +436,7 @@
"text": "Use managed identities to authenticate to other Azure resources whenever possible",
"guid": "791abd8b-7706-4e31-9569-afefde724be3",
"severity": "Medium",
"graph": "resources | where type == 'microsoft.apimanagement/service' | extend compliant = (isnotnull(identity)) | distinct id, compliant",
"link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities"
},
{
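Review bot: The query added for "Disable Public Network Access" (guid d698adbd-3288-44cb-b10a-9b572da395ae, severity High) tests `properties.virtualNetworkType == 'Internal'`, which is the VNet injection mode rather than the public-access setting that the item text and its linked baseline section describe. As written, a service that is reached through private endpoints with public access switched off would be reported as non-compliant, and the result says nothing about the `publicNetworkAccess` property itself. Consider `extend compliant = (properties.publicNetworkAccess =~ 'Disabled' or properties.virtualNetworkType =~ 'Internal')`, after confirming the property values against the resource schema. The private-endpoint query in the preceding hunk has a related gap: `isnotnull(properties.privateEndpointConnections)` is presumably also true for an empty array, so `array_length(properties.privateEndpointConnections) > 0` would be the stricter test, and it marks every VNet-injected service as non-compliant even though the item only applies when no VNet is used.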
