Check: SRG-APP-000141-API-000240
Application Programming Interface (API) SRG:
SRG-APP-000141-API-000240
(in version v1 r1)
Title
API keys must be configured with usage restrictions. (Cat II impact)
Discussion
Requiring every API key to have restrictions for both the applications and the specific set of APIs minimizes the attack surface and ensures that each key is used only in the intended context. By limiting an API key's use to specific IP addresses, devices, or applications (e.g., mobile apps, web apps), the risk of unauthorized access is greatly reduced, even if a key is compromised. It prevents malicious actors from using stolen keys on untrusted platforms or for unapproved purposes, such as accessing sensitive data or performing actions outside the scope of the original API access. Restricting an API key to only the necessary APIs or endpoints reduces the potential damage if a key is leaked. It ensures each API key has minimal privileges (principle of least privilege), limiting what it can do or access. This granular control helps enforce better access management and facilitates audit trails by defining clear boundaries for how keys should behave.
Check Content
Review the API key configurations. If any API keys lack defined usage restrictions (IP address filtering, endpoint access limitations, and environment scoping), this is a finding.
Fix Text
Update the API key configurations to include appropriate usage restrictions (limiting access by IP address, allowed endpoints, request methods, and environment scope) in accordance with organizationally defined standards.
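To make the check above mechanical, the following added example (not part of the SRG and not any vendor's tooling) audits a set of API key configurations for the restrictions named in the Check Content and Fix Text; the configuration schema with allowed_ips, allowed_endpoints, allowed_methods and environment fields, and the sample keys, are constructed assumptions.

```python
"""Audit API key configurations for the usage restrictions this SRG requires.
Added example: the field names and sample keys below are assumptions, not a
real product's format."""
import ipaddress
from typing import Dict, List

# Every key must carry all four restriction types, per the Fix Text.
REQUIRED = ("allowed_ips", "allowed_endpoints", "allowed_methods", "environment")


def audit_key(key_id: str, cfg: Dict) -> List[str]:
    """Return findings for one key; an empty list means the key is compliant."""
    findings = []
    for field in REQUIRED:
        if not cfg.get(field):
            findings.append(f"{key_id}: missing restriction '{field}'")
    # An IP allow-list that covers the whole address space is not a restriction.
    for cidr in cfg.get("allowed_ips", []):
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"{key_id}: invalid CIDR '{cidr}'")
            continue
        if net.prefixlen == 0:
            findings.append(f"{key_id}: allowed_ips '{cidr}' permits any address")
    # Wildcard endpoints or methods likewise defeat least privilege.
    if "*" in cfg.get("allowed_endpoints", []):
        findings.append(f"{key_id}: allowed_endpoints contains wildcard '*'")
    if "*" in cfg.get("allowed_methods", []):
        findings.append(f"{key_id}: allowed_methods contains wildcard '*'")
    return findings


def audit_keys(keys: Dict[str, Dict]) -> List[str]:
    """Audit every key in a key-id -> configuration mapping."""
    findings = []
    for key_id, cfg in keys.items():
        findings.extend(audit_key(key_id, cfg))
    return findings


# Constructed sample configurations: one compliant key, one that is a finding.
SAMPLE_KEYS = {
    "mobile-app-key": {
        "allowed_ips": ["203.0.113.0/24"],
        "allowed_endpoints": ["/v1/orders", "/v1/profile"],
        "allowed_methods": ["GET", "POST"],
        "environment": "prod",
    },
    "legacy-key": {"allowed_ips": ["0.0.0.0/0"], "allowed_endpoints": ["*"]},
}

if __name__ == "__main__":
    for line in audit_keys(SAMPLE_KEYS):
        print("FINDING", line)
```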
Additional Identifiers
Rule ID: SV-274556r1143589_rule
Vulnerability ID: V-274556
Group Title: SRG-APP-000141
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000381 | Configure the system to provide only organization-defined mission essential capabilities. |
Controls
| Number | Title |
|---|---|
| CM-7 | Least Functionality |