Title

Access to API privileged features and functions must be restricted. (Cat II impact)

Discussion

Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals that do not possess appropriate authorizations. One method to meet this requirement is to separate APIs into roles and functions to limit access based on need.

Check Content

Review access controls for API privileged features and functions (administrative operations, configuration management, data modification, and access to sensitive information). If unauthorized users can access any of these privileged capabilities, this is a finding.

Fix Text

Build or configure the API to Implement and enforce access controls that restrict privileged API features and functions (administrative actions, configuration changes, data modification, and sensitive data access) to authorized users only.

Additional Identifiers

Rule ID: SV-274643r1143676_rule

Vulnerability ID: V-274643

Group Title: SRG-APP-000340

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.