← Back to Application Programming Interface (API) Security Requirements Guide

V-274643

CAT II (Medium)

Access to API privileged features and functions must be restricted.

Rule ID

SV-274643r1143676_rule

STIG

Application Programming Interface (API) Security Requirements Guide

Version

V1R1

CCIs

CCI-002235

Discussion

Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals that do not possess appropriate authorizations. One method to meet this requirement is to separate APIs into roles and functions to limit access based on need.

Check Content

Review access controls for API privileged features and functions (administrative operations, configuration management, data modification, and access to sensitive information).

If unauthorized users can access any of these privileged capabilities, this is a finding.

Fix Text

Build or configure the API to Implement and enforce access controls that restrict privileged API features and functions (administrative actions, configuration changes, data modification, and sensitive data access) to authorized users only.