Terraform Developer Portal Anonymous Access
Description
Detects when Azure API Management Developer Portal is configured to allow anonymous access, either by having no authentication methods defined or by explicitly disabling authentication. This creates a security risk by potentially exposing API documentation and testing features to unauthorized users.
Detection Strategy
• Check for 'azurerm_api_management' resources in Terraform configurations
• Flag resources that have no 'sign_in' block configured, indicating no authentication methods are defined
• For resources with 'sign_in' blocks, check if authentication is explicitly disabled via 'enabled = false'
• Report a vulnerability if either condition is met - missing authentication or disabled authentication
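The four-step strategy above, implemented as an added example (not Fluid Attacks' own scanner) over a constructed Terraform snippet; it locates each `azurerm_api_management` resource by brace matching and applies both checks, missing `sign_in` block and `enabled = false`:

```python
import re

# Constructed sample (not from the page): two vulnerable APIM resources,
# one secure one, and one unrelated resource that must be skipped.
SAMPLE_TF = '''
resource "azurerm_api_management" "no_signin" {
  sku_name = "Developer_1"
}
resource "azurerm_api_management" "signin_off" {
  sign_in {
    enabled = false
  }
}
resource "azurerm_api_management" "signin_on" {
  sign_in {
    enabled = true
  }
}
resource "azurerm_resource_group" "rg" {
  name = "example-resources"
}
'''

RESOURCE_RE = re.compile(r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{')


def _block_body(text, start):
    """Return the text inside the brace block whose '{' sits at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in Terraform input")


def find_anonymous_portals(tf_text):
    """Return [(resource_name, reason)] for every APIM resource that allows anonymous access."""
    findings = []
    for m in RESOURCE_RE.finditer(tf_text):
        if m.group("type") != "azurerm_api_management":
            continue  # step 1: only APIM resources are in scope
        body = _block_body(tf_text, m.end() - 1)
        sign_in = re.search(r"\bsign_in\s*\{", body)
        if sign_in is None:  # step 2: no authentication method defined
            findings.append((m.group("name"), "no sign_in block"))
            continue
        enabled = re.search(r"\benabled\s*=\s*(true|false)", _block_body(body, sign_in.end() - 1))
        if enabled is None or enabled.group(1) == "false":  # step 3: explicitly disabled
            findings.append((m.group("name"), "sign_in.enabled is not true"))
    return findings  # step 4: each entry is one reportable finding
```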
Vulnerable code example

```hcl
# Azure API Management with Developer SKU - not suitable for production
resource "azurerm_api_management" "vulnerable" {
  name                = "example-apim"
  location            = "westus2"
  resource_group_name = "example-resources"
  publisher_name      = "Example Corp"
  publisher_email     = "contact@example.com"
  ...
```

✅ Secure code example
```hcl
resource "azurerm_api_management" "safe" {
  name                = "example-apim"
  location            = "westus2"
  resource_group_name = "example-resources"
  publisher_name      = "Example Corp"
  publisher_email     = "contact@example.com"
  sku_name            = "Premium_1" # Use Premium SKU for production-grade security features
  ...
```