Access to API privileged features and functions must be restricted.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-274643 | SRG-APP-000340-API-000675 | SV-274643r1143676_rule | CCI-002235 | medium |
| Description | ||||
| Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals that do not possess appropriate authorizations. One method to meet this requirement is to separate APIs into roles and functions to limit access based on need. | ||||
| STIG | Date | |||
| Application Programming Interface (API) Security Requirements Guide | 2025-09-24 | |||
Related Frameworks
3 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
AC-6(10)
1.00
- DISA · V1R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1711 mapping
3.1.7
1.00
- DISA · V1R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-002235
1.00
- DISA · V1R1 · disa_xccdf · related
Details
Check Text (C-274643r1143676_chk)
Review access controls for API privileged features and functions (administrative operations, configuration management, data modification, and access to sensitive information).
If unauthorized users can access any of these privileged capabilities, this is a finding.
Fix Text (F-78649r1143468_fix)
Build or configure the API to Implement and enforce access controls that restrict privileged API features and functions (administrative actions, configuration changes, data modification, and sensitive data access) to authorized users only.