Requiring every API key to carry restrictions on both the applications that may present it and the specific set of APIs it may call minimizes the attack surface and ensures each key is used only in its intended context. Limiting a key's use to specific IP addresses, devices, or applications (e.g., mobile apps, web apps) greatly reduces the risk of unauthorized access even if the key is compromised: a stolen key cannot be used from an untrusted platform or for unapproved purposes, such as accessing sensitive data or performing actions outside the scope of the original API access.
Restricting an API key to only the necessary APIs or endpoints reduces the potential damage if the key is leaked. Each key then holds minimal privileges (the principle of least privilege), limiting what it can do or access. This granular control enforces better access management and facilitates audit trails by defining clear boundaries for how each key is expected to behave.
Check
Review the API key configurations. If any API key lacks defined usage restrictions (IP address filtering, endpoint access limitations, and environment scoping), this is a finding.
Fix
Update the API key configurations to include appropriate usage restrictions (limiting access by IP address, allowed endpoints, request methods, and environment scope) in accordance with organization-defined standards.
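As an added example, not part of this control text, the following script automates the Check above against a key inventory. The record schema (ApiKey fields) and the sample keys are constructed assumptions, not any particular provider's API key format.

```python
# Constructed example: audit API key configuration records against the
# restrictions this control requires. The ApiKey schema is hypothetical.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ApiKey:
    key_id: str
    allowed_ips: List[str] = field(default_factory=list)        # IP/CIDR filtering
    allowed_apps: List[str] = field(default_factory=list)       # app or referrer binding
    allowed_endpoints: List[str] = field(default_factory=list)  # API/endpoint scope
    allowed_methods: List[str] = field(default_factory=list)    # HTTP request methods
    environment: str = ""                                       # e.g. "prod", "staging"


# Constructed sample inventory; only "svc-billing" satisfies every restriction.
SAMPLE_KEYS = [
    ApiKey("svc-billing", ["203.0.113.0/24"], ["billing-worker"],
           ["/v1/invoices"], ["GET", "POST"], "prod"),
    ApiKey("mobile-legacy", [], ["com.example.app"], [], ["GET"], "prod"),
    ApiKey("ci-scratch"),  # unrestricted key: every check fails
]


def audit_key(key: ApiKey) -> List[str]:
    """Return the missing restrictions for one key (empty list = compliant)."""
    gaps = []
    # Application restriction: at least one of IP filtering or app binding
    # must be present, matching the "IP addresses, devices, or applications"
    # wording above.
    if not key.allowed_ips and not key.allowed_apps:
        gaps.append("no application restriction (IP address or app binding)")
    # API restriction: the key must be scoped to specific endpoints.
    if not key.allowed_endpoints:
        gaps.append("no endpoint access limitation")
    if not key.allowed_methods:
        gaps.append("no request method limitation")
    if not key.environment:
        gaps.append("no environment scope")
    return gaps


def audit_inventory(keys: List[ApiKey]) -> Dict[str, List[str]]:
    """Map key_id -> gaps for every key that is a finding."""
    findings = {}
    for key in keys:
        gaps = audit_key(key)
        if gaps:
            findings[key.key_id] = gaps
    return findings


if __name__ == "__main__":
    for key_id, gaps in audit_inventory(SAMPLE_KEYS).items():
        print(f"FINDING {key_id}: " + "; ".join(gaps))
```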