Framework/Configurations/SVT/Services/ServiceBus.json

{
  "FeatureName": "ServiceBus",
  "Reference": "aka.ms/azsdkosstcp/svcbus",
  "IsManintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_ServiceBus_Deploy_Use_ARM_Model",
      "Description": "Service Bus namespace must be created through Azure Resource Manager model",
      "Id": "ServiceBus110",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "It's the default behavior, no action required.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "Deploy"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ServiceBus_AuthN_Dont_Use_ACS",
      "Description": "ACS mechanism must not be used to authenticate Service Bus entities",
      "Id": "ServiceBus120",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "If you have a Service Bus Topic or Queue which was created using ASM, migrate to the ARM model to use SAS token based authentication.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthN"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ServiceBus_AuthZ_Dont_Use_Policies_At_SB_Namespace",
      "Description": "Service bus clients (senders/receivers) must not use 'namespace' level access policies",
      "Id": "ServiceBus130",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckServiceBusRootPolicy",
      "Recommendation": "Remove all the authorization rules from the Service Bus namespace except RootManageSharedAccessKey using the Remove-AzureRmServiceBusNamespaceAuthorizationRule command. Run 'Get-Help Remove-AzureRmServiceBusNamespaceAuthorizationRule -full' for more help. Use the Azure portal to configure shared access policies with appropriate claims at the specific entity (Topic/Queue) scope. Note that RootManageSharedAccessKey is itself a namespace-level policy, so its keys must not be handed out to sender/receiver clients either.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ServiceBus_AuthZ_Use_Minimum_Access_Policies",
      "Description": "Access policies must be defined with minimum required permissions",
      "Id": "ServiceBus140",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckServiceBusAuthorizationRule",
      "Recommendation": "Access policies must have the minimum required permissions. For instance, if the client app is only reading a Topic or a Queue (as opposed to sending), then the policy used must only include the 'Listen' claim. Refer: https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-sas",
      "Tags": [
        "SDL",
        "TCP",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ServiceBus_DP_Protect_Keys_at_Rest",
      "Description": "Access policy keys must be protected at rest",
      "Id": "ServiceBus150",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Access policy keys must be handled in a secure manner. E.g., Access policy keys can be stored in the application settings on the Azure portal for a Web App, or can be stored in a Key Vault. The approach to protect the key may vary based on the Azure feature and scenario from where Service Bus is consumed.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ServiceBus_DP_Rotate_Keys",
      "Description": "Access policy keys must be rotated periodically",
      "Id": "ServiceBus160",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Use New-AzureRmServiceBusQueueKey -ResourceGroup <ResourceGroupName> -NamespaceName <NamespaceName> -QueueName <QueueName> -AuthorizationRuleName <AuthorizationRuleName> -RegenerateKeys PrimaryKey/SecondaryKey to regenerate a Queue key. Use New-AzureRmServiceBusTopicKey -ResourceGroup <ResourceGroupName> -NamespaceName <NamespaceName> -TopicName <TopicName> -AuthorizationRuleName <AuthorizationRuleName> -RegenerateKeys PrimaryKey/SecondaryKey to regenerate a Topic key. Use New-AzureRmServiceBusNamespaceKey -ResourceGroup <ResourceGroupName> -NamespaceName <NamespaceName> -AuthorizationRuleName <AuthorizationRuleName> -RegenerateKeys PrimaryKey/SecondaryKey to regenerate a namespace key. Caution: Regenerate one key (PrimaryKey or SecondaryKey) at a time and make sure that the newly generated keys are seamlessly deployed to clients to avoid disruption of functionality.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ServiceBus_Audit_Review_logs",
      "Description": "Audit logs for Service Bus entities should be reviewed routinely",
      "Id": "ServiceBus170",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Audit log can be reviewed at Portal -> Service Bus -> <Your Service Bus Name> -> Diagnostics logs.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Manual",
        "Audit"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ServiceBus_DP_Encrypt_in_Transit",
      "Description": "Sensitive data must be encrypted in transit",
      "Id": "ServiceBus190",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Default behavior. No action required.",
      "Tags": [
        "SDL",
        "Information",
        "Manual",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ServiceBus_AuthZ_Use_Min_Token_Lifetime",
      "Description": "Expiry time of SAS token should be the minimum required",
      "Id": "ServiceBus200",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Set expiry time of SAS tokens to the minimum required in context of the scenario. Refer: https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-sas#generate-a-shared-access-signature-token",
      "Tags": [
        "SDL",
        "Best Practice",
        "Manual",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ServiceBus_BCDR_Paired_Namespace_In_Diff_Center",
      "Description": "Paired Namespace should be used for disaster recovery",
      "Id": "ServiceBus210",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "In case of a Service Bus outage (e.g. throttling, storage issue, single subsystem failure, Azure data center failure), messages sent by the sender application will not be received by Service Bus. To maintain consistent availability of the application, Service Bus users should use a paired namespace in a different data center. The paired namespace will send the messages to secondary queue(s) while the primary queue is down. (Messages from the secondary queue will be transferred to the primary queue when the primary queue becomes available again). Refer: https://azure.microsoft.com/en-in/documentation/articles/service-bus-paired-namespaces/",
      "Tags": [
        "SDL",
        "Best Practice",
        "Manual",
        "BCDR"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ServiceBus_AuthZ_Grant_Min_RBAC_Access",
      "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
      "Id": "ServiceBus220",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRBACAccess",
      "Recommendation": "The administrator should hold the 'Owner' role on the Service Bus at the 'resource' scope. Application developers should not have direct access to the Service Bus resource (they should just be provided the required shared access policy for a non-production Topic/Queue entity). Auditors should have 'Monitor Contributor Service Role' or 'Monitor Reader Service Role' based on their role.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "RBAC"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ServiceBus_Audit_Enable_Diagnostics_Log",
      "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days.",
      "Id": "ServiceBus230",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckDiagnosticsSettings",
      "Recommendation": "Turn 'on' the Diagnostics logs with retention days $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) or $($this.ControlSettings.Diagnostics_RetentionPeriod_Forever) (= forever). For more information visit: https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-diagnostic-logs",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "Diagnostics"
      ],
      "Enabled": true
    }
  ]
}