Framework/Configurations/SVT/Services/EventHub.json

{
  "FeatureName": "EventHub",
  "Reference": "aka.ms/azsdkosstcp/svcbus",
  "IsManintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_EventHub_Deploy_Use_ARM_Model",
      "Description": "Event Hub namespace must be created through Azure Resource Manager model",
      "Id": "EventHub110",
                         "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "This is the default behavior; no action is required.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "Deploy"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_EventHub_AuthN_Dont_Use_ACS",
      "Description": "ACS mechanism must not be used to authenticate Event Hub entities",
      "Id": "EventHub120",
                         "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "This is the default behavior; no action is required.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthN"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_EventHub_AuthZ_Dont_Use_Policies_At_SB_Namespace",
      "Description": "Applications (senders/receivers) must not use access policies defined at Event Hub namespace level",
      "Id": "EventHub130",
                         "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckEventHubRootPolicy",
      "Recommendation": "Remove all authorization rules from the Service Bus namespace except RootManageSharedAccessKey using the Remove-AzureRmEventHubNamespaceAuthorizationRule command. Run 'Get-Help Remove-AzureRmEventHubNamespaceAuthorizationRule -full' for complete details about this command.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_EventHub_AuthZ_Use_Min_Permissions_Access_Policies",
      "Description": "Access policies must be defined with minimum required permissions at Event Hub",
      "Id": "EventHub140",
                         "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "CheckEventHubAuthorizationRule",
      "Recommendation": "Access policies must have the minimum required permissions. e.g. an application that only needs to receive messages must have only the Listen permission, and a backend service whose task is to send messages to the Event Hub must have only the Send permission. For more information visit: https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-authentication-and-security-model-overview",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_EventHub_DP_Protect_Keys_At_Rest",
      "Description": "Access policy keys must be protected at rest",
      "Id": "EventHub150",
                         "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Access policy keys must be handled in a secure way so that they are never visible in plain text. e.g. access policy keys can be stored in the application settings on the Portal for a Web App, or in Key Vault, etc. The mechanism for securing secrets varies from one Azure feature to another; refer to the corresponding Azure feature's documentation on how to secure secrets.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_EventHub_DP_Rotate_Keys",
      "Description": "Access policy keys must be rotated",
      "Id": "EventHub160",
                         "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Use New-AzureRmEventHubKey -ResourceGroup <ResourceGroupName> -NamespaceName <NamespaceName> -EventHubName <EventHubName> -AuthorizationRuleName <AuthorizationRuleName> -RegenerateKey PrimaryKey/SecondaryKey to regenerate an Event Hub key. Use New-AzureRmEventHubNamespaceKey -ResourceGroup <ResourceGroupName> -NamespaceName <NamespaceName> -AuthorizationRuleName <AuthorizationRuleName> -RegenerateKeys PrimaryKey/SecondaryKey to regenerate a namespace key. Caution: Existing code will break if the newly generated key is not used to replace the old one in the code base.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_EventHub_Audit_Review_Logs",
      "Description": "Audit logs for Event Hub entities should be reviewed periodically",
      "Id": "EventHub170",
                         "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Audit logs can be reviewed in the Portal -> Event Hub -> <Your Event Hub Name> -> Diagnostics logs",
      "Tags": [
        "SDL",
        "Best Practice",
        "Manual",
        "Audit"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_EventHub_DP_Encrypt_In_Transit",
      "Description": "Sensitive data must be encrypted in transit",
      "Id": "EventHub190",
                         "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "This is the default behavior; no action is required.",
      "Tags": [
        "SDL",
        "Information",
        "Manual",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_EventHub_AuthZ_Use_Min_Token_Lifetime",
      "Description": "Expiry time of SAS tokens should be the minimum required",
      "Id": "EventHub200",
                         "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "SAS tokens are invalidated after their expiry time. The expiry time should be set to the minimum required for the scenario. For more information visit: https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-sas#generate-a-shared-access-signature-token",
      "Tags": [
        "SDL",
        "Best Practice",
        "Manual",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_EventHub_AuthN_Use_Publisher_Token",
      "Description": "Use Publisher token to authenticate senders instead of Access Policy token",
      "Id": "EventHub210",
                         "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "A publisher token is generated from an access policy combined with an Event Hub and an event publisher. An event publisher defines a virtual endpoint for the Event Hub. The publisher token should be generated from an Event Hub access policy that has Send permission. For more info visit: https://blogs.msdn.microsoft.com/servicebus/2015/02/02/event-hub-publisher-policy-in-action/",
      "Tags": [
        "SDL",
        "Best Practice",
        "Manual",
        "AuthN"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_EventHub_AuthZ_Grant_Min_RBAC_Access",
      "Description": "All Users/Identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
      "Id": "EventHub220",
                         "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRBACAccess",
      "Recommendation": "Administrators should be assigned the 'Owner' role on the Event Hub at resource level. Application developers should not have access to the resource beyond the minimum required access key. Auditors should have the 'Monitor Contributor Service Role' or 'Monitor Reader Service Role' based on business justification.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "RBAC"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_EventHub_Audit_Enable_Diagnostics_Log",
      "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days.",
      "Id": "EventHub230",
                         "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckDiagnosticsSettings",
      "Recommendation": "Turn 'on' the Diagnostics logs. Enable ArchiveLogs, OperationalLogs, AutoScaleLogs with retention days $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) or $($this.ControlSettings.Diagnostics_RetentionPeriod_Forever)(forever). For more information visit: https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-diagnostic-logs",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "Diagnostics"
      ],
      "Enabled": true
    }
  ]
}