Framework/Configurations/SVT/Services/NotificationHub.json

{
  "featureName": "NotificationHub",
  "reference": "aka.ms/azsdkosstcp/nothub",
  "isManintenanceMode": false,
  "controls": [
    {
      "ControlID": "Azure_NotificationHub_Deploy_Use_ARM_Model",
      "Description": "Notification Hub must be created through Azure Resource Manager model",
      "Id": "NotificationHub110",
                         "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Notification hub must not be created on the Azure classic portal. You need to clean up any unexpected 'Notification hubs' present on the subscription. (1) Steps to clean up notification hub from classic portal (a) Log on to https://manage.windowsazure.com/ (b) Navigate to the 'Notification Hub' --> Dashboard (c) Select the notification hub that has to be removed and click on the 'Delete' icon on the bottom ribbon (d) Perform this operation for all the notification hubs that have to be removed from the subscription. (2) Steps to clean up notification hub through command - Run the command 'Remove-AzureRmNotificationHub [-ResourceGroup] <String> [-Namespace] <String> [-NotificationHub] <String> [-Confirm] [-Force] [-WhatIf] [<CommonParameters>]'",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "Deploy"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_NotificationHub_Deploy_Do_Not_Use_Free_Tier",
      "Description": "Free tier must not be used for Notification Hub",
      "Id": "NotificationHub120",
                         "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Use 'Basic' or 'Standard' pricing tier for notification hub deployment.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "Deploy"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_NotificationHub_AuthZ_Grant_Min_RBAC_Access",
      "Description": "All Users/Identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
      "Id": "NotificationHub130",
                         "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRBACAccess",
      "Recommendation": "Clean up any unauthorized access on the Notification hubs. Run command Remove-AzureRmRoleAssignment -SignInName '<SignInName>' -Scope '<Scope>' -RoleDefinitionName '<RoleDefinitionName>'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' to get the complete details about this command.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "RBAC"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_NotificationHub_AuthZ_Dont_Use_Policies_At_NotificationHub_Namespace",
      "Description": "Applications must not use access policies defined at Notification Hub namespace level",
      "Id": "NotificationHub140",
                         "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "A namespace is a collection of hubs. Each notification hub must have its own access policies. Help link - https://docs.microsoft.com/en-us/azure/notification-hubs/notification-hubs-push-notification-overview",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_NotificationHub_AuthZ_Use_Min_Permissions_Access_Policies",
      "Description": "Access policies must be defined with minimum required permissions at Notification Hub",
      "Id": "NotificationHub150",
                         "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Create policies for each user group with the minimum required permissions. Refer to the link for an example of creating policies for users: https://docs.microsoft.com/en-us/azure/notification-hubs/notification-hubs-aspnet-backend-windows-dotnet-wns-notification",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_NotificationHub_AuthZ_Dont_Use_Manage_Access_Permission",
      "Description": "Access policies on Notification Hub must not have Manage access permissions",
      "Id": "NotificationHub160",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckAuthorizationRule",
      "Recommendation": "Use access policies with 'Send' and 'Listen' permissions instead of 'Manage'. Help link - https://docs.microsoft.com/en-us/azure/notification-hubs/notification-hubs-push-notification-security",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_NotificationHub_Deploy_Reg_Mngt_Not_From_Native_Device_App",
      "Description": "Registration management must not be done from a native/device app",
      "Id": "NotificationHub170",
                         "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Registration management should be done through the application backend. Help link - https://docs.microsoft.com/en-us/azure/notification-hubs/notification-hubs-push-notification-registration-management",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "Deploy"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_NotificationHub_DP_Msg_Body_Not_Contain_Sensitive_Data",
      "Description": "Message body of a push notification must not contain sensitive data",
      "Id": "NotificationHub180",
                         "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "To send sensitive data, it is recommended to use a Secure Push pattern. Help link - https://docs.microsoft.com/en-us/azure/notification-hubs/notification-hubs-aspnet-backend-windows-dotnet-wns-secure-push-notification",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP",
        "SecIntell"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_NotificationHub_AuthZ_Limit_App_Team_Access",
      "Description": "Notification Hub application team must not be granted persistent access on the subscription through Azure Service Management portal",
      "Id": "NotificationHub190",
                         "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Remove any persistent access present on subscription through Service Management Portal.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_NotificationHub_Audit_Enable_Logging_And_Monitoring",
      "Description": "Audit logs for Notification Hub are enabled by default",
      "Id": "NotificationHub200",
                         "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Audit logs for Notification Hub are enabled by default.",
      "Tags": [
        "SDL",
        "Information",
        "Manual",
        "Audit"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_NotificationHub_BCDR_Plan",
      "Description": "Backup and Disaster Recovery must be planned for Notification Hub",
      "Id": "NotificationHub210",
                         "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Azure provides metadata disaster recovery coverage on the service side (the Notification Hubs name, the connection string, and other critical information). When a disaster recovery scenario is triggered, registration data is the only segment of the Notification Hubs infrastructure that is lost. You will need to implement a solution to repopulate this data into your new hub post-recovery. Help link - https://docs.microsoft.com/en-us/azure/notification-hubs/notification-hubs-push-notification-faq --> What support is provided for disaster recovery?",
      "Tags": [
        "SDL",
        "Information",
        "Manual",
        "BCDR"
      ],
      "Enabled": true
    }
  ]
}