Framework/Configurations/SVT/Services/BotService.json
| { "FeatureName": "BotService", "Reference": "aka.ms/azsktcp/botservice", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_BotService_Enable_Required_Channels_Only", "Description": "Only specific/required channels must be configured to allow traffic to bot service.", "Id": "BotService110", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckBotConfiguredChannels", "Rationale": "Each channel enabled for the Bot exposes the bot to activity on that channel. If a channel that is not actually required is enabled for the bot, it introduces unnecessary avenues for attack.", "Recommendation": "Verify the configured channels and to add more supported channels refer: https://docs.microsoft.com/en-us/azure/bot-service/bot-service-manage-channels?view=azure-bot-service-3.0", "Tags": [ "SDL", "TCP", "BotService" ], "Enabled": true }, { "ControlID": "Azure_BotService_DP_Encrypt_At_Rest", "Description": "Ensure to use own storage adapter instead of Bot Framework State Service API.", "Id": "BotService120", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "Using this feature ensures that sensitive data is stored encrypted at rest. This minimizes the risk of data loss from physical theft and also helps meet regulatory compliance requirements.", "Recommendation": "Default behavior. No action required.", "Tags": [ "SDL", "Information", "Manual", "BotService" ], "Enabled": true }, { "ControlID": "Azure_BotService_DP_Protect_Secrets", "Description": "Secrets in Bot Service must be handled properly.", "Id": "BotService130", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "Keeping secrets such as passwords, keys, etc. in clear text can lead to easy compromise at various avenues during an application's lifecycle.", "Recommendation": "It is recommended to handle the secrets properly.", "Tags": [ "SDL", "TCP", "Manual", "BotService" ], "Enabled": "true" }, { "ControlID": "Azure_BotService_Audit_Enable_Monitoring", "Description": "Make sure important activities and events during Bot interactions are logged.", "Id": "BotService140", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckAIConfigured", "Rationale": "Analytics can be useful to detect unusual usage behavior patterns.", "Recommendation": "Follow https://docs.microsoft.com/en-us/azure/bot-service/bot-service-manage-analytics?view=azure-bot-service-3.0 for configuring Application Insight with Bot Service.", "Tags": [ "SDL", "TCP", "BotService" ], "Enabled": "true" }, { "ControlID": "Azure_BotService_DP_Dont_Allow_HTTP_Access", "Description": "Bot Service API must only be accessible over HTTPS", "Id": "BotService150", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", "Recommendation": "Make Web App linked to Bot Service to use Https using command 'Set-AzResource -ResourceName '<WebAppName>' -ResourceGroupName '<RGName>' -ResourceType 'Microsoft.Web/sites' -Properties @{httpsOnly='true'} -Force '. Run 'Get-Help Set-AzResource -full' for more help.", "Tags": [ "SDL", "TCP", "Manual", "BotService" ], "Enabled": true } ] } |