module/ConfigurationProvider/ControlConfigurations/Services/EventHub.json

{
  "FeatureName": "EventHub",
  "Reference": "aka.ms/azsktcp/eventhub",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_EventHub_AuthZ_Dont_Use_Policies_At_Event_Hub_Namespace",
      "Description": "Event Hub clients (event senders or receivers) must not use 'namespace' level access policies",
      "Id": "EventHub130",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckEventHubRootPolicy",
      "Rationale": "A 'namespace' level shared access policy grants the same rights to every Event Hub in the namespace, so a leaked key or an over-entitled client exposes all of them at once. An access policy defined at the entity (Event Hub) level grants access only to that specific Event Hub, which confines the impact of a key compromise to a single entity. Using entity-level policies is therefore in line with the principle of least privilege.",
      "Recommendation": "Before removing any rule, inventory which clients use its keys: the keys of a deleted authorization rule stop working, so clients still relying on them will lose access. Then remove all the authorization rules from the Event Hub namespace except RootManageSharedAccessKey (which this control excludes from the check) using the Remove-AzEventHubAuthorizationRule command. Run 'Get-Help Remove-AzEventHubAuthorizationRule -full' for more help. Use the Azure portal to configure shared access policies with only the required claims at the specific Event Hub scope, and point the migrated clients at those entity-level keys.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "EventHub",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "DisplayName": "Event Hub clients (event senders or receivers) must not use 'namespace' level access policies",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "EventHubsNamespace"
        ]
      },
      "CustomTags": [],
      "ControlSettings": {
        "SharedAccessPoliciesToExclude": [
          "RootManageSharedAccessKey"
        ]
      }
    },
    {
      "ControlID": "Azure_EventHub_AuthZ_Use_Min_Permissions_Access_Policies",
      "Description": "Access policies must be defined with minimum required permissions to the Event Hub",
      "Id": "EventHub140",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckEventHubAuthorizationRule",
      "Rationale": "Granting minimum access ensures that a client holds just enough permissions to perform its task. If the policy key is compromised, this limits the set of operations an attacker can perform on the Event Hub: for example, a key that carries only the 'Listen' claim cannot be used to send events into the entity.",
      "Recommendation": "Ensure that client apps use shared access policies with the least required privilege and at the Event Hub scope. For instance, if the client app is only reading events from the event hub (as opposed to sending), then the policy used must only include the 'Listen' claim; a sender needs only 'Send'. Reserve the 'Manage' claim for administrative tooling rather than application clients, and periodically review existing policies for claims a client no longer needs. Refer: https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-authentication-and-security-model-overview",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "EventHub",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "DisplayName": "Access policies must be defined with minimum required permissions to the Event Hub",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "EventHubsInstances"
        ]
      },
      "CustomTags": []
    },
    {
      "ControlID": "Azure_EventHub_DP_Use_Secure_TLS_Version_Trial",
      "Description": "[Trial] Use approved version of TLS for Event Hub Namespace",
      "Id": "EventHub150",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckEventHubNamespaceTLSVersion",
      "DisplayName": "[Trial] Use approved version of TLS for Event Hub Namespace",
      "Rationale": "TLS provides privacy and data integrity between client and server. Enforcing an approved minimum TLS version prevents clients from negotiating older protocol versions, which significantly reduces risks from security design issues and security bugs present in those versions; without an enforced minimum, a single legacy client can still connect over an outdated protocol.",
      "Recommendation": "Go to Azure Portal --> your Event Hub Namespace --> Configuration --> Security --> Set Minimum TLS version to '1.2'. Before enforcing this, confirm that every client (SDKs, connectors, on-premises senders) can negotiate TLS 1.2 or later, because clients limited to older versions will fail to connect once the minimum is raised.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "EventHub",
        "Baseline",
        "Daily",
        "Trial"
      ],
      "Enabled": true,
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "ControlSettings": {
        "MinReqTLSVersion": "1.2"
      },
      "CustomTags": [
        "SN:EventHub_MinTLS"
      ]
    }
  ]
}