Framework/Configurations/SVT/Services/ServiceBus.json

{
  "FeatureName": "ServiceBus",
  "Reference": "aka.ms/azsdkosstcp/svcbus",
  "IsManintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_ServiceBus_Deploy_Use_ARM_Model",
      "Description": "Service Bus namespace must be created through Azure Resource Manager model",
      "Id": "ServiceBus110",
                         "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "It's the default behavior, no action required.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "Deploy"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ServiceBus_AuthN_Dont_Use_ACS",
      "Description": "ACS mechanism must not be used to authenticate Service Bus entities",
      "Id": "ServiceBus120",
                         "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "It's the default behavior, no action required.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthN"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ServiceBus_AuthZ_Dont_Use_Policies_At_SB_Namespace",
      "Description": "Applications (senders/receivers) must not use access policies defined at Service Bus namespace level",
      "Id": "ServiceBus130",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckServiceBusRootPolicy",
      "Recommendation": "Remove all the authorization rules from Service Bus namespace except RootManageSharedAccessKey using Remove-AzureRmServiceBusNamespaceAuthorizationRule command. Run 'Get-Help Remove-AzureRmServiceBusNamespaceAuthorizationRule -full' to get the complete details about this command.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ServiceBus_AuthZ_Use_Minimum_Access_Policies",
      "Description": "Access policies must be defined with minimum required permissions",
      "Id": "ServiceBus140",
                         "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckServiceBusAuthorizationRule",
      "Recommendation": "Access policies must have the minimum required permissions. e.g. An application that only needs to receive messages must have only the listen permission, and a backend service must have only the send permission if its task is to send messages to a Service Bus entity (Topic/Queue). For more details visit: https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-sas",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ServiceBus_DP_Protect_Keys_at_Rest",
      "Description": "Access policy keys must be protected at rest",
      "Id": "ServiceBus150",
                         "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Access policy keys must be handled in a secure way so that they are not visible in plain text. e.g. Access policy keys can be stored in the application settings in Azure Portal for a Web App, or can be stored in Key Vault etc. This securing secrets mechanism can vary from Azure feature to feature. Refer to the corresponding Azure feature on how to secure secrets.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ServiceBus_DP_Rotate_Keys",
      "Description": "Access policy keys must be rotated",
      "Id": "ServiceBus160",
                         "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Use New-AzureRmServiceBusQueueKey -ResourceGroup <ResourceGroupName> -NamespaceName <NamespaceName> -QueueName <QueueName> -AuthorizationRuleName <AuthorizationRuleName> -RegenerateKeys PrimaryKey/SecondaryKey to regenerate Queue key. Use New-AzureRmServiceBusTopicKey -ResourceGroup <ResourceGroupName> -NamespaceName <NamespaceName> -TopicName <TopicName> -AuthorizationRuleName <AuthorizationRuleName> -RegenerateKeys PrimaryKey/SecondaryKey to regenerate Topic key. Use New-AzureRmServiceBusNamespaceKey -ResourceGroup <ResourceGroupName> -NamespaceName <NamespaceName> -AuthorizationRuleName <AuthorizationRuleName> -RegenerateKeys PrimaryKey/SecondaryKey to regenerate namespace key. Caution: Existing code will break if the newly generated key does not replace the old one in the code base.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ServiceBus_Audit_Review_logs",
      "Description": "Audit logs for Service Bus entities should be reviewed routinely",
      "Id": "ServiceBus170",
                         "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Audit log can be reviewed at Portal -> Service Bus -> <Your Service Bus Name> -> Diagnostics logs.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Manual",
        "Audit"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ServiceBus_DP_Encrypt_in_Transit",
      "Description": "Sensitive data in transit must be encrypted",
      "Id": "ServiceBus190",
                         "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "It's the default behavior, no action required.",
      "Tags": [
        "SDL",
        "Information",
        "Manual",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ServiceBus_AuthZ_Use_Min_Token_Lifetime",
      "Description": "Expiry time of SAS token should be minimum required",
      "Id": "ServiceBus200",
                         "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "SAS tokens are invalidated after expiry time. Expiry time should be set to minimum required in the context of the scenario. For more information visit: https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-sas#generate-a-shared-access-signature-token",
      "Tags": [
        "SDL",
        "Best Practice",
        "Manual",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ServiceBus_BCDR_Paired_Namespace_In_Diff_Center",
      "Description": "Paired Namespace should be used for disaster recovery",
      "Id": "ServiceBus210",
                         "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "In case of Service Bus outage (e.g. throttling, storage issue, single subsystem failure, Azure data center failure), messages sent by sender application will not be received by Service Bus. To maintain consistent availability of application, Service Bus users should use paired namespace in different data center. Paired namespace will send the messages to secondary queue(s) while primary queue is down. Messages from secondary queue will be transferred to primary queue when primary queue is available. For more info visit: https://azure.microsoft.com/en-in/documentation/articles/service-bus-paired-namespaces/",
      "Tags": [
        "SDL",
        "Best Practice",
        "Manual",
        "BCDR"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ServiceBus_AuthZ_Grant_Min_RBAC_Access",
      "Description": "All Users/Identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
      "Id": "ServiceBus220",
                         "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRBACAccess",
      "Recommendation": "Administrators should be assigned the 'Owner' role on the Service Bus at resource level. Application developers should not have access to the resource beyond the minimum required access key. Auditors should have the 'Monitor Contributor Service Role' or 'Monitor Reader Service Role' based on business justification.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "RBAC"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ServiceBus_Audit_Enable_Diagnostics_Log",
      "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days.",
      "Id": "ServiceBus230",
                         "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckDiagnosticsSettings",
      "Recommendation": "Turn 'on' the Diagnostics logs with retention days $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) or $($this.ControlSettings.Diagnostics_RetentionPeriod_Forever)(forever). For more information visit: https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-diagnostic-logs",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "Diagnostics"
      ],
      "Enabled": true
    }
  ]
}