module/ConfigurationProvider/ControlConfigurations/Services/EventHub.json

{
  "FeatureName": "EventHub",
  "Reference": "aka.ms/azsktcp/eventhub",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_EventHub_AuthZ_Dont_Use_Policies_At_Event_Hub_Namespace",
      "Description": "Event Hub clients (event senders or receivers) must not use 'namespace' level access policies",
      "Id": "EventHub130",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckEventHubRootPolicy",
      "Rationale": "A 'namespace' level access policy provides access to all Event Hubs in a namespace. However, using an access policy at an entity (Event Hub) level provides access only to the specific entity. Thus, using the latter is in line with the principle of least privilege.",
      "Recommendation": "Remove all the authorization rules from the Event Hub namespace except RootManageSharedAccessKey using the Remove-AzEventHubAuthorizationRule command. Run 'Get-Help Remove-AzEventHubAuthorizationRule -full' for more help. Before removing a namespace-level rule, confirm that no client still authenticates with its keys and move those clients to a policy scoped to the specific Event Hub (or to Microsoft Entra ID); otherwise they will lose access when the rule is deleted. Use the Azure portal to configure shared access policies with appropriate claims at the specific Event Hub scope.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "EventHub",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "DisplayName": "Event Hub clients (event senders or receivers) must not use 'namespace' level access policies",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "EventHubsNamespace"
        ]
      },
      "CustomTags": [],
      "ControlSettings": {
        "SharedAccessPoliciesToExclude": [
          "RootManageSharedAccessKey"
        ]
      }
    },
    {
      "ControlID": "Azure_EventHub_AuthZ_Use_Min_Permissions_Access_Policies",
      "Description": "Access policies must be defined with minimum required permissions to the Event Hub",
      "Id": "EventHub140",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckEventHubAuthorizationRule",
      "Rationale": "Granting minimum access ensures that users and client applications are granted just enough permissions to perform their tasks. This minimizes the set of operations an attacker can perform on the resource if an access policy key is compromised.",
      "Recommendation": "Ensure that client apps use shared access policies with the least required privilege and at the Event Hub scope. For instance, if the client app is only reading events from the event hub (as opposed to sending), then the policy used must only include the 'Listen' claim; a sender needs only 'Send'. The 'Manage' claim grants full control of the entity and must be reserved for administrative tooling, never handed to a data-plane client. Refer: https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-authentication-and-security-model-overview",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "EventHub",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "DisplayName": "Access policies must be defined with minimum required permissions to the Event Hub",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "EventHubsInstances"
        ]
      },
      "CustomTags": []
    },
    {
      "ControlID": "Azure_EventHub_DP_Use_Secure_TLS_Version",
      "Description": "Use approved version of TLS for Event Hub Namespace",
      "Id": "EventHub150",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckEventHubNamespaceTLSVersion",
      "DisplayName": "Use approved version of TLS for Event Hub Namespace",
      "Rationale": "TLS provides confidentiality and data integrity between client and server. Enforcing an approved minimum TLS version significantly reduces the risk from security design issues and security bugs present in older versions, which clients could otherwise negotiate if no minimum is set.",
      "Recommendation": "Go to Azure Portal --> your Event Hub Namespace --> Configuration --> Security --> Set Minimum TLS version to '1.2'. Clients that can only negotiate TLS 1.0 or 1.1 will be rejected after this change, so verify client SDK/OS compatibility before enforcing it.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "EventHub",
        "Baseline"
      ],
      "Enabled": true,
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "ControlSettings": {
        "MinReqTLSVersion": "1.2"
      },
      "CustomTags": [
        "TBv8",
        "TenantBaseline",
        "Preview",
        "Daily",
        "MSD",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "SN:EventHub_MinTLS",
        "CAIWave1"
      ]
    },
    {
      "ControlID": "Azure_EventHub_Audit_Enable_Resource_Logs_MCSB",
      "Description": "[MCSB] Resource logs in Event Hub should be enabled",
      "Id": "EventHub160",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Resource logs in Event Hub should be enabled",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "ControlScanSource": "MDC",
      "Rationale": "Resource logs record what happens on the Event Hub namespace and should be enabled and retained for a long enough period so that an activity trail can be recreated when investigations are required in the event of an incident or a compromise.",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub (note: that tutorial covers streaming Microsoft Entra logs into an event hub used as a destination; to enable resource logs on the Event Hub namespace itself, add a diagnostic setting on the namespace that sends its log categories to a Log Analytics workspace, storage account or another event hub - see control EventHub100, Azure_EventHub_Enable_Diagnostic_Settings).",
      "Tags": [
        "Automated",
        "Audit",
        "EventHub",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "2149c1597605a-0faf-5860-eb74-462ae2e9fc21"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_EventHub_Enable_Diagnostic_Settings",
      "Description": "Diagnostic logs must be enabled for Event Hub",
      "Id": "EventHub100",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckDiagnosticsSettings",
      "DisplayName": "Diagnostic logs must be enabled for Event Hub",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Diagnostic logs must be enabled because they provide the details needed to investigate a security breach or suspected threat; without them, activity on the Event Hub cannot be reconstructed after the fact.",
      "Recommendation": "To configure 'Diagnostic settings' for Event Hub, go to Azure Portal --> Your Event Hub --> Diagnostic settings --> Enable Operational Logs, Kafka User Error Logs, VNet/IP Filtering Connection Logs, Customer Managed Key Logs and Runtime Audit Logs with a minimum retention period of 90 days.",
      "Tags": [
        "Automated",
        "Audit",
        "Diagnostics",
        "EventHub",
        "Baseline"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "DiagnosticSettings"
        ]
      },
      "Enabled": true,
      "ControlSettings": {
        "DiagnosticForeverRetentionValue": "0",
        "DiagnosticMinRetentionPeriod": "90",
        "DiagnosticLogs": [
          "OperationalLogs",
          "KafkaUserErrorLogs",
          "EventHubVNetConnectionEvent",
          "CustomerManagedKeyUserLogs",
          "RuntimeAuditLogs"
        ]
      },
      "CustomTags": [
        "Weekly"
      ]
    },
    {
      "ControlID": "Azure_EventHub_AuthN_Disable_Local_Auth",
      "Description": "Disable local authentication for Event Hub Namespaces",
      "Id": "EventHub180",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckEventHubNamespaceLocalAuth",
      "DisplayName": "Disable local authentication for Event Hub Namespaces",
      "Category": "Authentication must be enabled on all user accounts and services",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "Disabling local authentication improves security by ensuring that Event Hub namespaces accept only Microsoft Entra credentials for authentication and authorization. SAS keys are shared secrets that are more easily leaked or copied than Microsoft Entra credentials, and a compromised key leads directly to unauthorized access to data.",
      "Recommendation": "To disable local authentication, go to Azure Portal --> Your Event Hub Namespace --> Local Authentication --> Click 'Disabled'. This setting applies to the whole namespace: any client still using a SAS connection string or key will stop working, so migrate all clients to Microsoft Entra ID authentication before disabling it.",
      "Tags": [
        "AuthN",
        "EventHub",
        "Baseline"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "EventHubsLocalAuth"
        ]
      },
      "Enabled": true,
      "CustomTags": [
        "Weekly",
        "SN:EventHub_Disable_Local_Auth"
      ]
    }
  ]
}