module/ConfigurationProvider/ControlConfigurations/Services/IoTHub.json

{
  "FeatureName": "IoTHub",
  "Reference": "",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_IoTHub_Audit_Enable_Resource_Logs_MCSB",
      "Description": "[MCSB] Resource logs in IoT Hub must be enabled",
      "Id": "IoTHub100",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Resource logs in IoT Hub must be enabled",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Resource logs must be enabled so that an activity trail can be recreated for investigation when a security incident occurs or the network is compromised; without them there is no record of device and service activity to reconstruct after the fact.",
      "Recommendation": "To enable resource logs in IoTHub please refer: https://learn.microsoft.com/en-us/azure/iot-hub/tutorial-use-metrics-and-diags#collect-logs-for-connections-and-device-telemetry",
      "Tags": [
        "Automated",
        "Baseline",
        "Audit",
        "IoTHub"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "77785808-ce86-4e40-b45f-19110a547397"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_IoTHubs_Audit_Enable_Diagnostic_Settings",
      "Description": "Enable Security Logging in IoT Hubs",
      "Id": "IoTHub110",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckDiagnosticsSettings",
      "DisplayName": "Enable Security Logging in IoT Hubs",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Logs should be retained for a long enough period so that the activity trail can be recreated when investigations are required in the event of an incident or a compromise. This control requires the 'Connections' log category to be collected and retained for at least 90 days (or retained indefinitely); a period of 1 year is typical for several compliance requirements as well.",
      "Recommendation": "You can change the diagnostic settings from the Azure Portal: go to your IoT Hub --> Monitoring --> Diagnostic settings --> Add diagnostic setting, select at least the 'Connections' log category, and send it to a destination (Log Analytics workspace, storage account or Event Hub) whose retention meets the required minimum. For IoT Hub specific guidance refer: https://learn.microsoft.com/en-us/azure/iot-hub/tutorial-use-metrics-and-diags#collect-logs-for-connections-and-device-telemetry.",
      "Tags": [
        "Automated",
        "Audit",
        "Diagnostics",
        "IoTHub",
        "Baseline"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "DiagnosticSettings"
        ]
      },
      "Enabled": true,
      "ControlSettings": {
        "DiagnosticForeverRetentionValue": "0",
        "DiagnosticMinRetentionPeriod": "90",
        "DiagnosticLogs": [
          "Connections"
        ]
      },
      "CustomTags": [
        "Daily",
        "TenantBaseline",
        "MSD",
        "TBv12",
        "SN:IoTHubs_Logging"
      ]
    },
    {
      "ControlID": "Azure_IoTHub_DP_Use_Secure_TLS_Version",
      "Description": "Use approved version of TLS for Azure IoT Hub in supported regions",
      "Id": "IoTHub120",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckIoTHubMinimumTLSVersion",
      "DisplayName": "Use approved version of TLS for Azure IoT Hub in supported regions",
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Rationale": "TLS provides confidentiality and data integrity between client and server. Using an approved TLS version (1.2 or higher) significantly reduces risks from security design issues and security bugs that are present in older protocol versions such as TLS 1.0 and 1.1.",
      "Recommendation": "To configure the 'Minimum TLS Version' setting for Azure IoT Hub, go to Azure Portal --> Your IoT Hub --> Configuration --> set the Minimum TLS Version to 1.2 or higher --> Click 'Apply'. Note that this control is only evaluated for hubs deployed in the regions listed under 'SupportedRegions'; hubs in other regions are not assessed by this control. Refer: https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-tls-support",
      "Tags": [
        "Automated",
        "DP",
        "IoTHub",
        "Baseline"
      ],
      "Enabled": true,
      "ControlSettings": {
        "MinReqTLSVersion": "1.2",
        "SupportedRegions": [ "eastus", "westus2", "southcentralus" ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "Location"
        ]
      },
      "CustomTags": [
        "Daily",
        "SN:IoTHub_TLS",
        "TBv15",
        "TenantBaseline"
      ]
    }
  ]
}