module/ConfigurationProvider/ControlConfigurations/Services/ServiceBus.json
{
"FeatureName": "ServiceBus", "Reference": "aka.ms/azsktcp/servicebus", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_ServiceBus_AuthZ_Dont_Use_Policies_At_SB_Namespace", "Description": "All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace", "Id": "ServiceBus130", "ControlSeverity": "High", "DisplayName": "All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace", "Category": "Least privilege access to subscription and resources", "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms", "Automated": "Yes", "MethodName": "CheckServiceBusRootPolicy", "AssessmentName": "", "PolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee", "Rationale": "Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity.", "Recommendation": "Remove all the authorization rules from Service Bus namespace except RootManageSharedAccessKey using Remove-AzServiceBusAuthorizationRule command. Run 'Get-Help Remove-AzServiceBusAuthorizationRule -full' for more help. 
Use the Azure portal to configure shared access policies with appropriate claims at the specific entity (Topic/Queue) scope.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "ServiceBus", "Baseline", "Weekly" ], "Enabled": true, "ControlEvaluationDetails": { "RequiredProperties": [ "ServiceBusNamespaceAuthorizationRules" ] }, "ControlSettings": { "RootManageSharedAccessKeyName": "RootManageSharedAccessKey" } }, { "ControlID": "Azure_ServiceBus_DP_Use_Secure_TLS_Version", "Description": "Use approved version of TLS for Azure Service Bus.", "Id": "ServiceBus240", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckServiceBusMinimumTLSVersion", "DisplayName": "Use approved version of TLS for Azure Service Bus.", "Category": "Encrypt data in transit", "ControlRequirements": "Data must be encrypted in transit and at rest", "Rationale": "TLS provides confidentiality and data integrity between client and server. Using an approved TLS version significantly reduces risks from security design issues and security bugs that may be present in older versions.", "Recommendation": "To configure the 'Minimum TLS Version' setting for Azure Service Bus, go to Azure Portal --> Your Service Bus --> Configuration --> Set the Minimum TLS Version to the latest version --> Click 'Apply'. 
Refer: https://learn.microsoft.com/en-us/azure/service-bus-messaging/transport-layer-security-configure-minimum-version and https://learn.microsoft.com/en-us/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version?WT.mc_id=Portal-Microsoft_Azure_ServiceBus", "Tags": [ "TCP", "Automated", "DP", "ServiceBus", "Baseline" ], "Enabled": true, "ControlSettings": { "MinReqTLSVersion": "1.2" }, "CustomTags": [ "Daily", "SN:SERVICEBUS_TLS", "Preview", "TenantBaseline", "MSD", "CAIPreview", "EDPreview", "SMTPreview", "TBv9", "CAIWave1" ] }, { "ControlID": "Azure_ServiceBus_Audit_Enable_Resource_Logs_MCSB", "Description": "[MCSB] Resource logs in Service Bus should be enabled", "Id": "ServiceBus250", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] Resource logs in Service Bus should be enabled", "Category": "Monitoring must be correctly configured", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "Rationale": "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised.", "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/service-bus-messaging/monitor-service-bus#monitoring-data-from-azure-service-bus", "Tags": [ "Audit", "Automated", "Baseline", "ServiceBus" ], "AssessmentProperties": { "AssessmentNames": [ "f19ab7d9-5ff2-f8fd-ab3b-0bf95dcb6889" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." 
} ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_ServiceBus_AuthN_Disable_Local_Auth", "Description": "Disable Local Authentication for the ServiceBus", "Id": "ServiceBus260", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckServiceBusLocalAuthentication", "DisplayName": "Disable Local Authentication for the ServiceBus", "Category": "Authentication must be enabled on all user accounts and services.", "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms", "Rationale": "Disabling local authentication methods improves security by ensuring that Azure Service Bus namespaces exclusively require Azure Active Directory identities for authentication.", "Recommendation": "To disable local authentication for Service Bus, refer: https://learn.microsoft.com/en-us/azure/service-bus-messaging/disable-local-authentication", "Tags": [ "AuthN", "Baseline", "ServiceBus", "Automated" ], "Enabled": true, "CustomTags": [ "Daily", "SN:ServiceBus_AAD" ] }, { "ControlID": "Azure_ServiceBus_Audit_Enable_Diagnostic_Settings", "Description": "Enable Security Logging in Azure Service Bus", "Id": "ServiceBus270", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckDiagnosticsSettings", "Rationale": "Logs should be retained for a long enough period so that the activity trail can be recreated when investigations are required in the event of an incident or a compromise. 
A period of 1 year is typical for several compliance requirements as well.", "Recommendation": "You can change the diagnostic settings from the Azure Portal by following the steps given here: https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings.", "Enabled": true, "DisplayName": "Enable Security Logging in Azure Service Bus", "Category": "Monitoring must be correctly configured", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "Tags": [ "Audit", "Baseline", "ServiceBus", "Automated", "Diagnostics" ], "ControlEvaluationDetails": { "RequiredProperties": [ "DiagnosticSettings" ] }, "ControlSettings": { "DiagnosticForeverRetentionValue": "0", "DiagnosticMinRetentionPeriod": "90", "DiagnosticLogs": [ "OperationalLogs", "VNetAndIPFilteringLogs", "RuntimeAuditLogs" ] }, "CustomTags": [ "Daily", "TenantBaseline", "MSD", "TBv12", "SN:ServiceBus_Logging" ] } ] }