Framework/Configurations/SVT/Services/NotificationHub.json

{
  "featureName": "NotificationHub",
  "reference": "aka.ms/azsdkosstcp/nothub",
  "isManintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_NotificationHub_Deploy_Use_ARM_Model",
      "Description": "Notification Hub must be created through Azure Resource Manager model",
      "Id": "NotificationHub110",
                         "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Notification hub must not be created on azure classic portal.You need to clean up any unexpected 'Notification hubs' present on the subscription. (1) Steps to clean up notification hub from classic portal (a) Logon to https://manage.windowsazure.com/ (b) Navigate to the 'Notification Hub' --> Dashboard (c) Select the notification hub that has be removed and click on the 'Delete' icon on the bottom ribbon (d) Perform this operation for all the notification hubs that has to be removed from the subscription. (2) Steps to clean up notification hub through command - Run the command 'Remove-AzureRmNotificationHub [-ResourceGroup] <String> [-Namespace] <String> [-NotificationHub] <String> [-Confirm] [-Force] [-WhatIf] [<CommonParameters>]'",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "Deploy"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_NotificationHub_AuthZ_Grant_Min_RBAC_Access",
      "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
      "Id": "NotificationHub130",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRBACAccess",
      "Recommendation": "Remove any excessive privileges granted on the Notification hubs. Run command: Remove-AzureRmRoleAssignment -SignInName '<SignInName>' -Scope '<Scope>' RoleDefinitionName '<RoleDefinitionName>'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "RBAC"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_NotificationHub_AuthZ_Dont_Use_Policies_At_NotificationHub_Namespace",
      "Description": "Applications must not use 'namespace' level access policies for the Notification Hub",
      "Id": "NotificationHub140",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Create access policies for the respective Notification Hub representing the least access required and use them. Refer: https://docs.microsoft.com/en-us/azure/notification-hubs/notification-hubs-push-notification-overview",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_NotificationHub_AuthZ_Use_Min_Permissions_Access_Policies",
      "Description": "Access policies must be defined with minimum required permissions at Notification Hub level",
      "Id": "NotificationHub150",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Ensure that policy definitions capture least required operations. E.g., if only 'Send' is necessary then 'Listen' should not be in the permission set. Refer for example of creation of policies for user https://docs.microsoft.com/en-us/azure/notification-hubs/notification-hubs-aspnet-backend-windows-dotnet-wns-notification",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_NotificationHub_AuthZ_Dont_Use_Manage_Access_Permission",
      "Description": "Access policies on Notification Hub must not have Manage access permissions",
      "Id": "NotificationHub160",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckAuthorizationRule",
      "Recommendation": "Use 'Send' and 'Listen' manage policies as access permissions for clients and back ends. Refer: https://docs.microsoft.com/en-us/azure/notification-hubs/notification-hubs-push-notification-security",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_NotificationHub_Deploy_Reg_Mngt_Not_From_Native_Device_App",
      "Description": "Registration management must not be done from a native client or device app",
      "Id": "NotificationHub170",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Registration management should be done through application backend. Refer: https://docs.microsoft.com/en-us/azure/notification-hubs/notification-hubs-push-notification-registration-management",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "Deploy"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_NotificationHub_DP_Msg_Body_Not_Contain_Sensitive_Data",
      "Description": "Message body of a push notification must not contain sensitive data",
      "Id": "NotificationHub180",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Use the Secure Push pattern if there is a need to send senstive data. Refer: https://docs.microsoft.com/en-us/azure/notification-hubs/notification-hubs-aspnet-backend-windows-dotnet-wns-secure-push-notification",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP",
        "SecIntell"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_NotificationHub_AuthZ_Limit_App_Team_Access",
      "Description": "Developers of applications that use Notification Hubs must not be granted persistent access on the subscription",
      "Id": "NotificationHub190",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Remove any persistent access granted to app team members from the Azure portal.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_NotificationHub_Audit_Enable_Logging_And_Monitoring",
      "Description": "Audit logs for Notification Hub should be enabled",
      "Id": "NotificationHub200",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Default behavior. No action needed.",
      "Tags": [
        "SDL",
        "Information",
        "Manual",
        "Audit"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_NotificationHub_BCDR_Plan",
      "Description": "Backup and Disaster Recovery must be planned for Notification Hub",
      "Id": "NotificationHub210",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Azure provides metadata disaster recovery coverage (the Notification Hub name, connection string, etc.). From a BC-DR standpoint, app teams must implement a solution to repopulate the Registration Data data into your new hub post-recovery. Refer: https://docs.microsoft.com/en-us/azure/notification-hubs/notification-hubs-push-notification-faq#what-support-is-provided-for-disaster-recovery",
      "Tags": [
        "SDL",
        "Information",
        "Manual",
        "BCDR"
      ],
      "Enabled": true
    }
  ]
}