Framework/Configurations/SVT/Services/NotificationHub.json

{
  "featureName": "NotificationHub",
  "reference": "aka.ms/azsktcp/notificationhub",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_NotificationHub_Deploy_Use_ARM_Model",
      "Description": "Notification Hub must be created through Azure Resource Manager model",
      "Id": "NotificationHub110",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "The new ARM/v2 model must be used to create Notification Hub as the ARM model provides stronger access control (RBAC) and auditing features.",
      "Recommendation": "Notification hub must not be created on azure classic portal.You need to clean up any unexpected 'Notification hubs' present on the subscription. (1) Steps to clean up notification hubs through Azure portal - (a) Logon to https://portal.azure.com/ (b) Navigate to the 'Notification Hubs' (c) Navigate to the notification hub that has be removed and click on the 'Delete' icon. (d) Perform this operation for all the notification hubs that has to be removed from the subscription. (2) Steps to clean up notification hub through command - Run the command 'Remove-AzNotificationHub [-ResourceGroup] <String> [-Namespace] <String> [-NotificationHub] <String> [-Confirm] [-Force] [-WhatIf] [<CommonParameters>]'",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "Deploy",
        "NotificationHub"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_NotificationHub_AuthZ_Grant_Min_RBAC_Access",
      "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
      "Id": "NotificationHub130",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRBACAccess",
      "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",
      "Recommendation": "Remove any excessive privileges granted on the Notification hubs. Run command: Remove-AzRoleAssignment -SignInName '<SignInName>' -Scope '<Scope>' RoleDefinitionName '<RoleDefinitionName>'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "RBAC",
        "NotificationHub"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_NotificationHub_AuthZ_Dont_Use_Policies_At_NotificationHub_Namespace",
      "Description": "Applications must not use 'namespace' level access policies for the Notification Hub",
      "Id": "NotificationHub140",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "A 'namespace' level access policy provides access to all Notification Hubs in a namespace. However, using an access policy at Notification Hub level provides access only to the specific Notification Hub. Thus using the latter is inline with the principle of least privilege.",
      "Recommendation": "Create access policies for the respective Notification Hub representing the least access required and use them. Refer: https://docs.microsoft.com/en-us/azure/notification-hubs/notification-hubs-push-notification-security",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ",
        "NotificationHub"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_NotificationHub_AuthZ_Use_Min_Permissions_Access_Policies",
      "Description": "Access policies must be defined with minimum required permissions at Notification Hub level",
      "Id": "NotificationHub150",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Granting minimum access ensures that users are granted just enough permissions to perform their tasks. This minimizes the set of operations that can be preformed on the resource by an attacker in case of access policy key compromise.",
      "Recommendation": "Ensure that policy definitions capture least required operations. E.g., if only 'Send' is necessary then 'Listen' should not be in the permission set. Refer for example of creation of policies for user https://docs.microsoft.com/en-us/azure/notification-hubs/notification-hubs-aspnet-backend-windows-dotnet-wns-notification",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ",
        "NotificationHub"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_NotificationHub_AuthZ_Dont_Use_Manage_Access_Permission",
      "Description": "Access policies on Notification Hub must not have Manage access permissions",
      "Id": "NotificationHub160",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckAuthorizationRule",
      "Rationale": "Manage security claim has the highest level of access (Create/Update/Read/Delete/Read registrations by tag) on Notification Hub. Using this key for runtime scenarios violates the principle of least privileged access. It is akin to running as 'sa' or 'localsystem'.",
      "Recommendation": "Use 'Send' and 'Listen' manage policies as access permissions for clients and back ends. Refer: https://docs.microsoft.com/en-us/azure/notification-hubs/notification-hubs-push-notification-security",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "NotificationHub"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_NotificationHub_Deploy_Reg_Mngt_Not_From_Native_Device_App",
      "Description": "Registration management must not be done from a native client or device app",
      "Id": "NotificationHub170",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "It is not possible to adequately authenticate/authorize registration requests if done directly from the native device app.",
      "Recommendation": "Registration management should be done through application backend. Refer: https://docs.microsoft.com/en-us/azure/notification-hubs/notification-hubs-push-notification-registration-management",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "Deploy",
        "NotificationHub"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_NotificationHub_DP_Msg_Body_Not_Contain_Sensitive_Data",
      "Description": "Message body of a push notification must not contain sensitive data",
      "Id": "NotificationHub180",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Due to risks of exposure along the path between the backend service and the client device, notifications should not include any sensitive data in the body of the push message.",
      "Recommendation": "Use the Secure Push pattern if there is a need to send senstive data. Refer: https://docs.microsoft.com/en-us/azure/notification-hubs/notification-hubs-aspnet-backend-windows-dotnet-wns-secure-push-notification",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP",
        "SecIntell",
        "NotificationHub"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_NotificationHub_AuthZ_Limit_App_Team_Access",
      "Description": "Developers of applications that use Notification Hubs must not be granted persistent access on the subscription",
      "Id": "NotificationHub190",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Telemetry data can be accessed using Azure Service Management portal which will need subscription co-administrator permission. This can impose operational risk. Hence a user must not be granted persistent access on the subscription for such a scenario.",
      "Recommendation": "Remove any persistent access granted to app team members from the Azure portal.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ",
        "NotificationHub"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_NotificationHub_Audit_Enable_Logging_And_Monitoring",
      "Description": "Audit logs for Notification Hub should be enabled",
      "Id": "NotificationHub200",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Auditing enables log collection of important system events pertinent to security. Regular monitoring of audit logs can help to detect any suspicious and malicious activity early and respond in a timely manner.",
      "Recommendation": "Default behavior. No action needed.",
      "Tags": [
        "SDL",
        "Information",
        "Manual",
        "Audit",
        "NotificationHub"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_NotificationHub_BCDR_Plan",
      "Description": "Backup and Disaster Recovery must be planned for Notification Hub",
      "Id": "NotificationHub210",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Notification Hub does not offer features to cover backup/disaster recovery out-of-the-box. As a result, Notification Hub , a team must have adequate backups of the data.",
      "Recommendation": "Azure provides metadata disaster recovery coverage (the Notification Hub name, connection string, etc.). From a BC-DR standpoint, app teams must implement a solution to repopulate the Registration Data data into your new hub post-recovery. Refer: https://docs.microsoft.com/en-us/azure/notification-hubs/notification-hubs-push-notification-faq#what-support-is-provided-for-disaster-recovery",
      "Tags": [
        "SDL",
        "Manual",
        "BCDR",
        "NotificationHub"
      ],
      "Enabled": true
    }
  ]
}