Framework/Configurations/SVT/Services/ServiceBus.json

{
  "FeatureName": "ServiceBus",
  "Reference": "aka.ms/azsktcp/servicebus",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_ServiceBus_AuthZ_Dont_Use_Policies_At_SB_Namespace",
      "Description": "Service bus clients (senders/receivers) must not use 'namespace' level access policies",
      "Id": "ServiceBus130",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckServiceBusRootPolicy",
      "Rationale": "A 'namespace' level access policy provides access to all Queues/Topics in a namespace. However, using an access policy at entity (Queue/Topic) level provides access only to the specific entity. Thus using the latter is inline with the principle of least privilege.",
      "Recommendation": "Remove all the authorization rules from Service Bus namespace except RootManageSharedAccessKey using Remove-AzServiceBusAuthorizationRule command. Run 'Get-Help Remove-AzServiceBusAuthorizationRule -full' for more help. Use the Azure portal to configure shared access policies with appropriate claims at the specific entity (Topic/Queue) scope.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "ServiceBus"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "Id",
        "Rights"
      ]
    },
    {
      "ControlID": "Azure_ServiceBus_AuthZ_Use_Minimum_Access_Policies",
      "Description": "Access policies must be defined with minimum required permissions",
      "Id": "ServiceBus140",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckServiceBusAuthorizationRule",
      "Rationale": "Granting minimum access ensures that users are granted just enough permissions to perform their tasks. This minimizes operation preformed on the resource in case of access policy key compromise.",
      "Recommendation": "Access policies must have the minimum required permissions. For instance, if the client app is only reading a Topic or a Queue (as opposed to sending), then the policy used must only include the 'Listen' claim. Refer: https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-sas",
      "Tags": [
         "SDL",
         "TCP",
         "AuthZ",
         "Automated",
         "ServiceBus"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "Id",
        "Rights"
      ]
    },
    {
      "ControlID": "Azure_ServiceBus_DP_Protect_Keys_at_Rest",
      "Description": "Access policy keys must be protected at rest",
      "Id": "ServiceBus150",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Using this feature ensures that sensitive data is stored encrypted at rest. This minimizes the risk of data loss from physical theft and also helps meet regulatory compliance requirements.",
      "Recommendation": "Access policy keys must be handled in a secure manner. E.g., Access policy keys can be stored in the application settings on the Azure portal for a Web App, or can be stored in a Key Vault. The approach to protect the key may vary based on the Azure feature and scenario from where Event Hubs are consumed.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP",
        "ServiceBus"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ServiceBus_DP_Rotate_Keys",
      "Description": "Access policy keys must be rotated periodically",
      "Id": "ServiceBus160",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Periodic key/password rotation is a good security hygiene practice as, over time, it minimizes the likelihood of data loss/compromise which can arise from key theft/brute forcing/recovery attacks.",
      "Recommendation": "Use New-AzServiceBusKey -ResourceGroupName <ResourceGroupName> -Namespace <NamespaceName> -Queue <QueueName> -RegenerateKey PrimaryKey/SecondaryKey to regenerate Queue key. Use New-AzServiceBusKey -ResourceGroupName <ResourceGroupName> -Namespace <NamespaceName> -Topic <TopicName> -RegenerateKey PrimaryKey/SecondaryKey to regenerate Topic key. Use New-AzServiceBusKey -ResourceGroupName <ResourceGroupName> -Namespace <NamespaceName> -RegenerateKey PrimaryKey/SecondaryKey to regenerate namespace key. Caution: Make sure that the newly generated keys are seamlessly deployed to clients to avoid disruption of functionality.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP",
        "ServiceBus"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ServiceBus_Audit_Review_logs",
      "Description": "Audit logs for Service Bus entities should be reviewed routinely",
      "Id": "ServiceBus170",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Auditing enables log collection of important system events pertinent to security. Regular monitoring of audit logs can help to detect any suspicious and malicious activity early and respond in a timely manner.",
      "Recommendation": "Audit log can be reviewed at Portal -> Service Bus -> <Your Service Bus Name> -> Diagnostics logs. Reference: https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-diagnostic-logs",
      "Tags": [
        "SDL",
        "Best Practice",
        "Manual",
        "Audit",
        "ServiceBus"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ServiceBus_DP_Encrypt_in_Transit",
      "Description": "Sensitive data must be encrypted in transit ",
      "Id": "ServiceBus190",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer man-in-the-middle, eavesdropping, session-hijacking attacks.",
      "Recommendation": "Default behavior. No action required.",
      "Tags": [
        "SDL",
        "Information",
        "Manual",
        "DP",
        "ServiceBus"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ServiceBus_AuthZ_Use_Min_Token_Lifetime",
      "Description": "Expiry time of SAS token should be minimum required",
      "Id": "ServiceBus200",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "If SAS token gets compromised, unauthorized users can access Service Bus entities. Minimizing the validity period of the SAS token ensures that the window of time available to an attacker in the event of compromise is minimized.",
      "Recommendation": "Set expiry time of SAS tokens to the minimum required in context of the scenario. Refer: https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-sas#generate-a-shared-access-signature-token",
      "Tags": [
        "SDL",
        "Best Practice",
        "Manual",
        "AuthZ",
        "ServiceBus"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ServiceBus_BCDR_Paired_Namespace_In_Diff_Center",
      "Description": "Paired Namespace should be used for disaster recovery",
      "Id": "ServiceBus210",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Paired namespace helpful to maintain consistent availability of ServiceBus in case of ServiceBus outage (e.g. throttling, storage issue, subsystem failure) in primary region.",
      "Recommendation": "In case of Service Bus outage (e.g. throttling, storage issue, single subsystem failure, Azure data center failure), messages sent by sender application will not be received by Service Bus. To maintain consistent availability of application, Service Bus users should use a paired namespace in a different data center. Paired namespace will send the messages to secondary queue(s) while primary queue is down. (Messages from secondary queue will be transferred to primary queue when primary queue becomes available again). Refer: https://azure.microsoft.com/en-in/documentation/articles/service-bus-paired-namespaces/",
      "Tags": [
        "SDL",
        "Best Practice",
        "Manual",
        "BCDR",
        "ServiceBus"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ServiceBus_AuthZ_Grant_Min_RBAC_Access",
      "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
      "Id": "ServiceBus220",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRBACAccess",
      "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",
      "Recommendation": "Administrator should assign 'Owner' role to Service Bus at the 'resource' scope. Application developers should not have direct access to the Service Bus resource (they should just be provided the required shared access policy for a non-production Topic/Queue entity). Auditors should have 'Monitor Contributor Service Role' or 'Monitor Reader Service Role' based on their role.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "RBAC",
        "ServiceBus"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_ServiceBus_Audit_Enable_Diagnostics_Log",
      "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days.",
      "Id": "ServiceBus230",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckDiagnosticsSettings",
      "Rationale": "Logs should be retained for a long enough period so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. A period of 1 year is typical for several compliance requirements as well.",
      "Recommendation": "You can change the diagnostic settings from the Azure Portal by following the steps given here: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-archive-diagnostic-logs#archive-diagnostic-logs-using-the-portal",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "Diagnostics",
        "ServiceBus"
      ],
      "PolicyDefinitionGuid":"f8d36e2f-389b-4ee4-898d-21aeb69a0f45",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45",
      "Enabled": true
    }
  ]
}