module/ConfigurationProvider/ControlConfigurations/Services/NotificationHub.json
{
"FeatureName": "NotificationHub", "reference": "aka.ms/azsktcp/notificationhub", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_NotificationHub_AuthZ_Dont_Use_Manage_Access_Permission", "Description": "Access policies on Notification Hub must not have Manage access permissions", "Id": "NotificationHub160", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckAuthorizationRule", "DisplayName": "Access policies on Notification Hub must not have Manage access permissions", "Category": "Least privilege access to subscription and resources", "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms", "Rationale": "Manage security claim has the highest level of access (Create/Update/Read/Delete/Read registrations by tag) on Notification Hub. Using this key for runtime scenarios violates the principle of least privileged access. It is akin to running as 'sa' or 'localsystem'.", "Recommendation": "Use access policies with only 'Send' and 'Listen' permissions for clients and back ends. Refer: https://docs.microsoft.com/en-us/azure/notification-hubs/notification-hubs-push-notification-security", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "NotificationHub", "Baseline", "Weekly" ], "Enabled": true, "PolicyDefinitionGuid": "NotificationHub160", "CustomTags": [] } ] }