IMPORTANT: DevOps Kit (AzSK) is being sunset by end of FY21. More details here


EventHub

| Description & Rationale | Control Severity | Automated | Fix Script |
|---|---|---|---|
| **Event Hub clients (event senders or receivers) must not use 'namespace' level access policies**<br>A 'namespace' level access policy grants access to every Event Hub in the namespace, whereas an access policy defined at entity (Event Hub) level grants access only to that one Event Hub. Using entity-level policies for clients is in line with the principle of least privilege. | Medium | Yes | No |
| **Access policies must be defined with minimum required permissions to the Event Hub**<br>Granting minimum access (for example, 'Send' for senders and 'Listen' for receivers, never 'Manage' for clients) ensures that users are granted just enough permissions to perform their tasks. This minimizes the set of operations an attacker can perform on the resource if an access policy key is compromised. | Medium | Yes | No |
| **Access policy keys must be protected at rest**<br>Access policy keys are credentials for the Event Hub. Storing them encrypted at rest (in a secrets store rather than in plain-text configuration files or source code) minimizes the risk of key disclosure from physical theft or repository exposure and also helps meet regulatory compliance requirements. | High | No | No |
| **Access policy keys must be rotated periodically**<br>Periodic key/password rotation is good security hygiene: over time it minimizes the likelihood of data loss or compromise arising from key theft, brute forcing or recovery attacks, and regenerating a key invalidates every SAS token that was signed with it. | Medium | No | No |
| **Audit logs for Event Hub entities should be reviewed periodically**<br>Periodic review of diagnostics, activity and audit logs ensures that anomalous activity is identified early rather than after a major compromise. | Medium | No | No |
| **Sensitive data must be encrypted in transit**<br>Use of TLS (HTTPS, or AMQP and Kafka over TLS) ensures server/service authentication and protects data in transit from network-layer man-in-the-middle, eavesdropping and session-hijacking attacks. | High | No | No |
| **Expiry time of SAS token should be minimum required**<br>If a SAS token is compromised, unauthorized users can access Event Hub entities until it expires. Minimizing the validity period of the SAS token minimizes the window of time available to an attacker in the event of compromise. | Medium | No | No |
| **Use 'Publisher' tokens to authenticate senders instead of 'Access Policy' tokens**<br>Publisher tokens offer a scalable option when a large number of senders is involved. Individual, time-bound SAS tokens are derived from a shared access policy key and scoped to a single publisher, so the damage from compromise of any single token is contained. All publisher tokens generated from the same policy can also be revoked at once by regenerating that policy's key. | Medium | No | No |
| **All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)**<br>Granting minimum access through RBAC ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise. | Medium | Yes | No |
| **Diagnostics logs must be enabled with a retention period of at least 365 days**<br>Logs should be retained long enough that the activity trail can be reconstructed when an incident or compromise is investigated. A retention period of one year is also typical for several compliance requirements. | Medium | Yes | No |
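The two automated access-policy controls above (no namespace-level policies for clients, minimum rights per policy) can be expressed as a small audit over the namespace's authorization rules. The following is an added example, not AzSK's own scanner: the rule records are constructed inline to mirror the shape of ARM `authorizationRules` resources (name, rights, and the Event Hub the rule is attached to, or `None` for a namespace-level rule), and the finding codes and the treatment of the auto-created `RootManageSharedAccessKey` are this example's own choices.

```python
"""Audit Event Hub shared access policies for namespace-level use and excess rights.

Added example (not AzSK code). Input records are constructed to look like ARM
authorizationRules resources; finding codes are this example's own.
"""
from dataclasses import dataclass

# Created automatically with every namespace and cannot be deleted; the check
# below assumes its key is simply never handed to client applications.
ROOT_RULE = "RootManageSharedAccessKey"

# Constructed sample namespace: one hub ("telemetry") and five policies.
SAMPLE_RULES = [
    {"name": ROOT_RULE, "eventHub": None, "rights": ["Manage", "Send", "Listen"]},
    # namespace-level policy handed to clients: grants every hub, both directions
    {"name": "AppSharedPolicy", "eventHub": None, "rights": ["Send", "Listen"]},
    # entity-level, single right: what a sender / receiver should use
    {"name": "DeviceSendPolicy", "eventHub": "telemetry", "rights": ["Send"]},
    {"name": "ProcessorListen", "eventHub": "telemetry", "rights": ["Listen"]},
    # entity-level but with Manage: a client policy never needs it
    {"name": "OpsAdmin", "eventHub": "telemetry", "rights": ["Manage", "Send", "Listen"]},
]


@dataclass
class Finding:
    code: str        # short finding code (this example's own naming)
    severity: str    # matches the control severity in the table above
    rule: str        # authorization rule name
    scope: str       # "namespace" or "eventhub/<name>"
    detail: str


def audit_rules(rules):
    """Return one Finding per violated check for every authorization rule."""
    findings = []
    for rule in rules:
        name = rule["name"]
        hub = rule.get("eventHub")
        rights = {r.lower() for r in rule["rights"]}
        scope = "namespace" if hub is None else f"eventhub/{hub}"

        # The root key is unavoidable; it is excluded from client-policy checks.
        if name == ROOT_RULE and hub is None:
            continue

        # Control: clients must not use namespace-level policies.
        if hub is None:
            findings.append(Finding(
                "namespace-level", "Medium", name, scope,
                "policy is defined on the namespace and grants every Event Hub in it; "
                "recreate it on the specific Event Hub"))

        # Control: minimum required permissions.
        if "manage" in rights:
            findings.append(Finding(
                "manage-right", "Medium", name, scope,
                "'Manage' on a client policy; senders need only Send, receivers only Listen"))
        elif {"send", "listen"} <= rights:
            findings.append(Finding(
                "send-and-listen", "Medium", name, scope,
                "policy grants both Send and Listen; split into a sender and a receiver policy"))
    return findings


def findings_by_rule(rules):
    """Compact view: rule name -> sorted list of finding codes (rules with none are omitted)."""
    out = {}
    for f in audit_rules(rules):
        out.setdefault(f.rule, set()).add(f.code)
    return {rule: sorted(codes) for rule, codes in out.items()}


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"[{f.severity}] {f.rule} ({f.scope}): {f.code}: {f.detail}")
```

Against the constructed sample, `AppSharedPolicy` is reported twice (namespace-level, and Send plus Listen on one policy) and `OpsAdmin` once for the `Manage` right; the two single-right entity-level policies pass. Feeding real data means replacing `SAMPLE_RULES` with the rules listed for the namespace and for each Event Hub.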
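The SAS-expiry and publisher-token controls above are easiest to understand by minting a token and checking it the way the service does. The following is an added example, not AzSK or Azure SDK code: it implements the documented Event Hubs SAS format (`SharedAccessSignature sr=<url-encoded resource URI>&sig=<base64 HMAC-SHA256>&se=<expiry>&skn=<policy name>`, signing `<url-encoded resource URI>\n<expiry>`) with the standard library, and `verify_sas_token` is a simulation of the service-side check written for this example. The namespace, hub, publisher IDs and policy key are made-up values.

```python
"""Mint and verify Event Hubs SAS tokens scoped to a single publisher with a short expiry.

Added example (not AzSK or Azure SDK code). Namespace, hub, policy and key are fake;
verify_sas_token() simulates what the service checks and is not the service's code.
"""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote

NAMESPACE = "contoso-ns"                       # constructed
EVENT_HUB = "telemetry"                        # constructed
POLICY_NAME = "DeviceSendPolicy"               # entity-level policy carrying only 'Send'
POLICY_KEY = "ZmFrZS1kZW1vLWtleS1ub3QtYS1yZWFsLXNlY3JldA=="  # fake key, demo only


def publisher_uri(namespace, hub, publisher_id):
    """Resource URI for one publisher: a token for it cannot send as any other publisher."""
    return f"sb://{namespace}.servicebus.windows.net/{hub}/publishers/{publisher_id}"


def make_sas_token(resource_uri, key_name, key, ttl_seconds, now=None):
    """Sign '<url-encoded uri>\\n<expiry>' with HMAC-SHA256 over the policy key."""
    now = int(time.time()) if now is None else int(now)
    expiry = now + ttl_seconds                      # keep ttl_seconds as small as the sender can tolerate
    encoded_uri = quote(resource_uri, safe="")
    string_to_sign = f"{encoded_uri}\n{expiry}"
    digest = hmac.new(key.encode("utf-8"), string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    signature = quote(base64.b64encode(digest).decode("ascii"), safe="")
    return f"SharedAccessSignature sr={encoded_uri}&sig={signature}&se={expiry}&skn={key_name}"


def verify_sas_token(token, keys_by_name, requested_resource_uri, now=None):
    """Simulated service-side check. Returns (accepted, reason).

    keys_by_name maps policy name -> current key; regenerating a key therefore
    invalidates every token signed with the old one.
    """
    now = int(time.time()) if now is None else int(now)
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False, "bad scheme"
    params = parse_qs(token[len(prefix):], keep_blank_values=True)  # percent-decodes sr and sig
    try:
        sr, sig, se, skn = (params[k][0] for k in ("sr", "sig", "se", "skn"))
        expiry = int(se)
    except (KeyError, ValueError):
        return False, "malformed token"
    key = keys_by_name.get(skn)
    if key is None:
        return False, "unknown policy"                # policy deleted -> all its tokens die
    expected = base64.b64encode(
        hmac.new(key.encode("utf-8"), f"{quote(sr, safe='')}\n{se}".encode("utf-8"), hashlib.sha256).digest()
    ).decode("ascii")
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"                 # tampered, or key rotated since minting
    if expiry <= now:
        return False, "expired"
    # Scope: the token's resource must equal the requested resource or be a parent of it.
    # This is exactly why a namespace-scoped token reaches every hub and every publisher.
    if not (requested_resource_uri == sr or requested_resource_uri.startswith(sr.rstrip("/") + "/")):
        return False, "out of scope"
    return True, "ok"


def demo(now=1_700_000_000):
    """Exercise the controls: scope, expiry, tampering, revocation by key rotation."""
    keys = {POLICY_NAME: POLICY_KEY}
    dev1 = publisher_uri(NAMESPACE, EVENT_HUB, "device-001")
    dev2 = publisher_uri(NAMESPACE, EVENT_HUB, "device-002")
    token = make_sas_token(dev1, POLICY_NAME, POLICY_KEY, ttl_seconds=300, now=now)
    ns_token = make_sas_token(f"sb://{NAMESPACE}.servicebus.windows.net", POLICY_NAME, POLICY_KEY, 300, now)
    tampered = token.replace(f"se={now + 300}", f"se={now + 3000}")  # extend expiry without re-signing
    return {
        "own_publisher_before_expiry": verify_sas_token(token, keys, dev1, now + 60)[0],
        "other_publisher": verify_sas_token(token, keys, dev2, now + 60)[0],
        "after_expiry": verify_sas_token(token, keys, dev1, now + 301)[0],
        "tampered_expiry": verify_sas_token(tampered, keys, dev1, now + 60)[0],
        "after_key_rotation": verify_sas_token(token, {POLICY_NAME: "regenerated-key"}, dev1, now + 60)[0],
        "namespace_token_reaches_publisher": verify_sas_token(ns_token, keys, dev1, now + 60)[0],
    }


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check:36s} accepted={accepted}")
```

The last check is the counter-example: a token minted against the namespace URI is accepted for any publisher on any hub, which is the exposure the namespace-level policy control removes. Rotating the policy key (the fourth case) is the revocation mechanism the publisher-token control relies on.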