last sync: 2024-Dec-05 18:53:22 UTC

All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace

Azure BuiltIn Policy definition

Source Azure Portal
Display name All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace
Id a1817ec0-a368-432a-8057-8371e17ac6ee
Version 1.0.1
Details on versioning
Versioning Versions supported for Versioning: 1
1.0.1
Built-in Versioning [Preview]
Category Service Bus
Microsoft Learn
Description Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Audit
Allowed
Audit, Deny, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.ServiceBus/namespaces/authorizationRules
Compliance
The following 3 compliance controls are associated with this Policy definition 'All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace' (a1817ec0-a368-432a-8057-8371e17ac6ee)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
New_Zealand_ISM 18.4.8.C.01 New_Zealand_ISM_18.4.8.C.01 New_Zealand_ISM_18.4.8.C.01 18. Network security 18.4.8.C.01 IDS/IPSs on gateways n/a Agencies SHOULD deploy IDS/IPSs in all gateways between the agency’s networks and unsecure public networks or BYOD wireless networks. 5
NZ_ISM_v3.5 GS-2 NZ_ISM_v3.5_GS-2 NZISM Security Benchmark GS-2 Gateway security 19.1.11 Using Gateways Customer n/a Physically locating all gateway components inside a secure server room will reduce the risk of unauthorised access to the device(s). The system owner of the higher security domain of connected security domains would be most familiar with the controls required to protect the more sensitive information and as such is best placed to manage any shared components of gateways. In some cases where multiple security domains from different agencies are connected to a gateway, it may be more appropriate to have a qualified third party manage the gateway on behalf of all connected agencies. Gateway components may also reside in a virtual environment ??? refer to Section 22.2 ??? Virtualisation and Section 22.3 ??? Virtual Local Area Networks link 10
NZISM_Security_Benchmark_v1.1 GS-2 NZISM_Security_Benchmark_v1.1_GS-2 NZISM Security Benchmark GS-2 Gateway security 19.1.11 Using Gateways Customer Agencies MUST ensure that: all agency networks are protected from networks in other security domains by one or more gateways; all gateways contain mechanisms to filter or limit data flow at the network and content level to only the information necessary for business purposes; and all gateway components, discrete and virtual, are physically located within an appropriately secured server room. Physically locating all gateway components inside a secure server room will reduce the risk of unauthorised access to the device(s). The system owner of the higher security domain of connected security domains would be most familiar with the controls required to protect the more sensitive information and as such is best placed to manage any shared components of gateways. In some cases where multiple security domains from different agencies are connected to a gateway, it may be more appropriate to have a qualified third party manage the gateway on behalf of all connected agencies. Gateway components may also reside in a virtual environment – refer to Section 22.2 – Virtualisation and Section 22.3 – Virtual Local Area Networks link 8
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
[Deprecated]: New Zealand ISM Restricted d1a462af-7e6d-4901-98ac-61570b4ed22a Regulatory Compliance Deprecated BuiltIn
[Deprecated]: New Zealand ISM Restricted v3.5 93d2179e-3068-c82f-2428-d614ae836a04 Regulatory Compliance Deprecated BuiltIn
[Preview]: Motion Picture Association of America (MPAA) 92646f03-e39d-47a9-9e24-58d60ef49af8 Regulatory Compliance Preview BuiltIn
Enforce recommended guardrails for Service Bus Enforce-Guardrails-ServiceBus Service Bus GA ALZ
New Zealand ISM 4f5b1359-4f8e-4d7c-9733-ea47fcde891e Regulatory Compliance GA BuiltIn
History none
JSON compare n/a
JSON
api-version=2021-06-01
EPAC