last sync: 2020-Jul-10 14:05:01 UTC

Azure Policy

All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace

Policy DisplayName All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace
Policy Id b278e460-7cfc-4451-8294-cccc40a940d7
Policy Category Event Hub
Policy Description Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity
Policy Mode All
Policy Type BuiltIn
Policy in Preview FALSE
Policy Deprecated FALSE
Policy Effect Default: Audit
Allowed: (Audit,Deny,Disabled)
Roles used none
Policy Changes no changes
Used in Policy Initiative(s) none
Policy Rule
{
  "properties": {
    "displayName": "All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity",
    "metadata": {
      "version": "1.0.1",
      "category": "Event Hub"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "The effect determines what happens when the policy rule is evaluated to match"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.EventHub/namespaces/authorizationRules"
          },
          {
            "field": "name",
            "notEquals": "RootManageSharedAccessKey"
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b278e460-7cfc-4451-8294-cccc40a940d7"
}