last sync: 2024-Apr-24 17:46:58 UTC

Authorization rules on the Event Hub instance should be defined

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Authorization rules on the Event Hub instance should be defined
Id: f4826e5f-6a27-407c-ae3e-9582eb39891d
Version: 1.0.0
Category: Event Hub
Description: Audit existence of authorization rules on Event Hub entities to grant least-privileged access
Mode: All
Type: BuiltIn
Preview: False
Deprecated: False
Effect (default): AuditIfNotExists
Effect (allowed): AuditIfNotExists, Disabled
RBAC role(s): none
Rule aliases: none
Rule resource types:
  IF (1): Microsoft.EventHub/namespaces/eventhubs
  THEN-Details (1): Microsoft.EventHub/namespaces/eventHubs/authorizationRules
Compliance
The following compliance control is associated with this Policy definition 'Authorization rules on the Event Hub instance should be defined' (f4826e5f-6a27-407c-ae3e-9582eb39891d):

Control Domain: RMiT_v1.0
Control Name: 10.55 (RMiT 10.55)
MetadataId: RMiT_v1.0_10.55
Category: Access Control
Title: Access Control - 10.55
Owner: Shared
Requirements: n/a
Description: In observing paragraph 10.54, a financial institution should consider the following principles in its access control policy: (a) adopt a 'deny all' access control policy for users by default unless explicitly authorised; (b) employ 'least privilege' access rights or on a 'need-to-have' basis where only the minimum sufficient permissions are granted to legitimate users to perform their roles; (c) employ time-bound access rights which restrict access to a specific period including access rights granted to service providers; (d) employ segregation of incompatible functions where no single person is responsible for an entire operation that may provide the ability to independently modify, circumvent, and disable system security features. This may include a combination of functions such as: (i) system development and technology operations; (ii) security administration and system administration; and (iii) network operation and network security; (e) employ dual control functions which require two or more persons to execute an activity; (f) adopt stronger authentication for critical activities including for remote access; (g) limit and control the use of the same user ID for multiple concurrent sessions; (h) limit and control the sharing of user ID and passwords across multiple users; and (i) control the use of generic user ID naming conventions in favour of more personally identifiable IDs.
Policy#: 8
Initiatives usage
Initiative DisplayName: RMIT Malaysia
Initiative Id: 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6
Initiative Category: Regulatory Compliance
State: GA
Type: BuiltIn
History: none