| Reviewed | Severity | Pillar | Category | Resource | Online version |
| --- | --- | --- | --- | --- | --- |
| 2024-01-17 | Important | Security | SE:05 Identity and access management | Event Grid | |
Authenticate publishing clients with Azure AD identities.
Clients can authenticate to publish events to an Event Grid topic with access keys, SAS tokens, or Azure AD identities. Access keys and SAS tokens are bearer secrets that are not tied to any identity: anyone holding a copy can publish, and the publishing calls cannot be attributed to a specific caller. With Azure AD authentication, the caller's identity is validated against the Microsoft identity platform, so identity management and auditing are centralized.
Once your publishers use Azure AD authentication, you can disable authentication with keys or SAS tokens on the topic, so that a leaked key or token can no longer be used to publish.
Use only Azure AD identities to publish events to Event Grid, then disable authentication based on access keys and SAS tokens.
To deploy Event Grid Topics that pass this rule with an Azure template:

- Set the `properties.disableLocalAuth` property to `true`.

For example:

```json
{
  "type": "Microsoft.EventGrid/topics",
  "apiVersion": "2022-06-15",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "disableLocalAuth": true,
    "publicNetworkAccess": "Disabled",
    "inputSchema": "CloudEventSchemaV1_0"
  }
}
```
To deploy Event Grid Topics that pass this rule with Bicep:

- Set the `properties.disableLocalAuth` property to `true`.

For example:

```bicep
resource eventGrid 'Microsoft.EventGrid/topics@2022-06-15' = {
  name: name
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    disableLocalAuth: true
    publicNetworkAccess: 'Disabled'
    inputSchema: 'CloudEventSchemaV1_0'
  }
}
```
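The check the rule performs can also be run locally against an ARM template before deployment. The following Python script is an added example and is not part of this page or of the PSRule for Azure project's own implementation: it walks the `resources` array of a template (including nested resources), finds every `Microsoft.EventGrid/topics` resource, and reports whether `properties.disableLocalAuth` is literally `true`. The sample template embedded in the script is constructed for the example; the function names `find_topics` and `evaluate` are the author's own choices. A topic that omits the property is reported as failing because the service default leaves key and SAS authentication enabled, and a property whose value is a template expression cannot be evaluated offline and is reported separately.

```python
"""Audit an ARM template for Event Grid topics that still allow local (key/SAS) auth."""
import json
from typing import Any, Dict, Iterator, List

# Constructed sample template (not from the page): one compliant topic, one that
# relies on the service default, one that explicitly keeps local auth, one
# parameterised, and one unrelated resource that must be ignored.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": "Microsoft.EventGrid/topics", "apiVersion": "2022-06-15",
         "name": "topic-compliant", "location": "eastus",
         "properties": {"disableLocalAuth": True}},
        {"type": "Microsoft.EventGrid/topics", "apiVersion": "2022-06-15",
         "name": "topic-default", "location": "eastus",
         "properties": {"inputSchema": "CloudEventSchemaV1_0"}},
        {"type": "Microsoft.EventGrid/topics", "apiVersion": "2022-06-15",
         "name": "topic-explicit-false", "location": "eastus",
         "properties": {"disableLocalAuth": False}},
        {"type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01",
         "name": "nested", "resources": [
             {"type": "Microsoft.EventGrid/topics", "apiVersion": "2022-06-15",
              "name": "topic-parameterised", "location": "eastus",
              "properties": {"disableLocalAuth": "[parameters('disableLocalAuth')]"}},
         ]},
        {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2023-01-01",
         "name": "unrelated", "location": "eastus", "properties": {}},
    ],
})


def find_topics(resources: List[Dict[str, Any]]) -> Iterator[Dict[str, Any]]:
    """Yield every Event Grid topic, descending into nested 'resources' arrays."""
    for resource in resources:
        if str(resource.get("type", "")).lower() == "microsoft.eventgrid/topics":
            yield resource
        yield from find_topics(resource.get("resources", []))


def evaluate(template_json: str) -> Dict[str, str]:
    """Map each topic name to 'Pass', 'Fail: ...' or 'Unknown: ...'."""
    template = json.loads(template_json)
    results: Dict[str, str] = {}
    for topic in find_topics(template.get("resources", [])):
        name = str(topic.get("name", "<unnamed>"))
        value = topic.get("properties", {}).get("disableLocalAuth")
        if value is True:
            results[name] = "Pass"
        elif value is None:
            # Property omitted: the service default keeps access keys and SAS enabled.
            results[name] = "Fail: disableLocalAuth not set (defaults to false)"
        elif isinstance(value, str) and value.startswith("["):
            # A template expression; its value depends on parameters at deploy time.
            results[name] = f"Unknown: disableLocalAuth is the expression {value}"
        else:
            results[name] = f"Fail: disableLocalAuth is {json.dumps(value)}"
    return results


def main() -> None:
    for name, verdict in evaluate(SAMPLE_TEMPLATE).items():
        print(f"{name}: {verdict}")


if __name__ == "__main__":
    main()
```

To audit a real template, replace `SAMPLE_TEMPLATE` with the file contents (for example `Path("main.json").read_text()`); Bicep must first be compiled to ARM JSON with `az bicep build` because the script only understands the JSON form. Treat an `Unknown` verdict as a finding until the parameter's default and every parameter file that sets it have been checked.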
To address this issue at runtime, use the following policies: