# Tags merged into every Event Grid control below so they group under one service.
locals {
  regulatory_compliance_eventgrid_common_tags = {
    service = "Azure/EventGrid"
  }
}
control "eventgrid_domain_private_link_used" {
title = "Azure Event Grid domains should use private link"
description = "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks."
query = query.eventgrid_domain_private_link_used
tags = merge(local.regulatory_compliance_eventgrid_common_tags, {
nist_sp_800_171_rev_2 = "true"
nist_sp_800_53_rev_5 = "true"
})
}
control "eventgrid_topic_private_link_used" {
title = "Azure Event Grid topics should use private link"
description = "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks."
query = query.eventgrid_topic_private_link_used
tags = merge(local.regulatory_compliance_eventgrid_common_tags, {
nist_sp_800_171_rev_2 = "true"
nist_sp_800_53_rev_5 = "true"
})
}
control "eventgrid_domain_restrict_public_access" {
title = "Event Grid domains should restrict public network access"
description = "Ensure that Event Grid Domain public network access is disabled. This control is non-compliant if Event Grid domains have public network access enabled."
query = query.eventgrid_domain_restrict_public_access
tags = local.regulatory_compliance_eventgrid_common_tags
}
control "eventgrid_domain_identity_provider_enabled" {
title = "Event Grid domains identity provider should be enabled"
description = "Ensure that managed identity provider is enabled for Event Grid Domain. This control is non-compliant if Event Grid domain identity provider is disabled."
query = query.eventgrid_domain_identity_provider_enabled
tags = local.regulatory_compliance_eventgrid_common_tags
}
control "eventgrid_topic_local_auth_enabled" {
title = "Event Grid topics should have local authentication enabled"
description = "This control checks if Event Grid topics have local authentication enabled."
query = query.eventgrid_topic_local_auth_enabled
tags = local.regulatory_compliance_eventgrid_common_tags
}
control "eventgrid_topic_identity_provider_enabled" {
title = "Event Grid topics identity provider should be enabled"
description = "Ensure that managed identity provider is enabled for the Event Grid Topic. This control is non-compliant if Event Grid topic identity provider is disabled."
query = query.eventgrid_topic_identity_provider_enabled
tags = local.regulatory_compliance_eventgrid_common_tags
}
query "eventgrid_domain_private_link_used" {
sql = <<-EOQ
select
a.id as resource,
case
when public_network_access = 'Enabled' then 'alarm'
when private_endpoint_connections is null then 'info'
when private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb then 'ok'
else 'alarm'
end as status,
case
when public_network_access = 'Enabled' then a.name || ' using public networks.'
when private_endpoint_connections is null then a.name || ' no private link exists.'
when private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb
then a.name || ' using private link.'
else a.name || ' not using private link.'
end as reason
${local.tag_dimensions_sql}
${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "a.")}
${replace(local.common_dimensions_qualifier_subscription_sql, "__QUALIFIER__", "sub.")}
from
azure_eventgrid_domain a,
azure_subscription sub;
EOQ
}
query "eventgrid_topic_private_link_used" {
sql = <<-EOQ
select
a.id as resource,
case
when public_network_access = 'Enabled' then 'alarm'
when private_endpoint_connections is null then 'info'
when private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb then 'ok'
else 'alarm'
end as status,
case
when public_network_access = 'Enabled' then a.name || ' using public networks.'
when private_endpoint_connections is null then a.name || ' no private link exists.'
when private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb
then a.name || ' using private link.'
else a.name || ' not using private link.'
end as reason
${local.tag_dimensions_sql}
${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "a.")}
${replace(local.common_dimensions_qualifier_subscription_sql, "__QUALIFIER__", "sub.")}
from
azure_eventgrid_topic a,
azure_subscription sub;
EOQ
}
query "eventgrid_domain_restrict_public_access" {
sql = <<-EOQ
select
a.id as resource,
case
when public_network_access = 'Enabled' then 'alarm'
else 'ok'
end as status,
case
when public_network_access = 'Enabled' then a.name || ' publicly accessible.'
else a.name || ' not publicly accessible.'
end as reason
${local.tag_dimensions_sql}
${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "a.")}
${replace(local.common_dimensions_qualifier_subscription_sql, "__QUALIFIER__", "sub.")}
from
azure_eventgrid_domain a,
azure_subscription sub;
EOQ
}
query "eventgrid_domain_identity_provider_enabled" {
sql = <<-EOQ
select
a.id as resource,
case
when identity_type = 'None' then 'alarm'
else 'ok'
end as status,
case
when identity_type = 'None' then a.name || ' identity provider disabled.'
else a.name || ' identity provider enabled.'
end as reason
${local.tag_dimensions_sql}
${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "a.")}
${replace(local.common_dimensions_qualifier_subscription_sql, "__QUALIFIER__", "sub.")}
from
azure_eventgrid_domain a,
azure_subscription sub;
EOQ
}
query "eventgrid_topic_local_auth_enabled" {
sql = <<-EOQ
select
a.id as resource,
case
when disable_local_auth then 'alarm'
else 'ok'
end as status,
case
when disable_local_auth then a.name || ' local authentication disabled.'
else a.name || ' local authentication enabled.'
end as reason
${local.tag_dimensions_sql}
${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "a.")}
${replace(local.common_dimensions_qualifier_subscription_sql, "__QUALIFIER__", "sub.")}
from
azure_eventgrid_domain a,
azure_subscription sub;
EOQ
}
query "eventgrid_topic_identity_provider_enabled" {
sql = <<-EOQ
select
a.id as resource,
case
when identity ->> 'type' = 'None' then 'alarm'
else 'ok'
end as status,
case
when identity ->> 'type' = 'None' then a.name || ' identity provider disabled.'
else a.name || ' identity provider enabled.'
end as reason
${local.tag_dimensions_sql}
${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "a.")}
${replace(local.common_dimensions_qualifier_subscription_sql, "__QUALIFIER__", "sub.")}
from
azure_eventgrid_topic a,
azure_subscription sub;
EOQ
}