
Audit Service Bus data plane access#

Security · Service Bus · Rule · 2023_03 · Important

Ensure namespaces audit diagnostic logs are enabled.

Description#

Data plane operations against a Service Bus namespace (such as sending or receiving messages) are only recorded when a diagnostic setting is configured to capture them.

When configuring diagnostic settings, enable one of the following:

  • RuntimeAuditLogs category.
  • audit category group.
  • allLogs category group.

Management plane operations on Service Bus (such as creating or deleting a queue) are captured automatically in Azure Activity Logs; data plane access is not, which is why a diagnostic setting is required.
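The following Python is an added example (not PSRule's own implementation) of the check described above applied offline to an ARM template: each Premium namespace passes when some diagnostic setting scoped to it enables the RuntimeAuditLogs category or the audit or allLogs category group. The sample template, the parameter values and the namespace names are constructed for illustration; only the scope expression shape is taken from the snippet on this page.

```python
import re

# Categories / groups that satisfy the rule (from the Description above).
AUDIT_CATEGORY = "RuntimeAuditLogs"
AUDIT_GROUPS = {"audit", "allLogs"}

# ARM expression shapes used by the template snippet on this page.
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")
SCOPE_FORMAT = re.compile(
    r"^\[format\('Microsoft\.ServiceBus/namespaces/\{0\}',\s*parameters\('([^']+)'\)\)\]$",
    re.IGNORECASE,
)
SCOPE_LITERAL = re.compile(r"Microsoft\.ServiceBus/namespaces/([^/']+)$", re.IGNORECASE)


def resolve(value: str, params: dict) -> str:
    """Resolve a bare [parameters('x')] reference; any other value is returned as-is."""
    m = PARAM_REF.match(value.strip())
    return params.get(m.group(1), value) if m else value


def namespace_from_scope(scope: str, params: dict):
    """Return the namespace name a diagnostic setting is scoped to, or None."""
    scope = scope.strip()
    m = SCOPE_FORMAT.match(scope)
    if m:
        return params.get(m.group(1))
    # Also accept an evaluated 'Microsoft.ServiceBus/namespaces/<name>' or a full resource ID.
    m = SCOPE_LITERAL.search(scope)
    return m.group(1) if m else None


def log_entry_audits(entry: dict) -> bool:
    """True if one 'logs' entry captures data plane access (send / receive)."""
    if not entry.get("enabled", False):
        return False
    return entry.get("category") == AUDIT_CATEGORY or entry.get("categoryGroup") in AUDIT_GROUPS


def setting_audits(setting: dict) -> bool:
    """True if a diagnosticSettings resource enables at least one qualifying entry."""
    return any(log_entry_audits(e) for e in setting.get("properties", {}).get("logs", []))


def evaluate_template(template: dict, params: dict) -> dict:
    """Map each namespace name to 'pass', 'fail' or 'not applicable' (non-Premium)."""
    resources = template.get("resources", [])
    tiers = {}
    for r in resources:
        if r.get("type", "").lower() == "microsoft.servicebus/namespaces":
            tiers[resolve(r["name"], params)] = r.get("sku", {}).get("name", "")
    audited = set()
    for r in resources:
        if r.get("type", "").lower() == "microsoft.insights/diagnosticsettings":
            target = namespace_from_scope(r.get("scope", ""), params)
            if target in tiers and setting_audits(r):
                audited.add(target)
    results = {}
    for name, tier in tiers.items():
        if tier.lower() != "premium":
            results[name] = "not applicable"  # runtime audit logs exist only in Premium
        else:
            results[name] = "pass" if name in audited else "fail"
    return results


# Constructed sample template (not a real deployment): one namespace passes via
# the RuntimeAuditLogs category, one via the 'audit' group, one only captures
# OperationalLogs and fails, and a Standard namespace is out of scope.
SAMPLE_PARAMS = {"name": "sb-prod"}
SAMPLE_TEMPLATE = {
    "resources": [
        {"type": "Microsoft.ServiceBus/namespaces", "name": "[parameters('name')]",
         "sku": {"name": "Premium"}},
        {"type": "Microsoft.Insights/diagnosticSettings", "name": "audit",
         "scope": "[format('Microsoft.ServiceBus/namespaces/{0}', parameters('name'))]",
         "properties": {"logs": [{"category": "RuntimeAuditLogs", "enabled": True}]}},
        {"type": "Microsoft.ServiceBus/namespaces", "name": "sb-grouped",
         "sku": {"name": "Premium"}},
        {"type": "Microsoft.Insights/diagnosticSettings", "name": "audit",
         "scope": "Microsoft.ServiceBus/namespaces/sb-grouped",
         "properties": {"logs": [{"categoryGroup": "audit", "enabled": True}]}},
        {"type": "Microsoft.ServiceBus/namespaces", "name": "sb-ops-only",
         "sku": {"name": "Premium"}},
        {"type": "Microsoft.Insights/diagnosticSettings", "name": "ops",
         "scope": "Microsoft.ServiceBus/namespaces/sb-ops-only",
         "properties": {"logs": [{"category": "OperationalLogs", "enabled": True},
                                 {"category": "RuntimeAuditLogs", "enabled": False}]}},
        {"type": "Microsoft.ServiceBus/namespaces", "name": "sb-standard",
         "sku": {"name": "Standard"}},
    ]
}

if __name__ == "__main__":
    for ns, verdict in evaluate_template(SAMPLE_TEMPLATE, SAMPLE_PARAMS).items():
        print(f"{ns}: {verdict}")
```

Note that an entry with `enabled: false` does not count even when its category is RuntimeAuditLogs, and that a setting which only captures OperationalLogs records management-style events, not who sent or received messages. The same `logs` shape is returned by `az monitor diagnostic-settings list`, so the entry-level check can be reused against live output.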

Recommendation#

Consider configuring diagnostic settings to record data plane access to the Service Bus namespace.

Examples#

Configure with Azure template#

To deploy Service Bus namespaces that pass this rule:

  • Deploy a diagnostic settings sub-resource (extension resource).
  • Enable RuntimeAuditLogs category or audit category group or allLogs category group.

For example:

Azure Template snippet
{
  "type": "Microsoft.ServiceBus/namespaces",
  "apiVersion": "2022-10-01-preview",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "sku": {
    "name": "Premium"
  },
  "properties": {
    "disableLocalAuth": true,
    "minimumTlsVersion": "1.2"
  }
},
{
  "type": "Microsoft.Insights/diagnosticSettings",
  "apiVersion": "2021-05-01-preview",
  "scope": "[format('Microsoft.ServiceBus/namespaces/{0}', parameters('name'))]",
  "name": "[parameters('diagName')]",
  "properties": {
    "workspaceId": "[parameters('workspaceId')]",
    "logs": [
      {
        "category": "RuntimeAuditLogs",
        "enabled": true,
        "retentionPolicy": {
          "days": 0,
          "enabled": false
        }
      }
    ]
  },
  "dependsOn": [
    "[resourceId('Microsoft.ServiceBus/namespaces', parameters('name'))]"
  ]
}

Configure with Bicep#

To deploy Service Bus namespaces that pass this rule:

  • Deploy a diagnostic settings sub-resource (extension resource).
  • Enable RuntimeAuditLogs category or audit category group or allLogs category group.

For example:

Azure Bicep snippet
resource ns 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = {
  name: name
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  sku: {
    name: 'Premium'
  }
  properties: {
    disableLocalAuth: true
    minimumTlsVersion: '1.2'
  }
}

resource nsDiagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: diagName
  properties: {
    workspaceId: workspaceId
    logs: [
      {
        category: 'RuntimeAuditLogs'
        enabled: true
        retentionPolicy: {
          days: 0
          enabled: false
        }
      }
    ]
  }
  scope: ns
}

Notes#

This rule only applies to Premium tier Service Bus namespaces. Runtime audit logs are currently available only in the Premium tier, so Basic and Standard namespaces cannot emit them.
