Overview
Service Bus should not be directly reachable from public networks when private connectivity can be used.
Remediation guidance
Azure Remediation
Service-Wide (Recommended)
Use Azure Policy to require private endpoint connectivity and deny public network access for Service Bus.
Azure Portal (Asset-Level)
- Open the Service Bus namespace.
- Go to Networking.
- Disable public network access.
- Configure Private Endpoint and approved networks.
Azure CLI (Asset-Level)
az servicebus namespace update --name <namespace-name> --resource-group <resource-group> --public-network-access Disabled
References
- https://learn.microsoft.com/en-us/azure/service-bus-messaging/network-security
Query logic
These are the stored checks tied to this control.
Service Bus namespaces with public network enabled
Connectors: Microsoft Azure
Covered asset types
Expected check: eq []
Query: { sbNamespaces(where: { publicNetworkAccess_NOT: "Disabled" }) { ...AssetFragment } }
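Added example (not part of this control page or its query engine): an offline Python evaluation of the stored check above, run over a constructed sample inventory. It mirrors the publicNetworkAccess_NOT: "Disabled" filter and the eq [] pass condition, treats a missing field as the ARM default (Enabled), and emits the asset-level az command from the remediation guidance for each failing namespace. The namespace names and resource groups are constructed.

```python
"""Evaluate 'Service Bus namespaces with public network enabled' offline and
emit the asset-level remediation for every namespace that fails it."""

# Constructed sample inventory, not real assets. Azure's publicNetworkAccess
# takes "Enabled", "Disabled" or "SecuredByPerimeter"; when the property is
# absent the ARM default applies, which is "Enabled".
SAMPLE_NAMESPACES = [
    {"name": "sb-orders-prod", "resourceGroup": "rg-prod", "publicNetworkAccess": "Enabled"},
    {"name": "sb-billing-prod", "resourceGroup": "rg-prod", "publicNetworkAccess": "Disabled"},
    {"name": "sb-legacy", "resourceGroup": "rg-legacy"},  # property absent -> default Enabled
    {"name": "sb-edge", "resourceGroup": "rg-edge", "publicNetworkAccess": "SecuredByPerimeter"},
]


def is_public_exposed(ns: dict) -> bool:
    """Same predicate as the stored query: publicNetworkAccess_NOT "Disabled".

    Only an explicit "Disabled" (compared case-insensitively) passes. A missing
    value is exposed because the default is Enabled, and "SecuredByPerimeter"
    is flagged exactly as the stored query flags it, since it is not Disabled.
    """
    value = ns.get("publicNetworkAccess")
    return value is None or value.strip().lower() != "disabled"


def find_noncompliant(namespaces: list[dict]) -> list[dict]:
    """Namespaces the query would return (the control's finding set)."""
    return [ns for ns in namespaces if is_public_exposed(ns)]


def check_passes(namespaces: list[dict]) -> bool:
    """Expected check is eq []: the control passes only when nothing matches."""
    return find_noncompliant(namespaces) == []


def remediation_commands(namespaces: list[dict]) -> list[str]:
    """The page's asset-level az CLI command, one per failing namespace."""
    return [
        f"az servicebus namespace update --name {ns['name']} "
        f"--resource-group {ns['resourceGroup']} --public-network-access Disabled"
        for ns in find_noncompliant(namespaces)
    ]


if __name__ == "__main__":
    print("check passes:", check_passes(SAMPLE_NAMESPACES))
    for cmd in remediation_commands(SAMPLE_NAMESPACES):
        print(cmd)
```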