Notes with cross-subscription Event Hub

Event Hub is an event processing cloud service that can ingest millions of messages per second and make them readable by external services. In a security monitoring scenario, a common use case is an external consumer such as a SIEM (Security Information and Event Management) retrieving near real-time logs from Event Hub, then normalizing them and providing analytical data for monitoring and threat hunting.

Monitoring becomes more critical when the environment is large, with many subscriptions that you would like to monitor all at once. This article does not provide a design pattern for security monitoring in Azure. Instead, it is a quick note about sending Diagnostic Logs to an Event Hub in a different subscription, something you cannot really find in the public Microsoft Docs.

Tenant Requirement

The very first prerequisite is that all the subscriptions must be under the same tenant. Even though Event Hub uses SAS (Shared Access Signatures) for authorizing access, sending logs over to another subscription is only supported when the source and destination subscriptions are managed by the same Azure AD tenant.

Event Hub Role Requirement

In fact, Azure supports sending data emitted from your subscription to an Event Hub deployed in another one.

The following RBAC (Role-based Access Control) permissions (actions) must be granted to the user or the service principal performing the configuration, in the subscription where the target Event Hub is deployed:

  • Microsoft.EventHub/namespaces/eventhubs/read
  • Microsoft.EventHub/namespaces/read
  • Microsoft.EventHub/namespaces/authorizationRules/read
  • Microsoft.EventHub/namespaces/authorizationRules/listkeys/action

These permissions are not available as a built-in role in the Azure Portal. You must create a custom role definition programmatically, then assign it to the user (if you configure the Diagnostics setting in the Azure Portal) or to the service principal (if you do it with PowerShell, Set-AzureRmDiagnosticSetting, or an ARM template deployment). Below is an example of a custom RBAC role definition:

{
    "Name": "Event Hub Access Reader",
    "ID": "XXX",
    "IsCustom": true,
    "Description" : "This role is used for Event Hub",
    "Actions" : [
        "Microsoft.EventHub/namespaces/eventhubs/read",
        "Microsoft.EventHub/namespaces/read",
        "Microsoft.EventHub/namespaces/authorizationRules/read",
        "Microsoft.EventHub/namespaces/authorizationRules/listkeys/action"
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes" : [
        "/subscriptions/a5007c5c-c629-98e1-a01a-5409i2b000be4"
    ]
}

If you apply the principle of least privilege, consider creating a dedicated role definition for Event Hub access whose AssignableScopes is limited to the target subscription only.

Authorization Rule Requirement

Basically, sending a message to Event Hub requires only the Send permission. This is true if you are using a client program to work with Event Hub. With managed services such as Azure Diagnostics, the required permissions are always Manage, Listen and Send. You will get an error message if you try to use a custom access policy whose permissions don't meet this requirement:

This requirement may lead to a security concern if you aim to centralize diagnostic logs in a single Event Hub by giving full control to every subscription. With such a permission, the data becomes easily readable by a simple client utility built on the Azure Event Hub SDK. You may consider a different design in which each subscription has its own Event Hub. This is a form of separation of duties and eliminates the concern.
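The procedure above (custom role, assignment, authorization rule with the three required rights, and the diagnostic setting in the source subscription), as an added example that is not part of the original post. It assumes the classic AzureRM modules the post refers to (AzureRM.Resources, AzureRM.EventHub, AzureRM.Insights 5.x for the -EventHubAuthorizationRuleId parameter), a role.json file containing the definition shown earlier, and placeholder names and IDs.

```powershell
# Added example, not the post's own code. All names and IDs are placeholders.
$targetSub  = '<target-subscription-id>'   # subscription hosting the Event Hub
$sourceSub  = '<source-subscription-id>'   # subscription owning the monitored resource
$rg         = 'rg-security-monitoring'
$namespace  = 'ehns-siem-ingest'
$eventHub   = 'eh-diagnostics-source-a'    # one hub per source subscription (separation of duties)
$spObjectId = '<service-principal-object-id>'
$resourceId = '/subscriptions/<source-subscription-id>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<vault-name>'

# --- target subscription: custom role and assignment -----------------------
Select-AzureRmSubscription -SubscriptionId $targetSub

# role.json is the definition from the post; AssignableScopes there limits it to
# the target subscription, and the assignment below narrows it to one namespace.
$role = New-AzureRmRoleDefinition -InputFile '.\role.json'

$nsScope = "/subscriptions/$targetSub/resourceGroups/$rg/providers/Microsoft.EventHub/namespaces/$namespace"
New-AzureRmRoleAssignment -ObjectId $spObjectId -RoleDefinitionName $role.Name -Scope $nsScope

# Authorization rule carrying the three rights the platform insists on.
# It is created on the single event hub, not on the namespace, so the key
# cannot be used to read the hubs of other source subscriptions.
$rule = New-AzureRmEventHubAuthorizationRule -ResourceGroupName $rg -Namespace $namespace `
    -EventHub $eventHub -Name 'diag-source-a' -Rights @('Manage', 'Listen', 'Send')

# --- source subscription: diagnostic setting pointing at the remote hub -----
Select-AzureRmSubscription -SubscriptionId $sourceSub

Set-AzureRmDiagnosticSetting -ResourceId $resourceId -Name 'to-siem-hub' `
    -EventHubAuthorizationRuleId $rule.Id -EventHubName $eventHub `
    -Enabled $true -Categories 'AuditEvent'

# Confirm which rule and hub the resource actually emits to before the SIEM
# team is handed the Listen key.
Get-AzureRmDiagnosticSetting -ResourceId $resourceId |
    Select-Object Name, EventHubAuthorizationRuleId, EventHubName
```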
