This article provides sample custom Azure Policy definitions that control which destinations can be configured in Event Grid event subscriptions. Azure Policy helps you enforce organizational standards and regulatory compliance across concerns such as security, cost, resource consistency, and management. Security compliance standards are prominent among those concerns because they help maintain your organization's security posture. As one such security control, the policies in this article help you prevent data exfiltration, that is, the delivery of events to unauthorized endpoints or Azure services.
Note
Azure Event Grid also has built-in policies that map to the compliance domains and security controls of several compliance standards. You can find those built-in policies in the Microsoft cloud security benchmark controls listed for Event Grid.
To prevent data exfiltration, an organization may want to limit the destinations to which Event Grid can deliver events. You can do this by assigning policies that only allow the creation or update of an event subscription whose destination is one of the sanctioned destinations listed in the policy. The policy effect that causes a non-compliant resource request to fail is deny. Because deny rejects the request outright, a common practice is to first assign a new definition with the audit effect, review the compliance results for existing event subscriptions, and only then switch the assignment to deny.
The following sections show sample policy definitions that enforce a list of allowed destinations. When you define such a policy, look for property aliases whose names contain destination and use that alias as the field that is compared against the list of allowed destinations. You can list the property aliases defined for Event Grid (namespace Microsoft.EventGrid) with the Azure CLI or Azure PowerShell commands described in the aliases section of the Azure Policy definition structure article.
For more information about defining policies, consult the article Azure Policy definition structure.
The following policy definition restricts the webhook endpoint destinations that can be configured in an event subscription for a system topic. The allowedValues list on the parameter limits which URLs an assignment may choose; replace the placeholder URLs with your sanctioned endpoints.
{
  "mode": "All",
  "policyRule": {
    "if": {
      "not": {
        "field": "Microsoft.EventGrid/systemTopics/eventSubscriptions/destination.WebHook.endpointUrl",
        "in": "[parameters('allowedDestinationEndpointURLs')]"
      }
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {
    "allowedDestinationEndpointURLs": {
      "type": "Array",
      "metadata": {
        "description": "Allowed event destination endpoint URLs.",
        "displayName": "The list of allowed webhook endpoint destinations to which events are sent"
      },
      "allowedValues": [
        "https://www.your-valid-destination-goes-here-1.com",
        "https://www.your-valid-destination-goes-here-2.com",
        "https://www.your-valid-destination-goes-here-3.com"
      ]
    }
  }
}
The following policy definition restricts the Event Hubs destination configured in an event subscription for a custom topic to a specific event hub, identified by its full Azure resource ID. You can use a similar approach for the other supported Azure service destinations by switching to the corresponding destination alias.
{
  "mode": "All",
  "policyRule": {
    "if": {
      "not": {
        "field": "Microsoft.EventGrid/eventSubscriptions/destination.EventHub.resourceId",
        "in": "[parameters('allowedResourceDestinations')]"
      }
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {
    "allowedResourceDestinations": {
      "type": "Array",
      "metadata": {
        "description": "The list of allowed event delivery destinations.",
        "displayName": "Allowed event delivery destinations"
      },
      "allowedValues": [
        "/subscriptions/<your-azure-subscription-id>/resourceGroups/<your-resource-group>/providers/Microsoft.EventHub/namespaces/<event-hubs-namespace-name>/eventhubs/<your-event-hub-name>"
      ]
    }
  }
}
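The two definitions above compare one destination alias against an allowlist, and the article notes that the same approach works for other destination types. The following Python is an added example, not code from the article or from Microsoft: it builds the Event Hubs variant of the policy, validates the allowed resource IDs before they go into allowedValues, and dry-runs the rule against constructed sample requests with a small evaluator that approximates Azure Policy's field, in, equals, not, and allOf conditions. The two aliases quoted from the article are used as-is; the destination.endpointType alias used to scope the deny to Event Hubs destinations is an assumption to confirm against the alias listing (for example with az provider show --namespace Microsoft.EventGrid --expand "resourceTypes/aliases"), and the evaluator is a local approximation, so confirm the live behaviour by assigning with effect audit before using deny.

```python
"""Build an Event Grid destination allowlist policy and dry-run it locally.

Added example, not code from the article. The endpointType alias and the
evaluation semantics are assumptions; verify both against the service.
"""
import json
import re
from typing import Any

# Alias quoted from the article's second policy.
EVENTHUB_ALIAS = "Microsoft.EventGrid/eventSubscriptions/destination.EventHub.resourceId"
# Assumed alias for the destination discriminator; verify with the alias listing.
ENDPOINT_TYPE_ALIAS = "Microsoft.EventGrid/eventSubscriptions/destination.endpointType"
WEBHOOK_ALIAS = "Microsoft.EventGrid/eventSubscriptions/destination.WebHook.endpointUrl"

# An Event Hubs resource ID starts with the Azure subscription GUID (not an
# Event Grid event subscription name) and ends with the event hub name.
EVENTHUB_ID_RE = re.compile(
    r"^/subscriptions/[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
    r"/resourceGroups/[^/]+/providers/Microsoft\.EventHub"
    r"/namespaces/[^/]+/eventhubs/[^/]+$",
    re.IGNORECASE,
)
PARAM_REF_RE = re.compile(r"\[parameters\('(\w+)'\)\]")


def invalid_eventhub_ids(ids: list[str]) -> list[str]:
    """Return entries that are not well-formed Event Hubs resource IDs."""
    return [r for r in ids if not EVENTHUB_ID_RE.match(r)]


def build_eventhub_allowlist_policy(allowed_ids: list[str]) -> dict[str, Any]:
    """Policy definition that denies Event Hubs destinations outside allowed_ids.

    The deny is scoped with allOf to requests whose endpointType is EventHub,
    so a webhook or queue destination is left to its own policy instead of
    failing a field comparison it can never satisfy.
    """
    bad = invalid_eventhub_ids(allowed_ids)
    if bad:
        raise ValueError(f"not Event Hubs resource IDs: {bad}")
    return {
        "mode": "All",
        "policyRule": {
            "if": {"allOf": [
                {"field": ENDPOINT_TYPE_ALIAS, "equals": "EventHub"},
                {"not": {"field": EVENTHUB_ALIAS,
                         "in": "[parameters('allowedResourceDestinations')]"}},
            ]},
            "then": {"effect": "deny"},
        },
        "parameters": {"allowedResourceDestinations": {
            "type": "Array",
            "metadata": {"description": "The list of allowed event delivery destinations.",
                         "displayName": "Allowed event delivery destinations"},
            "allowedValues": list(allowed_ids),
        }},
    }


def evaluate(cond: dict, fields: dict[str, str], params: dict[str, list]) -> bool:
    """Approximate Azure Policy condition evaluation over alias -> value pairs.

    `fields` stands in for the resource request. A missing alias yields None,
    which fails equals and in; under not, that failure becomes a match, which
    is why the rule above is guarded by the endpointType condition.
    """
    if "allOf" in cond:
        return all(evaluate(c, fields, params) for c in cond["allOf"])
    if "not" in cond:
        return not evaluate(cond["not"], fields, params)
    value = fields.get(cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "in" in cond:
        allowed = cond["in"]
        if isinstance(allowed, str):  # resolve "[parameters('name')]"
            match = PARAM_REF_RE.fullmatch(allowed)
            if not match:
                raise ValueError(f"unsupported expression: {allowed}")
            allowed = params[match.group(1)]
        return value is not None and value in allowed
    raise ValueError(f"unsupported condition: {cond}")


def is_denied(policy: dict, fields: dict[str, str], params: dict[str, list]) -> bool:
    """True when the request matches the rule and the effect is deny."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] == "deny" and evaluate(rule["if"], fields, params)


# Constructed sample values for the local dry run (not real resources).
ALLOWED_HUB = ("/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-events"
               "/providers/Microsoft.EventHub/namespaces/ns-prod/eventhubs/hub-audit")
ROGUE_HUB = ALLOWED_HUB.replace("hub-audit", "hub-exfil")

if __name__ == "__main__":
    policy = build_eventhub_allowlist_policy([ALLOWED_HUB])
    params = {"allowedResourceDestinations": [ALLOWED_HUB]}
    print(json.dumps(policy, indent=2))
    requests = {
        "sanctioned hub": {ENDPOINT_TYPE_ALIAS: "EventHub", EVENTHUB_ALIAS: ALLOWED_HUB},
        "unsanctioned hub": {ENDPOINT_TYPE_ALIAS: "EventHub", EVENTHUB_ALIAS: ROGUE_HUB},
        "webhook (out of scope)": {ENDPOINT_TYPE_ALIAS: "WebHook", WEBHOOK_ALIAS: "https://example.com/hook"},
    }
    for name, req in requests.items():
        print(f"{name}: {'deny' if is_denied(policy, req, params) else 'allow'}")
```

Run the script to print the generated definition and the verdict for each constructed request; the definition can then be registered with az policy definition create and assigned with the audit effect first. The evaluator is intentionally strict about missing fields so that the dry run surfaces the failure mode the endpointType guard exists to prevent.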
- To learn more about Azure Policy, refer to the Azure Policy documentation, starting with the Azure Policy definition structure article.
- To learn more about Azure Event Grid, consult the articles under the Concepts section, such as Event Grid terminology.