Governance Policies Azure Data Event Grid - Azure/az-prototype GitHub Wiki
Governance policies for Event Grid
Domain: azure-data
| Name | Description |
|---|---|
| Event Grid topic with private endpoint and dead-letter | Production Event Grid with Entra auth, private endpoint, and dead-letter storage |
| Description | Instead |
|---|---|
| Do not use SAS keys for Event Grid authentication | Disable local auth and use Entra RBAC with managed identity |
| Do not create event subscriptions without dead-letter configuration | Always configure a dead-letter destination for undeliverable events |
| Check | Severity | Description |
|---|---|---|
| AZ-EG-001 | Required | Deploy Event Grid topic with managed identity, TLS 1.2, local auth disabled, and public access off |
| AZ-EG-002 | Required | Configure event subscriptions with dead-letter destination and retry policy |
| AZ-EG-003 | Recommended | Use managed identity for event delivery to Azure destinations |
| AZ-EG-004 | Recommended | Enable diagnostic settings for Event Grid topic |
Deploy Event Grid topic with managed identity, TLS 1.2, local auth disabled, and public access off
Severity: Required
Rationale: Managed identity enables secure delivery; disabling local auth prevents SAS key usage
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.EventGrid/topics
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/privateEndpoints | pe-eventgrid | Private endpoint for Event Grid topic with groupId 'topic' |
| Microsoft.Network/privateDnsZones | privatelink.eventgrid.azure.net | Private DNS zone for Event Grid private endpoint resolution |
| Microsoft.EventGrid/topics/eventSubscriptions | eg-subscription | Event subscription defining delivery destination and filtering rules |
| Microsoft.Insights/diagnosticSettings | diag-eventgrid | Diagnostic settings routing delivery and publish failure logs to Log Analytics |
Configure event subscriptions with dead-letter destination and retry policy
Severity: Required
Rationale: Without dead-letter, undeliverable events are lost; retry policy handles transient failures
Agents: terraform-agent, bicep-agent, cloud-architect, app-developer, csharp-developer, python-developer
- Microsoft.EventGrid/topics
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Storage/storageAccounts | st-deadletter | Storage account hosting the dead-letter blob container for undeliverable events |
Use managed identity for event delivery to Azure destinations
Severity: Recommended
Rationale: Managed identity eliminates the need for access keys or connection strings in delivery configuration
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.EventGrid/topics
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Authorization/roleAssignments | Event Grid Data Sender | Grants Event Grid identity permission to send events to the destination resource |
Enable diagnostic settings for Event Grid topic
Severity: Recommended
Rationale: Monitor delivery success rates, failures, and dead-lettered events
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent
- Microsoft.EventGrid/topics
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.OperationalInsights/workspaces | log-analytics | Log Analytics workspace as destination for Event Grid diagnostic logs |