Ensure shared access policies are not used for IoT Hub Device Provisioning Service (DPS)

HIGH

Description

Azure IoT Hub Device Provisioning Service (DPS) shared access policies expose the provisioning service to the security weaknesses inherent in shared-access security tokens.

Remediation

In Azure Console -

  1. Open the Azure Portal and go to IoT Hub.
  2. Choose the IoT Hub DPS you wish to edit.
  3. Under Security settings, select Shared Access Policies.
  4. Delete any user-created shared access policies found.
    Note: for identity and access management, see the Azure documentation.

In Terraform -

  1. For each azurerm_iothub_dps resource, remove any azurerm_iothub_dps_shared_access_policy resources.
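As an added defender-side check (not part of this policy page or the Terraform provider), the script below scans Terraform source for azurerm_iothub_dps_shared_access_policy blocks and reports which DPS each one is attached to, so the offending resources can be located before they are removed. The sample configuration is constructed for illustration; the brace matching is a simplification that ignores braces inside quoted strings.

```python
import re

# Constructed sample Terraform configuration (not from the original page):
# one DPS instance plus a user-created shared access policy attached to it.
SAMPLE_TF = """
resource "azurerm_resource_group" "rg" {
  name     = "example-rg"
  location = "West Europe"
}

resource "azurerm_iothub_dps" "dps" {
  name                = "example-dps"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location

  sku {
    name     = "S1"
    capacity = 1
  }
}

resource "azurerm_iothub_dps_shared_access_policy" "svc" {
  name                = "service-policy"
  resource_group_name = azurerm_resource_group.rg.name
  iothub_dps_name     = azurerm_iothub_dps.dps.name
  service_config      = true
  enrollment_write    = true
}
"""

# Matches the header of any Terraform resource block: type, label, opening brace.
RESOURCE_RE = re.compile(r'resource\s+"([A-Za-z0-9_]+)"\s+"([A-Za-z0-9_-]+)"\s*\{')
FLAGGED_TYPE = "azurerm_iothub_dps_shared_access_policy"


def block_body(text, start):
    """Return the text between the brace just before `start` and its matching close."""
    depth, i = 1, start
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[start:i - 1]


def find_dps_shared_access_policies(tf_text):
    """Return [(policy_label, dps_reference)] for every flagged policy block."""
    findings = []
    for m in RESOURCE_RE.finditer(tf_text):
        rtype, label = m.group(1), m.group(2)
        if rtype != FLAGGED_TYPE:
            continue
        body = block_body(tf_text, m.end())
        ref = re.search(r"iothub_dps_name\s*=\s*(.+)", body)
        findings.append((label, ref.group(1).strip() if ref else "<unknown>"))
    return findings


if __name__ == "__main__":
    for label, dps in find_dps_shared_access_policies(SAMPLE_TF):
        print(f"AC_AZURE_0092: remove {FLAGGED_TYPE}.{label} (attached to {dps})")
```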

References:
https://learn.microsoft.com/en-us/azure/iot-dps/concepts-roles-operations
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/iothub_dps_shared_access_policy

Policy Details

Rule Reference ID: AC_AZURE_0092
CSP: Azure
Remediation Available: No
Resource Category: Virtual Network
Resource Type: IoT Hub

Frameworks