Connector Improvement: Event Hubs - Minimize required privileges
Summary: The current version of the Azure Event Hubs Fivetran connector does not adhere to the 'Principle of Least Privilege'. It should be amended to 'Listen' to a specific event hubs instance, rather than 'Manage' the whole namespace.
Detail: The current version of the Azure Event Hubs Fivetran connector requires a shared access policy on the event hub namespace, with Manage, Send and Listen privileges.
This prevents the usage of this connector in situations that require adherence to the 'Principle of Least Privilege', where only 'Listen' access should be granted to a specific event hub.
The image below shows the event hub shared access policy that is required for the current version of the connector:
The image below shows the preferred access policy that should be used by the connector, providing access to only a specific event hub and with only Listen privileges (this does not work with the current version of the connector):

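As an added example (not part of the original post, and not Fivetran's code), the script below puts the two policies described above side by side and checks them against the least-privilege rule the post asks for. It parses the JSON shape that `az eventhubs namespace authorization-rule list` and `az eventhubs eventhub authorization-rule list` return (the `id` path tells you whether a rule is namespace-scoped or bound to one hub; `rights` carries Listen/Send/Manage), flags namespace scope or Manage/Send on a policy meant for a consumer, and mints a SAS token from a hub-scoped Listen-only policy using the standard Event Hubs signing scheme. The namespace `ns-demo`, hub `orders`, rule names, subscription ID and key are made up.

```python
"""Audit Event Hubs shared access policies for least privilege and mint a
hub-scoped SAS token from a Listen-only policy.

Added example; the sample rules are constructed to mirror the JSON that the
Azure CLI returns for authorization rules. Names, IDs and the key are fictitious.
"""
import base64
import hashlib
import hmac
import re
from urllib.parse import quote_plus

# Event Hubs authorization-rule resource IDs come in two shapes:
#   .../Microsoft.EventHub/namespaces/<ns>/authorizationRules/<rule>                  (whole namespace)
#   .../Microsoft.EventHub/namespaces/<ns>/eventhubs/<hub>/authorizationRules/<rule>  (one event hub)
_RULE_ID = re.compile(
    r"/providers/Microsoft\.EventHub/namespaces/(?P<ns>[^/]+)"
    r"(?:/eventhubs/(?P<hub>[^/]+))?/authorizationRules/(?P<rule>[^/]+)$",
    re.IGNORECASE,
)

# Constructed samples: the policy the connector requires today, and the one proposed above.
CURRENT_POLICY = {
    "name": "fivetran-connector",
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
          "/providers/Microsoft.EventHub/namespaces/ns-demo/authorizationRules/fivetran-connector",
    "rights": ["Manage", "Send", "Listen"],
}
PROPOSED_POLICY = {
    "name": "fivetran-listen",
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
          "/providers/Microsoft.EventHub/namespaces/ns-demo/eventhubs/orders/authorizationRules/fivetran-listen",
    "rights": ["Listen"],
}


def classify_rule(rule: dict) -> dict:
    """Extract scope, namespace, hub (None at namespace scope) and rights from ARM JSON."""
    m = _RULE_ID.search(rule["id"])
    if not m:
        raise ValueError(f"not an Event Hubs authorization rule id: {rule['id']}")
    return {
        "name": m["rule"],
        "namespace": m["ns"],
        "hub": m["hub"],
        "scope": "eventhub" if m["hub"] else "namespace",
        "rights": set(rule.get("rights", [])),
    }


def audit_consumer_rule(rule: dict) -> list:
    """Return findings for a policy handed to a read-only consumer.

    Least privilege for a consumer is: bound to a single event hub, Listen only.
    An empty list means the policy passes.
    """
    info = classify_rule(rule)
    findings = []
    if info["scope"] == "namespace":
        findings.append(f"{info['name']}: scoped to namespace '{info['namespace']}', not a single event hub")
    if "Manage" in info["rights"]:
        findings.append(f"{info['name']}: grants Manage (can create/delete hubs and policies)")
    if "Send" in info["rights"]:
        findings.append(f"{info['name']}: grants Send; a consumer only needs Listen")
    if "Listen" not in info["rights"]:
        findings.append(f"{info['name']}: lacks Listen, so it cannot read events at all")
    return findings


def eventhub_sas_token(namespace: str, hub: str, policy_name: str, policy_key: str, expiry_epoch: int) -> str:
    """Build a SAS token the way Event Hubs verifies it.

    string-to-sign = url-encoded resource URI + "\\n" + expiry (seconds since epoch),
    signed with HMAC-SHA256 under the policy key. `sr` is the scope: naming the hub
    here, with a key from a hub-level Listen policy, is what keeps the token from
    reaching any other hub in the namespace.
    """
    resource_uri = quote_plus(f"https://{namespace}.servicebus.windows.net/{hub}")
    string_to_sign = f"{resource_uri}\n{expiry_epoch}".encode()
    digest = hmac.new(policy_key.encode(), string_to_sign, hashlib.sha256).digest()
    sig = quote_plus(base64.b64encode(digest).decode())
    return f"SharedAccessSignature sr={resource_uri}&sig={sig}&se={expiry_epoch}&skn={policy_name}"


if __name__ == "__main__":
    for label, rule in (("current", CURRENT_POLICY), ("proposed", PROPOSED_POLICY)):
        print(label, audit_consumer_rule(rule) or ["ok: single hub, Listen only"])
    # Fictitious key; a real one comes from the hub's own authorization rule.
    print(eventhub_sas_token("ns-demo", "orders", "fivetran-listen", "constructed-key-not-real", 1_700_000_000))
```

In practice you would feed `audit_consumer_rule` the output of `az eventhubs namespace authorization-rule list` and `az eventhubs eventhub authorization-rule list` for every namespace a connector key was cut from. Note that Azure only allows Manage in combination with Send and Listen, which is why the namespace policy the connector currently needs carries all three.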
-
Official comment
Hi Stephen,
Thank you for sharing. You are absolutely right; we will get this onto the roadmap for a future release for our more security-conscious customers. Our current configuration optimizes ease of configuration and setup for customers who are comfortable with that trade-off.
Best regards
Alison
-
Just following up here. We need the Managed Scope to list all topics.
If we used only Listen scope we would not be able to use one connector to sync data from multiple topics.
Best regards
Alison