diff --git a/articles/azure-monitor/roles-permissions-security.md b/articles/azure-monitor/roles-permissions-security.md index 108e230abc..db9725ca3f 100644 --- a/articles/azure-monitor/roles-permissions-security.md +++ b/articles/azure-monitor/roles-permissions-security.md 
@@ -143,7 +143,7 @@ $resourceGroup = "ResourceGroupName" [Data in Azure Monitor](data-platform.md) can be sent in a storage account or streamed to an event hub, both of which are general-purpose Azure resources. Being general-purpose resources, creating, deleting, and accessing them is a privileged operation reserved for an administrator. Since this data can contain sensitive information such as IP addresses or user names, use the following practices for monitoring-related resources to prevent misuse: -* Use a single, dedicated storage account for monitoring data. If you need to separate monitoring data into multiple storage accounts, always use different storage accounts for monitoring data and other types of data. If you share storage accounts for monitoring and other types of data, you might inadvertently grant access to other data to organizations that should only access monitoring data. For example, a non-Microsoft organization for security information and event management should need only access to monitoring data. +* Use a single, dedicated storage account for monitoring data. If you need to separate monitoring data into multiple storage accounts, the storage accounts should be used only for monitoring data. If you share storage accounts for monitoring and other types of data, you might inadvertently grant access to other data to organizations that should only access monitoring data. For example, a non-Microsoft organization for security information and event management should need only access to monitoring data. * Use a single, dedicated service bus or event hub namespace across all diagnostic settings for the same reason described in the previous point. * Limit access to monitoring-related storage accounts or event hubs by keeping them in a separate resource group. [Use scope](/azure/role-based-access-control/overview#scope) on your monitoring roles to limit access to only that resource group. 
* You should never grant the ListKeys permission for either storage accounts or event hubs at subscription scope when a user only needs access to monitoring data. Instead, give these permissions to the user at a resource or resource group scope (if you have a dedicated monitoring resource group).
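Review bot: In the rewritten first bullet, "the storage accounts should be used only for monitoring data" is ambiguous about which accounts it refers to, since the sentence has just introduced splitting monitoring data across "multiple storage accounts"; consider "each of those storage accounts should hold only monitoring data" so the rule clearly applies to every account in the split, which is the point the following sentence about inadvertently granting access to other data relies on.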