Framework/Configurations/SVT/Services/DataLakeAnalytics.json
|
{
"FeatureName": "DataLakeAnalytics", "Reference": "aka.ms/azsdkosstcp/adla", "IsManintenanceMode": false, "Controls": [ { "ControlID": "Azure_DataLakeAnalytics_AuthZ_Assign_Required_RBAC_To_Creator", "Description": "Data Lake Analytics creator must be granted only required Role Based Access Control (RBAC) access on Subscription/Resource Group/Resource", "Id": "DataLakeAnalytics110", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Assign 'Owner' privilege only at resource group and default data lake store account scope.", "Tags": [ "SDL", "TCP", "Manual", "AuthZ" ], "Enabled": true }, { "ControlID": "Azure_DataLakeAnalytics_AuthN_AAD_For_Client_AuthN", "Description": "All Data Lake Analytics users/service principal must be authenticated using AAD backed credentials", "Id": "DataLakeAnalytics120", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "No action required. ADLA supports only AAD authentication.", "Tags": [ "SDL", "Information", "Manual", "AuthN" ], "Enabled": true }, { "ControlID": "Azure_DataLakeAnalytics_AuthZ_Grant_Min_RBAC_Access", "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)", "Id": "DataLakeAnalytics130", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckRBACAccess", "Recommendation": "Assign only the 'Data Lake Analytics Developer' RBAC role to developers who manage U-SQL jobs. Refer: https://docs.microsoft.com/en-us/azure/data-lake-analytics/data-lake-analytics-manage-use-portal#manage-users", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "Azure_DataLakeAnalytics_AuthZ_Assign_Least_Privilege_ACL", "Description": "Data Lake Analytics developer (user/service principal) must have least required ACLs on Catalog/Database and Data Lake Store file system", "Id": "DataLakeAnalytics140", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Navigate to Azure Portal --> Data Lake Analytics Account --> Add User Wizard option to add users. Ensure least necessary privileges are granted.", "Tags": [ "SDL", "TCP", "Manual", "AuthZ" ], "Enabled": true }, { "ControlID": "Azure_DataLakeAnalytics_Config_Storage_Datasource_Securely", "Description": "Storage account data source must be added securely", "Id": "DataLakeAnalytics150", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Setup storage data source using PowerShell command 'Add-AzureRmDataLakeAnalyticsDataSource -ResourceGroupName <ResourceGroup> -Account <ADLAAccount> -AzureBlob <StorageAccount> -AccessKey ((Get-AzureRmStorageAccountKey -ResourceGroupName <ResourceGroupOfStorageAccount> -Name <StorageAccountName>).Key1", "Tags": [ "SDL", "Best Practice", "Manual", "Config" ], "Enabled": true }, { "ControlID": "Azure_DataLakeAnalytics_DP_Encrypt_Connection_Strings", "Description": "Secrets to access SQL Azure/SQL VM/SQL Data Warehouse must be securely stored under Catalog database credentials", "Id": "DataLakeAnalytics160", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "Password of the account used to access SQL Azure must be created as a new catalog secret using the 'New-AzureRmDataLakeAnalyticsCatalogSecret' PS command. Refer: https://docs.microsoft.com/en-us/powershell/module/azurerm.datalakeanalytics/new-azurermdatalakeanalyticscatalogsecret. Then create credential object for this cataglog secret using the U-SQL command 'CREATE CREDENTIAL', Refer: https://docs.microsoft.com/en-us/azure/sql-data-warehouse/sql-data-warehouse-load-from-azure-data-lake-store#configure-the-data-source", "Tags": [ "SDL", "Best Practice", "Manual", "DP" ], "Enabled": true }, { "ControlID": "Azure_DataLakeAnalytics_SI_USQL_Script_Integrity", "Description": "U-SQL script file(s) must be uploaded from a secured/trusted location", "Id": "DataLakeAnalytics170", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "Make sure that the client machine used to upload scripts is secure (Antimalware, patching, etc.). Also, do not upload files that have originated from potentially untrusted sites.", "Tags": [ "SDL", "TCP", "Manual", "SI" ], "Enabled": true }, { "ControlID": "Azure_DataLakeAnalytics_Audit_Enable_Diagnostics_Log", "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days.", "Id": "DataLakeAnalytics180", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckDiagnosticsSettings", "Recommendation": "Enable 'Audit' and 'Requests' logs with retention days $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) or $($this.ControlSettings.Diagnostics_RetentionPeriod_Forever) (= forever). Run PS command 'Set-AzureRmDiagnosticSetting -ResourceId <ResourceId> -Enable $true -StorageAccountId <StorageAccountId> -RetentionInDays 365 -RetentionEnabled $true'", "Tags": [ "SDL", "TCP", "Automated", "Audit", "Diagnostics" ], "Enabled": true }, { "ControlID": "Azure_DataLakeAnalytics_DP_Encrypt_At_Rest", "Description": "Sensitive data must be encrypted at rest", "Id": "DataLakeAnalytics190", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckEncryptionAtRest", "Recommendation": "Default Data Lake Store Account must have encryption enabled. Refer: https://docs.microsoft.com/en-us/azure/data-lake-store/data-lake-store-security-overview#data-protection", "Tags": [ "SDL", "TCP", "Automated", "DP" ], "Enabled": true }, { "ControlID": "Azure_DataLakeAnalytics_DP_Encrypt_In_Transit", "Description": "Sensitive data must be encrypted in transit", "Id": "DataLakeAnalytics200", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "No action required. ADLA provides encryption in transit using HTTPS transport layer security.", "Tags": [ "SDL", "Information", "Manual", "DP" ], "Enabled": true }, { "ControlID": "Azure_DataLakeAnalytics_BCDR_Plan_Default_Data_Lake_Store", "Description": "Backup and Disaster Recovery must be planned for the default Data Lake Store account", "Id": "DataLakeAnalytics210", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Ensure that any critical business/catalog data in the default Data Lake Store has been backed up from a BC-DR standpoint.", "Tags": [ "SDL", "TCP", "Manual", "BCDR" ], "Enabled": true }, { "ControlID": "Azure_DataLakeAnalytics_Audit_Review_Logs", "Description": "Diagnostic and activity logs for Data Lake Analytics should be reviewed periodically", "Id": "DataLakeAnalytics220", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Review diagnostic/activity logs to check activities on the resource. Refer: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-of-diagnostic-logs and https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-activity-logs", "Tags": [ "SDL", "Best Practice", "Manual", "Audit" ], "Enabled": true } ] } |