Framework/Configurations/SVT/Services/DataLakeStore.json

{
  "FeatureName": "DataLakeStore",
  "Reference": "aka.ms/azsdkosstcp/adls",
  "IsManintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_DataLakeStore_AuthN_AAD_For_Client_AuthN",
      "Description": "All users/applications are authenticated using Azure Active Directory (AAD) based credentials",
      "Id": "DataLakeStore110",
                         "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "No action required. ADLS supports only AAD authentication.",
      "Tags": [
        "SDL",
        "Information",
        "Manual",
        "AuthN"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_DataLakeStore_AuthZ_Grant_Min_RBAC_Access",
      "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
      "Id": "DataLakeStore120",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRBACAccess",
      "Recommendation": "Assign 'Owner' role to Data Lake Store creator at resource group scope. Refer: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-configure",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "RBAC"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_DataLakeStore_AuthZ_Assign_ACLs_On_FileSystem",
      "Description": "Access to Data Lake Store file system must be limited by using appropriate Access Control List (ACL). The 'Other' group must not have any access",
      "Id": "DataLakeStore130",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckACLAccess",
      "Recommendation": "Use PS command 'Set-AzureRmDataLakeStoreItemAcl [-Account] <String> [-Path] <DataLakeStorePathInstance> [-Acl] <DataLakeStoreItemAcl>'. Refer: https://docs.microsoft.com/en-us/azure/data-lake-store/data-lake-store-secure-data#a-namefilepermissionsaassign-users-or-security-group-as-acls-to-the-azure-data-lake-store-file-system",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_DataLakeStore_AuthZ_Enable_Firewall",
      "Description": "Firewall should be enabled on Data Lake Store",
      "Id": "DataLakeStore140",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckFirewall",
      "Recommendation": "Enable firewall and add rules for specific IP/IP ranges. Do not add the IP range $($this.ControlSettings.UniversalIPRange) as it means open access for all IPs. Refer: https://docs.microsoft.com/en-us/powershell/module/azurerm.datalakestore/add-azurermdatalakestorefirewallrule",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_DataLakeStore_DP_Use_AdlCopy_Securely",
      "Description": "AdlCopy tool must be used securely while copying data from storage blobs to Data Lake Store",
      "Id": "DataLakeStore150",
                         "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Use HTTPS URL for blob storage endpoint.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_DataLakeStore_DP_Use_DataFactory_Securely",
      "Description": "Data Factory must be used securely while moving data to or from the Data Lake Store",
      "Id": "DataLakeStore160",
                         "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Use service principal based authentication in the ADF linked service. Refer: https://docs.microsoft.com/en-us/azure/data-factory/data-factory-azure-datalake-connector#linked-service-properties",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_DataLakeStore_AuthZ_Use_SP_For_ADLS_Access",
      "Description": "Clients such as web jobs and standalone apps should use a service principal identity to access Data Lake Store",
      "Id": "DataLakeStore170",
                         "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Create a service principal and use ACLs on ADLS to grant it the least required access. Refer: https://docs.microsoft.com/en-us/azure/data-lake-store/data-lake-store-secure-data#a-namefilepermissionsaassign-users-or-security-group-as-acls-to-the-azure-data-lake-store-file-system",
      "Tags": [
        "SDL",
        "Best Practice",
        "Manual",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_DataLakeStore_DP_Encrypt_At_Rest",
      "Description": "Sensitive data must be encrypted at rest",
      "Id": "DataLakeStore180",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckEncryptionAtRest",
      "Recommendation": "Enable encryption while creating Data Lake Store. Refer: https://docs.microsoft.com/en-us/azure/data-lake-store/data-lake-store-security-overview#data-protection",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_DataLakeStore_DP_Encrypt_In_Transit",
      "Description": "Sensitive data must be encrypted in transit",
      "Id": "DataLakeStore190",
                         "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "No action required. ADLS provides encryption in transit using HTTPS transport layer security.",
      "Tags": [
        "SDL",
        "Information",
        "Manual",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_DataLakeStore_Audit_Enable_Diagnostics_Log",
      "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days.",
      "Id": "DataLakeStore200",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckDiagnosticsSettings",
      "Recommendation": "Enable 'Audit' and 'Requests' logs with retention days $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) or $($this.ControlSettings.Diagnostics_RetentionPeriod_Forever) (= forever).",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "Diagnostics"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_DataLakeStore_Audit_Review_Logs",
      "Description": "Diagnostic logs for Data Lake Store should be reviewed periodically",
      "Id": "DataLakeStore210",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Review diagnostic/activity logs to check activities on the resource. Refer: https://docs.microsoft.com/en-us/azure/data-lake-store/data-lake-store-diagnostic-logs and https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-activity-logs",
      "Tags": [
        "SDL",
        "Best Practice",
        "Manual",
        "Audit"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_DataLakeStore_BCDR_Plan",
      "Description": "Backup and Disaster Recovery must be planned for Data Lake Store",
      "Id": "DataLakeStore220",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Ensure the critical business data in the Data Lake Store has been backed up from a BC-DR standpoint.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "BCDR"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_DataLakeStore_Config_Cleanup_Data",
      "Description": "Data in Data Lake Store should be cleaned up using file retention",
      "Id": "DataLakeStore230",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Set an expiry date by navigating to the file in the ADLS data explorer and using the 'Set Expiry' property, or use the PS command 'Set-AzureRmDataLakeStoreItemExpiry [-Account] <String> [-Path] <DataLakeStorePathInstance> [[-Expiration] <DateTimeOffset>]'",
      "Tags": [ "SDL",
        "Best Practice",
        "Manual",
        "Config"
      ],
      "Enabled": true
    }
  ]
}