Framework/Configurations/SVT/Services/StreamAnalytics.json
{
"FeatureName": "StreamAnalytics", "Reference": "aka.ms/azsdktcp/streamanalytics", "IsManintenanceMode": false, "Controls": [ { "ControlID": "Azure_StreamAnalytics_AuthZ_Grant_Min_RBAC_Access", "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)", "Id": "StreamAnalytics110", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckRBACAccess", "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.", "Recommendation": "Remove any excessive privileges granted on the Stream Analytics. Assign 'Log Analytics Contributor' RBAC role to developers who manages Stream Analytics configurations. Run command: Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help. Refer: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "Azure_StreamAnalytics_Audit_Enable_Diagnostics_Log", "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days.", "Id": "StreamAnalytics120", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckDiagnosticsSettings", "Rationale": "Logs should be retained for a long enough period so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. A period of 1 year is typical for several compliance requirements as well.", "Recommendation": "Run command: Set-AzureRmDiagnosticSetting -ResourceId {'ResourceId'} -Enable `$true -StorageAccountId '{StorageAccountId}' -RetentionInDays $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) -RetentionEnabled `$true", "Tags": [ "SDL", "TCP", "Automated", "Audit", "Diagnostics" ], "Enabled": true }, { "ControlID": "Azure_StreamAnalytics_BCDR_Backup_Job_Queries", "Description": "Backup must be planned for Stream Analytics job queries.", "Id": "StreamAnalytics130", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Stream Analytics does not offer features to cover backup/disaster recovery out-of-the-box. As a result, for critical Stream Analytics queries, a team must have adequate backups of the data.", "Recommendation": "Ensure the queries in the Stream Analytics Job has been backed up from a BC-DR standpoint.", "Tags": [ "SDL", "TCP", "Manual", "BCDR" ], "Enabled": true }, { "ControlID": "Azure_StreamAnalytics_Audit_Issue_Alert_Runtime_Errors_Failed_Functions", "Description": "Alert rules must be configured for Runtime Errors and Failed Functions", "Id": "StreamAnalytics140", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckStreamAnalyticsMetricAlert", "Rationale": "Using alert rules, one can ensure high availability of important/critical services by monitoring jobs and getting alerts for runtime errors and job failures.", "Recommendation": "Run the 2 commands: (1) Add-AzureRmMetricAlertRule -MetricName 'Errors' -Operator 'GreaterThan' -Threshold '0' -TimeAggregationOperator 'Total' -WindowSize '00:05:00' -Actions '<New-AzureRmAlertRuleEmail -SendToServiceOwners>' -Name '<Alert-Name-1>' -ResourceGroup '<RGName>' -TargetResourceId '<TargetResourceId>' -Location '<Location>'' (2) Add-AzureRmMetricAlertRule -MetricName 'AMLCalloutFailedRequests' -Operator 'GreaterThan' -Threshold '0' -TimeAggregationOperator 'Total' -WindowSize '00:05:00' -Actions '<New-AzureRmAlertRuleEmail -SendToServiceOwners>' -Name '<Alert-Name-2>' -ResourceGroup '<RGName>' -TargetResourceId '<TargetResourceId>' -Location '<Location>''. Note: Make sure you choose different names for Alert-Name-1 and Alert-Name-2 above. Run 'Get-Help Add-AzureRmMetricAlertRule -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "Audit" ], "Enabled": true }, { "ControlID": "Azure_StreamAnalytics_BCDR_Configure_Paired_Region", "Description": "Paired Regions should be configured for disaster recovery", "Id": "StreamAnalytics150", "ControlSeverity": "Low", "Automated": "No", "MethodName": "", "Rationale": "Paired namespaces help maintain consistent availability of a Stream Analytics based solution in case of an outage (e.g. throttling, storage issue, subsystem failure) in the primary region.", "Recommendation": "Critical jobs of Stream Analytics should be deployed to both paired regions. In addition to Stream Analytics internal monitoring capabilities, customers are also advised to monitor the jobs. If a break is identified to be a result of the Stream Analytics service update, escalate appropriately and fail over any downstream consumers to the healthy job output. Escalation to support will prevent the paired region from being affected by the new deployment and maintain the integrity of the paired jobs. Refer: https://docs.microsoft.com/en-us/azure/stream-analytics/stream-analytics-job-reliability", "Tags": [ "SDL", "Best Practice", "Manual", "BCDR" ], "Enabled": true } ] } |