Framework/Configurations/SVT/Services/Batch.json

{
    "FeatureName": "Batch",
    "Reference": "aka.ms/azsktcp/batch",
    "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_Batch_AuthZ_Grant_Min_RBAC_Access",
      "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
      "Id": "Batch110",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRBACAccess",
      "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",
      "Recommendation": "Remove any excessive privileges granted on the Batch service. Run command Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help. Refer: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "RBAC",
        "Batch"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Batch_DP_Encrypt_Linked_Storage",
      "Description": "Storage Account, linked with Batch account, must be protected using Storage Service Encryption (SSE)",
      "Id": "Batch120",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Using this feature ensures that sensitive data is stored encrypted at rest. This minimizes the risk of data loss from physical theft and also helps meet regulatory compliance requirements.",
      "Recommendation": "Default behavior. No action required.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "Information",
        "DP",
        "Batch"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Batch_DP_Protect_Secrets_On_Compute_Nodes",
      "Description": "Secrets associated with tasks must be protected on Batch service compute nodes",
      "Id": "Batch130",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Encrypting the sensitive data like secrets/keys minimizes the exposure until runtime. Using the uploaded certificates, compute nodes can decrypt the secrets as needed at runtime.",
      "Recommendation": "Certificates need to be installed on the compute nodes used by Batch in order to protect sensitive information. Run command New-AzureBatchCertificate -FilePath '{FilePath}' -BatchContext '{BatchContext}' -Password '{Password}'. Note: Password value should be a secure string variable. Please refer https://docs.microsoft.com/en-us/azure/batch/batch-api-basics#security-with-certificates",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP",
        "Batch"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Batch_DP_Rotate_Access_Keys",
      "Description": "Batch account access keys must be rotated periodically",
      "Id": "Batch140",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Periodic key/password rotation is a good security hygiene practice as, over time, it minimizes the likelihood of data loss/compromise which can arise from key theft/brute forcing/recovery attacks.",
      "Recommendation": "Rotate Batch account access keys at regular intervals as per business requirement. Run command New-AzureRmBatchAccountKey -AccountName '{AccountName}' -KeyType '{KeyType}' -ResourceGroupName '{ResourceGroupName}' Refer: https://docs.microsoft.com/en-us/powershell/module/azurerm.batch/new-azurermbatchaccountkey",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP",
        "Batch"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Batch_NetSec_Disable_RDP_Connection",
      "Description": "Remote desktop connection should be disabled on Batch account compute nodes",
      "Id": "Batch150",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Open RDP/remote management connections expose a VM/compute node to a high level of risk from internet-based attacks that attempt to brute force credentials to gain access to the machine.",
      "Recommendation": "Remote desktop connection should be disabled. Refer: https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-role-enable-remote-desktop-powershell",
      "Tags": [
        "SDL",
        "Best Practice",
        "Manual",
        "NetSec",
        "Batch"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Batch_BCDR_Persist_Output_To_Storage",
      "Description": "Batch account tasks and jobs should be configured to persist output to Azure Blob Storage",
      "Id": "Batch160",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Batch service works on the compute nodes. It is good to persist the data into SSE enabled storage account. Otherwise, on the crash of compute node, would result in the data loss.",
      "Recommendation": "Use Azure blob storage to persist Batch account tasks and jobs. Refer: https://docs.microsoft.com/en-us/azure/batch/batch-task-output",
      "Tags": [
        "SDL",
        "Best Practice",
        "Manual",
        "BCDR",
        "Batch"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Batch_Audit_Enable_Diagnostics_Log",
      "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days",
      "Id": "Batch170",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckDiagnosticsSettings",
      "Rationale": "Logs should be retained for a long enough period so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. A period of 1 year is typical for several compliance requirements as well.",
      "Recommendation": "Run command: Set-AzureRmDiagnosticSetting -ResourceId {'ResourceId'} -Enable `$true -StorageAccountId '{StorageAccountId}' -RetentionInDays $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) -RetentionEnabled `$true. Alternatively, you can also change the diagnostic settings from the Azure Portal by following the steps given here: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-archive-diagnostic-logs#archive-diagnostic-logs-using-the-portal",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "Diagnostics",
        "Batch"
      ],
      "PolicyDefinitionGuid":"428256e6-1fac-4f48-a757-df34c2b3336d",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d",
      "Enabled": true
    },
    {
      "ControlID": "Azure_Batch_Audit_Enable_Metric_Alert",
      "Description": "Metric alert rules must be configured on Batch account",
      "Id": "Batch180",
      "ControlSeverity": "Low",
      "Automated": "Yes",
      "MethodName": "CheckBatchMetricAlert",
      "Rationale": "Metric alerts should be enabled to get alerts for issues that impacts the performance of batch resource when a metric crosses a certain threshold.",
      "Recommendation": "Add or update a metric-based alert rule by using command Add-AzureRmMetricAlertRule -Location '{Location}'-MetricName 'PoolDeleteCompleteEvent' -Name '{alertName}' -Operator 'GreaterThan' -ResourceGroup '{ResourceGroupName}' -TargetResourceId '{TargetResourceId}' -Threshold 0 -TimeAggregationOperator 'Total' -WindowSize '01:00:00' -Action '{Comma-separated list of actions}'",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "Audit",
        "Batch"
      ],
      "Enabled": true
    }
  ]
}