Framework/Configurations/SVT/Services/StreamAnalytics.json
{
"FeatureName": "StreamAnalytics", "Reference": "aka.ms/azsktcp/streamanalytics", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_StreamAnalytics_AuthZ_Grant_Min_RBAC_Access", "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)", "Id": "StreamAnalytics110", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckRBACAccess", "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.", "Recommendation": "Remove any excessive privileges granted on the Stream Analytics. Assign 'Log Analytics Contributor' RBAC role to developers who manages Stream Analytics configurations. Run command: Remove-AzRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help. Refer: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC", "StreamAnalytics" ], "Enabled": true }, { "ControlID": "Azure_StreamAnalytics_Audit_Enable_Diagnostics_Log", "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days.", "Id": "StreamAnalytics120", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckDiagnosticsSettings", "Rationale": "Logs should be retained for a long enough period so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. A period of 1 year is typical for several compliance requirements as well.", "Recommendation": "You can change the diagnostic settings from the Azure Portal by following the steps given here: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-archive-diagnostic-logs#archive-diagnostic-logs-using-the-portal", "Tags": [ "SDL", "TCP", "Automated", "Audit", "Diagnostics", "StreamAnalytics" ], "PolicyDefinitionGuid":"f9be5368-9bf5-4b84-9e0a-7850da98bb46", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46", "Enabled": true }, { "ControlID": "Azure_StreamAnalytics_BCDR_Backup_Job_Queries", "Description": "Backup must be planned for Stream Analytics job queries.", "Id": "StreamAnalytics130", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Stream Analytics does not offer features to cover backup/disaster recovery out-of-the-box. As a result, for critical Stream Analytics queries, a team must have adequate backups of the data.", "Recommendation": "Ensure the queries in the Stream Analytics Job has been backed up from a BC-DR standpoint.", "Tags": [ "SDL", "TCP", "Manual", "BCDR", "StreamAnalytics" ], "Enabled": true }, { "ControlID": "Azure_StreamAnalytics_Audit_Issue_Alert_Runtime_Errors_Failed_Functions", "Description": "Alert rules must be configured for Runtime Errors and Failed Functions", "Id": "StreamAnalytics140", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckStreamAnalyticsMetricAlert", "Rationale": "Using alert rules, one can ensure high availability of important/critical services by monitoring jobs and getting alerts for runtime errors and job failures.", "Recommendation": "To setup alert rule for 'Failed Function Requests' and 'Runtime Errors' events: (1) Go to Stream Analytics service -> 'Alerts' -> 'New alert rule' -> 'Add condition' (2) Select Signal type as 'Metrics' -> Select 'Failed Function Requests'/'Runtime Errors' -> Select a. Operator = 'Greater Than' b. Aggregation type = 'Total' c. Threshold value = '0' and d. Aggregation granularity = '5 minute' (3) Select an existing Action Group or create a new one of type 'Email/SMS/Push/Voice'. Select 'Email' option and specify the email id.", "Tags": [ "SDL", "TCP", "Automated", "Audit", "StreamAnalytics" ], "Enabled": true }, { "ControlID": "Azure_StreamAnalytics_BCDR_Configure_Paired_Region", "Description": "Paired Regions should be configured for disaster recovery", "Id": "StreamAnalytics150", "ControlSeverity": "Low", "Automated": "No", "MethodName": "", "Rationale": "Paired namespaces help maintain consistent availability of a Stream Analytics based solution in case of an outage (e.g. throttling, storage issue, subsystem failure) in the primary region.", "Recommendation": "Critical jobs of Stream Analytics should be deployed to both paired regions. In addition to Stream Analytics internal monitoring capabilities, customers are also advised to monitor the jobs. If a break is identified to be a result of the Stream Analytics service update, escalate appropriately and fail over any downstream consumers to the healthy job output. Escalation to support will prevent the paired region from being affected by the new deployment and maintain the integrity of the paired jobs. Refer: https://docs.microsoft.com/en-us/azure/stream-analytics/stream-analytics-job-reliability", "Tags": [ "SDL", "Best Practice", "Manual", "BCDR", "StreamAnalytics" ], "Enabled": true } ] } |