Framework/Configurations/SVT/Services/HDInsight.json
{
"FeatureName": "HDInsight", "Reference": "aka.ms/azsktcp/hdinsight", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_HDInsight_Deploy_Supported_Cluster_Version", "Description": "HDInsight must have supported HDI cluster version", "Id": "HDInsight110", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckClusterVersion", "Rationale": "Being on the latest/supported HDInsight version significantly reduces risks from security bugs or updates that may be present in older or retired cluster versions.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-component-versioning?#supported-hdinsight-versions https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-upgrade-cluster", "Tags": [ "SDL", "TCP", "Manual", "SI", "HDInsight" ], "Enabled": true, "PolicyDefinitionGuid": "HDInsight110" }, { "ControlID": "Azure_HDInsight_AuthN_Use_SSH_Keys_For_Login", "Description": "Use Public-Private key pair together with a passcode for SSH login", "Id": "HDInsight120", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "Public-Private key pair help to protect against password guessing and brute force attacks", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-hadoop-linux-use-ssh-unix", "Tags": [ "SDL", "TCP", "Manual", "SI", "HDInsight" ], "Enabled": true }, { "ControlID": "Azure_HDInsight_AuthZ_Restrict_Cluster_Network_Access", "Description": "HDInsight cluster access must be restricted using virtual network or Azure VPN gateway service with NSG traffic rules", "Id": "HDInsight130", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckClusterNetworkProfile", "Rationale": "Restricting cluster access with inbound and outbound traffic via NSGs limits the network exposure for cluster and reduces the attack surface.", "Recommendation": "You should restrict IP range and port as per application needs. Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-extend-hadoop-virtual-network. Note: In case the IP range is indeterminate (for instance, if the client is a PaaS endpoint), you may need to attest this control.", "Tags": [ "SDL", "TCP", "Manual", "AuthZ", "HDInsight", "NetSec" ], "Enabled": true }, { "ControlID": "Azure_HDInsight_DP_Storage_Encrypt_In_Transit", "Description": "Secure transfer protocol must be used for accessing storage account resources", "Id": "HDInsight140", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "Use of secure transfer ensures server/service authentication and protects data in transit from network layer man-in-the-middle, eavesdropping, session-hijacking attacks. When enabling HTTPS one must remember to simultaneously disable access over plain HTTP else data can still be subject to compromise over clear text connections.", "Recommendation": "https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-hadoop-create-linux-clusters-with-secure-transfer-storage?toc=%2Fen-us%2Fazure%2Fhdinsight%2Fstorm%2FTOC.json&bc=%2Fen-us%2Fazure%2Fbread%2Ftoc.json", "Tags": [ "SDL", "TCP", "Manual", "DP", "HDInsight" ], "Enabled": true }, { "ControlID": "Azure_HDInsight_DP_Storage_Encrypt_At_Rest", "Description": "Storage used for cluster must have encryption at rest enabled", "Id": "HDInsight150", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "Using this feature ensures that sensitive data is stored encrypted at rest. This minimizes the risk of data loss from physical theft and also helps meet regulatory compliance requirements.", "Recommendation": "https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-hadoop-create-linux-clusters-with-secure-transfer-storage?toc=%2Fen-us%2Fazure%2Fhdinsight%2Fstorm%2FTOC.json&bc=%2Fen-us%2Fazure%2Fbread%2Ftoc.json", "Tags": [ "SDL", "TCP", "Manual", "DP", "HDInsight" ], "Enabled": true }, { "ControlID": "Azure_HDInsight_DP_Dont_Store_Data_On_Cluster_Nodes", "Description": "Sensitive data must be stored on storage linked to cluster and not on cluster node disks", "Id": "HDInsight160", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "Cluster node restart may cause loss of data present on cluster nodes. Also currently HDInsight does not support encryption at rest for cluster node disk.", "Recommendation": "All data must be stored on storage linked with HDInsight cluster", "Tags": [ "SDL", "TCP", "Manual", "DP", "HDInsight" ], "Enabled": true }, { "ControlID": "Azure_HDInsight_AuthZ_Restrict_Network_Access_To_Cluster_Storage", "Description": "Access to cluster's storage must be restricted to virtual network of the cluster", "Id": "HDInsight170", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Restricting storage access within cluster network boundary reduces the attack surface.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-hadoop-linux-use-ssh-unix", "Tags": [ "SDL", "TCP", "Manual", "AuthZ", "HDInsight", "NetSec" ], "Enabled": true }, { "ControlID": "Azure_HDInsight_AuthZ_Grant_Min_RBAC_Access_For_Cluster_Operations", "Description": "All users/identities must be granted minimum required cluster operation permissions using Ambari Role Based Access Control (RBAC)", "Id": "HDInsight180", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-authorize-users-to-Ambari#assign-users-to-roles", "Tags": [ "SDL", "TCP", "Manual", "AuthZ", "RBAC", "HDInsight" ], "Enabled": true }, { "ControlID": "Azure_HDInsight_AuthZ_Restrict_Access_To_Ambari_Views", "Description": "Only required users/identities must be granted access to Ambari views", "Id": "HDInsight190", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Granting access to only required users to Ambari views ensures minimum exposure of underline data resources.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-authorize-users-to-Ambari#grant-permissions-to-hive-views", "Tags": [ "SDL", "TCP", "Manual", "AuthZ", "RBAC", "HDinsight" ], "Enabled": true }, { "ControlID": "Azure_HDInsight_DP_Rotate_Admin_Password", "Description": "Ambari admin password must be renewed after a regular interval", "Id": "HDInsight111", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-administer-use-portal-linux#change-passwords", "Tags": [ "SDL", "TCP", "Manual", "DP", "HDinsight" ], "Enabled": true, "Rationale": "Periodic key/password rotation is a good security hygiene practice as, over time, it minimizes the likelihood of data loss/compromise which can arise from key theft/brute forcing/recovery attacks." }, { "ControlID": "Azure_HDInsight_Audit_Use_Diagnostics_Log", "Description": "Diagnostics must be enabled for cluster operations", "Id": "HDInsight122", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Diagnostics logs are needed for creating activity trail while investigating an incident or a compromise.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-hadoop-linux-use-ssh-unix", "Tags": [ "SDL", "TCP", "Manual", "Audit", "HDInsight" ], "Enabled": true }, { "ControlID": "Azure_HDInsight_DP_No_PlainText_Secrets_In_Notebooks", "Description": "Secrets and keys must not be in plain text in notebooks and jobs", "Id": "HDInsight133", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Keeping secrets such as connection strings, passwords, keys, etc. in clear text can lead to easy compromise. Storing them in a secure place (like KeyVault) ensures that they are protected at rest.", "Recommendation": "Use a key vault backed secret scopes to store any secrets and keys and read them from the respective secret scopes in notebooks and jobs.", "Tags": [ "SDL", "TCP", "Manual", "Audit", "HDInsight" ], "Enabled": true } ] } |