module/ConfigurationProvider/ControlConfigurations/Services/HDInsight.json
|
{
"FeatureName": "HDInsight", "Reference": "aka.ms/azsktcp/hdinsight", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_HDInsight_Deploy_Supported_Cluster_Version", "Description": "HDInsight must have supported HDI cluster version", "Id": "HDInsight110", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckClusterVersion", "DisplayName": "HDInsight must have supported HDI cluster version", "Category": "Vulnerabilities must be remediated", "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance", "Rationale": "Being on the latest/supported HDInsight version significantly reduces risks from security bugs or updates that may be present in older or retired cluster versions.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-component-versioning?#supported-hdinsight-versions https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-upgrade-cluster", "Tags": [ "SDL", "TCP", "Manual", "SI", "HDInsight", "Baseline", "Weekly", "CSEOPilotP1", "CSEOPilotSub" ], "Enabled": true, "ControlSettings": { "MinRequiredClusterVersion": "3.6.0" }, "CustomTags": [ "CSEOBaseline", "CSEOPilot" ] }, { "ControlID": "Azure_HDInsight_AuthN_Use_SSH_Keys_For_Login", "Description": "Use Public-Private key pair together with a passcode for SSH login", "Id": "HDInsight120", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "Public-Private key pair help to protect against password guessing and brute force attacks", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-hadoop-linux-use-ssh-unix", "Tags": [ "SDL", "TCP", "Manual", "SI", "HDInsight" ], "Enabled": false, "CustomTags": [] }, { "ControlID": "Azure_HDInsight_NetSec_Restrict_Cluster_Network_Access", "DisplayName": "HDInsight cluster access must be restricted using virtual network or Azure VPN gateway service with NSG traffic rules", "Description": "HDInsight cluster access must be restricted using virtual network or Azure VPN gateway service with NSG traffic rules", "Id": "HDInsight130", "ControlSeverity": "High", "Automated": "Yes", "Category": "Deploy controls to restrict network traffic", "ControlRequirements": "Restrict network traffic flows", "MethodName": "CheckClusterNetworkProfile", "Rationale": "Restricting cluster access with inbound and outbound traffic via NSGs limits the network exposure for cluster and reduces the attack surface.", "Recommendation": "You should restrict IP range and port as per application needs. Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-extend-hadoop-virtual-network. Note: In case the IP range is indeterminate (for instance, if the client is a PaaS endpoint), you may need to attest this control.", "ControlEvaluationDetails": { "RequiredProperties": [ "ComputeProfile" ] }, "Tags": [ "Baseline", "Weekly", "SDL", "TCP", "NetSec", "HDInsight" ], "Enabled": true, "CustomTags": [] }, { "ControlID": "Azure_HDInsight_DP_Storage_Encrypt_In_Transit", "Description": "Secure transfer protocol must be used for accessing storage account resources", "Id": "HDInsight140", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "Use of secure transfer ensures server/service authentication and protects data in transit from network layer man-in-the-middle, eavesdropping, session-hijacking attacks. When enabling HTTPS one must remember to simultaneously disable access over plain HTTP else data can still be subject to compromise over clear text connections.", "Recommendation": "https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-hadoop-create-linux-clusters-with-secure-transfer-storage?toc=%2Fen-us%2Fazure%2Fhdinsight%2Fstorm%2FTOC.json&bc=%2Fen-us%2Fazure%2Fbread%2Ftoc.json", "Tags": [ "SDL", "TCP", "Manual", "DP", "HDInsight" ], "Enabled": false, "CustomTags": [] }, { "ControlID": "Azure_HDInsight_DP_Storage_Encrypt_At_Rest", "Description": "Storage used for cluster must have encryption at rest enabled", "Id": "HDInsight150", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "Using this feature ensures that sensitive data is stored encrypted at rest. This minimizes the risk of data loss from physical theft and also helps meet regulatory compliance requirements.", "Recommendation": "https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-hadoop-create-linux-clusters-with-secure-transfer-storage?toc=%2Fen-us%2Fazure%2Fhdinsight%2Fstorm%2FTOC.json&bc=%2Fen-us%2Fazure%2Fbread%2Ftoc.json", "Tags": [ "SDL", "TCP", "Manual", "DP", "HDInsight" ], "Enabled": false, "CustomTags": [] }, { "ControlID": "Azure_HDInsight_DP_Dont_Store_Data_On_Cluster_Nodes", "Description": "Sensitive data must be stored on storage linked to cluster and not on cluster node disks", "Id": "HDInsight160", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "Cluster node restart may cause loss of data present on cluster nodes. Also currently HDInsight does not support encryption at rest for cluster node disk.", "Recommendation": "All data must be stored on storage linked with HDInsight cluster", "Tags": [ "SDL", "TCP", "Manual", "DP", "HDInsight" ], "Enabled": false, "CustomTags": [] }, { "ControlID": "Azure_HDInsight_AuthZ_Restrict_Network_Access_To_Cluster_Storage", "Description": "Access to cluster's storage must be restricted to virtual network of the cluster", "Id": "HDInsight170", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Restricting storage access within cluster network boundary reduces the attack surface.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-hadoop-linux-use-ssh-unix", "Tags": [ "SDL", "TCP", "Manual", "AuthZ", "HDInsight" ], "Enabled": false, "CustomTags": [] }, { "ControlID": "Azure_HDInsight_AuthZ_Grant_Min_RBAC_Access_For_Cluster_Operations", "Description": "All users/identities must be granted minimum required cluster operation permissions using Ambari Role Based Access Control (RBAC)", "Id": "HDInsight180", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-authorize-users-to-Ambari#assign-users-to-roles", "Tags": [ "SDL", "TCP", "Manual", "AuthZ", "RBAC", "HDInsight" ], "Enabled": false, "CustomTags": [] }, { "ControlID": "Azure_HDInsight_AuthZ_Restrict_Access_To_Ambari_Views", "Description": "Only required users/identities must be granted access to Ambari views", "Id": "HDInsight190", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Granting access to only required users to Ambari views ensures minimum exposure of underline data resources.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-authorize-users-to-Ambari#grant-permissions-to-hive-views", "Tags": [ "SDL", "TCP", "Manual", "AuthZ", "RBAC", "HDinsight" ], "Enabled": false, "CustomTags": [] }, { "ControlID": "Azure_HDInsight_DP_Rotate_Admin_Password", "Description": "Ambari admin password must be renewed after a regular interval", "Id": "HDInsight111", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-administer-use-portal-linux#change-passwords", "Tags": [ "SDL", "TCP", "Manual", "DP", "HDinsight" ], "Enabled": false, "Rationale": "Periodic key/password rotation is a good security hygiene practice as, over time, it minimizes the likelihood of data loss/compromise which can arise from key theft/brute forcing/recovery attacks.", "CustomTags": [] }, { "ControlID": "Azure_HDInsight_Audit_Use_Diagnostics_Log", "Description": "Diagnostics must be enabled for cluster operations", "Id": "HDInsight122", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Diagnostics logs are needed for creating activity trail while investigating an incident or a compromise.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-hadoop-linux-use-ssh-unix", "Tags": [ "SDL", "TCP", "Manual", "Audit", "HDInsight" ], "Enabled": false, "CustomTags": [] }, { "ControlID": "Azure_HDInsight_DP_No_PlainText_Secrets_In_Notebooks", "Description": "Secrets and keys must not be in plain text in notebooks and jobs", "Id": "HDInsight133", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Keeping secrets such as connection strings, passwords, keys, etc. in clear text can lead to easy compromise. Storing them in a secure place (like KeyVault) ensures that they are protected at rest.", "Recommendation": "Use a key vault backed secret scopes to store any secrets and keys and read them from the respective secret scopes in notebooks and jobs.", "Tags": [ "SDL", "TCP", "Manual", "Audit", "HDInsight" ], "Enabled": false, "CustomTags": [] }, { "ControlID": "Azure_HDInsight_DP_Use_Secure_TLS_Version", "Description": "Use approved version of TLS for HDInsight cluster", "Id": "HDInsight144", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckClusterTLSVersion", "DisplayName": "Use approved version of TLS for HDInsight cluster", "Category": "Encrypt data in transit", "ControlRequirements": "Data must be encrypted in transit and at rest", "Rationale": "TLS provides privacy and data integrity between client and server. Using approved TLS version significantly reduces risks from security design issues and security bugs that may be present in older versions.", "Recommendation": "The TLS setting can only be configured during cluster creation using either the Azure portal, or a Resource Manager template. Refer: https://docs.microsoft.com/en-us/azure/hdinsight/transport-layer-security", "Tags": [ "SDL", "TCP", "DP", "Automated", "HDInsight", "Baseline", "Weekly" ], "Enabled": true, "CustomTags": [], "ControlSettings": { "MinReqTLSVersion": "1.2" } } ] } |