Framework/Configurations/SVT/Services/AnalysisServices.json

{
    "FeatureName": "AnalysisServices",
    "Reference": "aka.ms/azsdkosstcp",
    "IsManintenanceMode": false,
    "Controls": [
                     {
                         "ControlID": "Azure_AnalysisServices_AuthZ_Grant_Min_RBAC_Access",
                         "Description": "All Users/Identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
                         "Id": "AnalysisServices110",
                         "ControlSeverity": "Medium",
                         "Automated": "Yes",
                         "MethodName": "CheckRBACAccess",
                         "Recommendation": "Clean up any unauthorized access on the Analysis service. Run command Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' to get the complete details about this command. Refer Links - https://docs.microsoft.com/en-us/sql/analysis-services/multidimensional-models/roles-and-permissions-analysis-services, https://docs.microsoft.com/en-us/azure/analysis-services/analysis-services-manage-users, https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Automated",
                                      "AuthZ",
                                      "RBAC"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_AnalysisServices_AuthZ_Min_Admin",
                         "Description": "Minimize the number of Analysis Service admins",
                         "Id": "AnalysisServices120",
                         "ControlSeverity": "Medium",
                         "Automated": "Yes",
                         "MethodName": "CheckAnalysisServicesAdmin",
                         "Recommendation": "Add only the minimum number of Analysis Service admins. Run command Set-AzureRmAnalysisServicesServer -Name '{AnalysisServicesServerName}' -ResourceGroupName '{ResourceGroupName}' -Administrator '{Administrator}'. Refer Link - https://docs.microsoft.com/en-us/powershell/module/azurerm.analysisservices/set-azurermanalysisservicesserver?view=azurermps-3.8.0",
                         "Tags": [
                                      "SDL",
                                      "Best Practice",
                                      "Automated",
                                      "AuthZ"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_AnalysisServices_AuthZ_Users_Min_DB_Permission",
                         "Description": "Database users must be added to database roles with minimum required permission",
                         "Id": "AnalysisServices130",
                         "ControlSeverity": "Medium",
                         "Automated": "No",
                         "MethodName": "",
                         "Recommendation": "Database users must be added to database roles. Roles define users and groups that have the same permissions for a database. By default, tabular model databases have a default Users role with Read permissions. Refer Link - https://docs.microsoft.com/en-us/azure/analysis-services/analysis-services-manage-users",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Manual",
                                      "AuthZ"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_AnalysisServices_AuthN_Analysis_Service_Clients",
                         "Description": "Analysis Service clients should authenticate users using Azure Active Directory backed credentials",
                         "Id": "AnalysisServices140",
                         "ControlSeverity": "High",
                         "Automated": "No",
                         "MethodName": "",
                         "Recommendation": "Analysis Services clients like 'Power BI', 'Excel' or any BI Tools should authenticate users using Azure Active Directory backed credentials. Reference Link for Power BI - https://docs.microsoft.com/en-us/azure/power-bi-embedded/power-bi-embedded-app-token-flow. Reference Link for Excel - https://docs.microsoft.com/en-us/azure/analysis-services/analysis-services-connect-excel",
                         "Tags": [
                                      "SDL",
                                      "Best Practice",
                                      "Manual",
                                      "AuthN"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_AnalysisServices_DP_Encrypt_In_Transit",
                         "Description": "Sensitive data in transit must be encrypted",
                         "Id": "AnalysisServices150",
                         "ControlSeverity": "High",
                         "Automated": "No",
                         "MethodName": "",
                         "Recommendation": "Sensitive data like email addresses, phone numbers, credit card numbers, passwords must be encrypted throughout the Analysis Service. Refer Link - https://blogs.msdn.microsoft.com/jason_howell/2013/02/26/how-do-i-ensure-analysis-services-client-tcp-connectivity-is-encrypted/",
                         "Tags": [
                                      "SDL",
                                      "Information",
                                      "Manual",
                                      "DP"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_AnalysisServices_DP_Encrypt_At_Rest",
                         "Description": "Sensitive data must be encrypted at rest",
                         "Id": "AnalysisServices160",
                         "ControlSeverity": "High",
                         "Automated": "No",
                         "MethodName": "",
                         "Recommendation": "Azure Analysis Services utilize Azure Blob storage to persist storage and metadata for Analysis Services databases. Data files within Blob must be encrypted using Azure Blob Server Side Encryption (SSE). Run command 'Set-AzureRmStorageAccount -Name '<StorageAccountName>' -ResourceGroupName '<RGName>' -EnableEncryptionService 'Blob''. Run 'Get-Help Set-AzureRmStorageAccount -full' to get the complete details about this command.",
                         "Tags": [
                                      "SDL",
                                      "Information",
                                      "Manual",
                                      "DP"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_AnalysisServices_BCDR_Plan",
                         "Description": "Backup and Disaster Recovery must be planned for Analysis Services",
                         "Id": "AnalysisServices170",
                         "ControlSeverity": "Medium",
                         "Automated": "Yes",
                         "MethodName": "CheckAnalysisServicesBCDRStatus",
                         "Recommendation": "Go To Azure Portal => Analysis Services => Select Analysis Service => Go To Settings => Select Backups => Select Storage account details and Enabled Backups, Refer Link - https://docs.microsoft.com/en-us/azure/analysis-services/analysis-services-backup",
                         "Tags": [
                                      "SDL",
                                      "Best Practice",
                                      "Automated",
                                      "BCDR"
                                  ],
                         "Enabled": true
                     }
                 ]
}