Framework/Configurations/SVT/Services/Batch.json
|
{
"FeatureName": "Batch", "Reference": "aka.ms/azsdktcp/batch", "IsManintenanceMode": false, "Controls": [ { "ControlID": "Azure_Batch_AuthZ_Grant_Min_RBAC_Access", "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)", "Id": "Batch110", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckRBACAccess", "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.", "Recommendation": "Remove any excessive privileges granted on the Batch service. Run command Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help. Refer: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "Azure_Batch_DP_Encrypt_Linked_Storage", "Description": "Storage Account, linked with Batch account, must be protected using Storage Service Encryption (SSE)", "Id": "Batch120", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckBatchStorageSSE", "Rationale": "Using this feature ensures that sensitive data is stored encrypted at rest. This minimizes the risk of data loss from physical theft and also helps meet regulatory compliance requirements.", "Recommendation": "Enable Storage Service Encryption for the storage account linked to the Batch account, Run command Set-AzureRmStorageAccount -ResourceGroupName '{ResourceGroupName}' -Name '{StorageName}' -EnableEncryptionService 'Blob' ", "Tags": [ "SDL", "TCP", "Automated", "DP" ], "Enabled": true }, { "ControlID": "Azure_Batch_DP_Protect_Secrets_On_Compute_Nodes", "Description": "Secrets must be protected on Batch account compute nodes", "Id": "Batch130", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "", "Recommendation": "Certificates need to be installed on the compute nodes used by Batch in order to protect sensitive information. Run command New-AzureBatchCertificate -FilePath '{FilePath}' -BatchContext '{BatchContext}' -Password '{Password}'. Please refer https://docs.microsoft.com/en-us/powershell/module/azurerm.batch/New-AzureBatchCertificate?view=azurermps-3.8.0", "Tags": [ "SDL", "TCP", "Manual", "DP" ], "Enabled": true }, { "ControlID": "Azure_Batch_DP_Rotate_Access_Keys", "Description": "Batch account access keys must be rotated periodically", "Id": "Batch140", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Periodic key/password rotation is a good security hygiene practice as, over time, it minimizes the likelihood of data loss/compromise which can arise from key theft/brute forcing/recovery attacks.", "Recommendation": "Rotate Batch account access keys at regular intervals as per business requirement. Run command New-AzureRmBatchAccountKey -AccountName '{AccountName}' -KeyType '{KeyType}' -ResourceGroupName '{ResourceGroupName}' Refer: https://docs.microsoft.com/en-us/powershell/module/azurerm.batch/new-azurermbatchaccountkey?view=azurermps-3.7.0", "Tags": [ "SDL", "TCP", "Manual", "DP" ], "Enabled": true }, { "ControlID": "Azure_Batch_NetSec_Disable_RDP_Connection", "Description": "Remote desktop connection should be disabled on Batch account compute nodes", "Id": "Batch150", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "Open RDP/remote management connections expose a VM/compute node to a high level of risk from internet-based attacks that attempt to brute force credentials to gain access to the machine.", "Recommendation": "Remote desktop connection should be disabled. Refer: https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-role-enable-remote-desktop-powershell", "Tags": [ "SDL", "Best Practice", "Manual", "NetSec" ], "Enabled": true }, { "ControlID": "Azure_Batch_BCDR_Persist_Output_To_Storage", "Description": "Batch account tasks and jobs should be configured to persist output to Azure Blob Storage", "Id": "Batch160", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "", "Recommendation": "Use Azure blob storage to persist Batch account tasks and jobs. Refer: https://docs.microsoft.com/en-us/azure/batch/batch-task-output", "Tags": [ "SDL", "Best Practice", "Manual", "BCDR" ], "Enabled": true }, { "ControlID": "Azure_Batch_Audit_Enable_Diagnostics_Log", "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days", "Id": "Batch170", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckDiagnosticsSettings", "Rationale": "Logs should be retained for a long enough period so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. A period of 1 year is typical for several compliance requirements as well.", "Recommendation": "Run command Set-AzureRmDiagnosticSetting -ResourceId {'ResourceId'} -Enable `$true -StorageAccountId '{StorageAccountId}' -RetentionInDays 365 -RetentionEnabled `$true Refer: https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-azure-key-vault", "Tags": [ "SDL", "TCP", "Automated", "Audit", "Diagnostics" ], "Enabled": true }, { "ControlID": "Azure_Batch_Audit_Enable_Metric_Alert", "Description": "Metric alert rules must be configured on Batch account", "Id": "Batch180", "ControlSeverity": "Low", "Automated": "Yes", "MethodName": "CheckBatchMetricAlert", "Rationale": "Metric alerts should be enabled to get alerts for issues that impacts the performance of batch resource when a metric crosses a certain threshold.", "Recommendation": "Add or update a metric-based alert rule by using command Add-AzureRmMetricAlertRule -Location '{Location}'-MetricName 'PoolDeleteCompleteEvent' -Name '{alertName}' -Operator 'GreaterThan' -ResourceGroup '{ResourceGroupName}' -TargetResourceId '{TargetResourceId}' -Threshold 0 -TimeAggregationOperator 'Total' -WindowSize '01:00:00' -Actions '{Actions}'", "Tags": [ "SDL", "Best Practice", "Automated", "Audit" ], "Enabled": true } ] } |