Framework/Configurations/SVT/Services/DataLakeStore.json
{
"FeatureName": "DataLakeStore", "Reference": "aka.ms/azsdkosstcp/adls", "IsManintenanceMode": false, "Controls": [ { "ControlID": "Azure_DataLakeStore_AuthN_AAD_For_Client_AuthN", "Description": "All users/applications are authenticated using Azure Active Directory (AAD) based credentials", "Id": "DataLakeStore110", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "No action required. ADLS supports only AAD authentication.", "Tags": [ "SDL", "Information", "Manual", "AuthN" ], "Enabled": true }, { "ControlID": "Azure_DataLakeStore_AuthZ_Grant_Min_RBAC_Access", "Description": "All Users/Identities must be granted minimum required permissions using Role Based Access Control (RBAC)", "Id": "DataLakeStore120", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckRBACAccess", "Recommendation": "Assign 'Owner' role to Data Lake Store creator at resource group scope. Refer:- https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-configure", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "Azure_DataLakeStore_AuthZ_Assign_ACLs_On_FileSystem", "Description": "Access to Data Lake Store file system must be limited by using appropriate Access Control List (ACL). 'Other' must not have any ACL access", "Id": "DataLakeStore130", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckACLAccess", "Recommendation": "Use PowerShell command Set-AzureRmDataLakeStoreItemAcl [-Account] <String> [-Path] <DataLakeStorePathInstance> [-Acl] <DataLakeStoreItemAcl>. 
Refer :- https://docs.microsoft.com/en-us/azure/data-lake-store/data-lake-store-secure-data#a-namefilepermissionsaassign-users-or-security-group-as-acls-to-the-azure-data-lake-store-file-system", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "Azure_DataLakeStore_AuthZ_Enable_Firewall", "Description": "Firewall must be enabled on Data Lake Store", "Id": "DataLakeStore140", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckFirewall", "Recommendation": "Enable firewall and add rules (Don't add IP range $($this.ControlSettings.UniversalIPRange)). Refer:- https://docs.microsoft.com/en-us/powershell/module/azurerm.datalakestore/add-azurermdatalakestorefirewallrule", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "Azure_DataLakeStore_DP_Use_AdlCopy_Securely", "Description": "AdlCopy tool must be used securely while copying data from storage blobs to Data Lake Store", "Id": "DataLakeStore150", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "Use HTTPS URL for blob storage endpoint.", "Tags": [ "SDL", "TCP", "Manual", "DP" ], "Enabled": true }, { "ControlID": "Azure_DataLakeStore_DP_Use_DataFactory_Securely", "Description": "Data Factory must be used securely while moving data from/to Data Lake Store", "Id": "DataLakeStore160", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "Use service principal authentication in ADF linked service. Refer :- https://docs.microsoft.com/en-us/azure/data-factory/data-factory-azure-datalake-connector#linked-service-properties", "Tags": [ "SDL", "TCP", "Manual", "DP" ], "Enabled": true }, { "ControlID": "Azure_DataLakeStore_AuthZ_Use_SP_For_ADLS_Access", "Description": "Service principal identity should be used by client apps (Web jobs, .NET clients etc.) 
to access Data Lake Store", "Id": "DataLakeStore170", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "Assign ACL(Access Control List) to service principal and use this SP to access ADLS. Refer:- https://docs.microsoft.com/en-us/azure/data-lake-store/data-lake-store-secure-data#a-namefilepermissionsaassign-users-or-security-group-as-acls-to-the-azure-data-lake-store-file-system", "Tags": [ "SDL", "Best Practice", "Manual", "AuthZ" ], "Enabled": true }, { "ControlID": "Azure_DataLakeStore_DP_Encrypt_At_Rest", "Description": "Sensitive data must be encrypted at rest ", "Id": "DataLakeStore180", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckEncryptionAtRest", "Recommendation": "Enable encryption while creating Data Lake Store. Refer :- https://docs.microsoft.com/en-us/azure/data-lake-store/data-lake-store-security-overview#data-protection", "Tags": [ "SDL", "TCP", "Automated", "DP" ], "Enabled": true }, { "ControlID": "Azure_DataLakeStore_DP_Encrypt_In_Transit", "Description": "Sensitive data in transit must be encrypted", "Id": "DataLakeStore190", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "No action required. 
ADLS provides encryption in transit using HTTPS transport layer security.", "Tags": [ "SDL", "Information", "Manual", "DP" ], "Enabled": true }, { "ControlID": "Azure_DataLakeStore_Audit_Enable_Diagnostics_Log", "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days.", "Id": "DataLakeStore200", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckDiagnosticsSettings", "Recommendation": "Enable 'Audit' and 'Requests' logs with retention days $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) or $($this.ControlSettings.Diagnostics_RetentionPeriod_Forever)(forever).", "Tags": [ "SDL", "TCP", "Automated", "Audit", "Diagnostics" ], "Enabled": true }, { "ControlID": "Azure_DataLakeStore_Audit_Review_Logs", "Description": "Diagnostic logs for Data Lake Store should be reviewed periodically", "Id": "DataLakeStore210", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Review diagnostic/activity logs to check activities of resource. 
Refer:- https://docs.microsoft.com/en-us/azure/data-lake-store/data-lake-store-diagnostic-logs and https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-activity-logs", "Tags": [ "SDL", "Best Practice", "Manual", "Audit" ], "Enabled": true }, { "ControlID": "Azure_DataLakeStore_BCDR_Plan", "Description": "Backup and Disaster Recovery must be planned for Data Lake Store", "Id": "DataLakeStore220", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "", "Tags": [ "SDL", "TCP", "Manual", "BCDR" ], "Enabled": true }, { "ControlID": "Azure_DataLakeStore_Config_Cleanup_Data", "Description": "Data in Data Lake Store should be cleaned up using file retention", "Id": "DataLakeStore230", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Set an expiry date by navigating to the file in ADLS data explorer and setting the 'Set Expiry' property, or use the PS command Set-AzureRmDataLakeStoreItemExpiry [-Account] <String> [-Path] <DataLakeStorePathInstance> [[-Expiration] <DateTimeOffset>]", "Tags": [ "SDL", "Best Practice", "Manual", "Config" ], "Enabled": true } ] }