"FeatureName": "HDInsight", "Reference": "", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_HDInsight_Deploy_Supported_Cluster_Version", "Description": "HDInsight must have supported HDI cluster version", "Id": "HDInsight110", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "Being on the latest/supported HDInsight version significantly reduces risks from security bugs or updates that may be present in older or retired cluster versions.", "Recommendation": "Refer:", "Tags": [ "SDL", "TCP", "Manual", "SI", "HDInsight" ], "Enabled": true }, { "ControlID": "Azure_HDInsight_AuthN_Use_SSH_Keys_For_Login", "Description": "Use Public-Private key pair together with a passcode for SSH login", "Id": "HDInsight120", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "Public-Private key pair help to protect against password guessing and brute force attacks", "Recommendation": "Refer:", "Tags": [ "SDL", "TCP", "Manual", "SI", "HDInsight" ], "Enabled": true }, { "ControlID": "Azure_HDInsight_AuthZ_Restrict_Cluster_Network_Access", "Description": "HDInsight cluster access must be restricted using virtual network or Azure VPN gateway service with NSG traffic rules", "Id": "HDInsight130", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "Restricting cluster access with inbound and outbound traffic via NSGs limits the network exposure for cluster and reduces the attack surface.", "Recommendation": "You should restrict IP range and port as per application needs. Refer:", "Tags": [ "SDL", "TCP", "Manual", "AuthZ", "HDInsight" ], "Enabled": true }, { "ControlID": "Azure_HDInsight_DP_Storage_Encrypt_In_Transit", "Description": "Secure transfer protocol must be used for accessing storage account resources", "Id": "HDInsight140", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "Use of secure transfer ensures server/service authentication and protects data in transit from network layer man-in-the-middle, eavesdropping, session-hijacking attacks. When enabling HTTPS one must remember to simultaneously disable access over plain HTTP else data can still be subject to compromise over clear text connections.", "Recommendation": "", "Tags": [ "SDL", "TCP", "Manual", "DP", "HDInsight" ], "Enabled": true }, { "ControlID": "Azure_HDInsight_DP_Storage_Encrypt_At_Rest", "Description": "Storage used for cluster must have encryption at rest enabled", "Id": "HDInsight150", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "Using this feature ensures that sensitive data is stored encrypted at rest. This minimizes the risk of data loss from physical theft and also helps meet regulatory compliance requirements.", "Recommendation": "", "Tags": [ "SDL", "TCP", "Manual", "DP", "HDInsight" ], "Enabled": true }, { "ControlID": "Azure_HDInsight_DP_Dont_Store_Data_On_Cluster_Nodes", "Description": "Sensitive data must be stored on storage linked to cluster and not on cluster node disks", "Id": "HDInsight160", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "Cluster node restart may cause loss of data present on cluster nodes. Also currently HDInsight does not support encryption at rest for cluster node disk.", "Recommendation": "All data must be stored on storage linked with HDInsight cluster", "Tags": [ "SDL", "TCP", "Manual", "DP", "HDInsight" ], "Enabled": true }, { "ControlID": "Azure_HDInsight_AuthZ_Restrict_Network_Access_To_Cluster_Storage", "Description": "Access to cluster's storage must be restricted to virtual network of the cluster", "Id": "HDInsight170", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Restricting storage access within cluster network boundary reduces the attack surface.", "Recommendation": "Refer:", "Tags": [ "SDL", "TCP", "Manual", "AuthZ", "HDInsight" ], "Enabled": true }, { "ControlID": "Azure_HDInsight_AuthZ_Grant_Min_RBAC_Access_For_Cluster_Operations", "Description": "All users/identities must be granted minimum required cluster operation permissions using Ambari Role Based Access Control (RBAC)", "Id": "HDInsight180", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.", "Recommendation": "Refer:", "Tags": [ "SDL", "TCP", "Manual", "AuthZ", "RBAC", "HDInsight" ], "Enabled": true }, { "ControlID": "Azure_HDInsight_AuthZ_Restrict_Access_To_Ambari_Views", "Description": "Only required users/identities must be granted access to Ambari views", "Id": "HDInsight190", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Granting access to only required users to Ambari views ensures minimum exposure of underline data resources.", "Recommendation": "Refer:", "Tags": [ "SDL", "TCP", "Manual", "AuthZ", "RBAC", "HDinsight" ], "Enabled": true }, { "ControlID": "Azure_AppService_DP_Rotate_Admin_Password", "Description": "Ambari admin password must be renewed after a regular interval", "Id": "HDInsight111", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Refer:", "Tags": [ "SDL", "TCP", "Manual", "DP", "HDinsight" ], "Enabled": true, "Rationale": "Periodic key/password rotation is a good security hygiene practice as, over time, it minimizes the likelihood of data loss/compromise which can arise from key theft/brute forcing/recovery attacks." }, { "ControlID": "Azure_HDInsight_Audit_Use_Diagnostics_Log", "Description": "Diagnostics must be enabled for cluster operations", "Id": "HDInsight122", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Diagnostics logs are needed for creating activity trail while investigating an incident or a compromise.", "Recommendation": "Refer:", "Tags": [ "SDL", "TCP", "Manual", "Audit", "HDInsight" ], "Enabled": true } ] } |