module/ConfigurationProvider/ControlConfigurations/Services/DataFactory.json
{
"FeatureName": "DataFactory", "Reference": "aka.ms/azsktcp/datafactory", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_DataFactory_DP_Avoid_Plaintext_Secrets", "Description": "Data Factory must not have secrets/credentials present in plain text", "Id": "DataFactory10", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "DataFactoryAvoidPlaintextSecretsAsync", "DisplayName": "Data Factory must not have secrets/credentials present in plain text", "Category": "Credentials Access", "ControlRequirements": "Eliminating plain text credentials", "Rationale": "Keeping secrets/credentials such as DB connection strings, passwords, keys, etc. in plain text can lead to exposure at various avenues during an application's lifecycle. Storing them in a key vault ensures that they are protected at rest.", "Recommendation": "Find detected secrets/credentials using the information available in the UI, rotate those credentials and remove them. Use KeyVaults for storing secrets. (Store credentials in Azure Key Vault - Azure Data Factory | Microsoft Docs - https://docs.microsoft.com/en-us/azure/data-factory/store-credentials-in-key-vault; Use Azure Key Vault secrets in pipeline activities - Azure Data Factory | Microsoft Docs - https://docs.microsoft.com/en-us/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities). Use SecureString parameter types for parameters with credentials.", "Tags": [ "SDL", "TCP", "Automated", "DP", "Baseline", "Daily" ], "CustomTags": [ "Wave9", "TenantBaseline", "Prod", "CAIPreview", "EDPreview", "SMTPreview", "CAIWave1", "Secrets" ], "Enabled": true }, { "ControlID": "Azure_DataFactory_Audit_Enable_Diagnostic_Settings", "Description": "Enable Security Logging in Azure Data Factories", "Id": "DataFactory120", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckDiagnosticsSettings", "Rationale": "Logs should be retained for a long enough period so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. A period of 1 year is typical for several compliance requirements as well.", "Recommendation": "You can change the diagnostic settings from the Azure Portal by following the steps given here: https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings.", "Enabled": true, "DisplayName": "Enable Security Logging in Azure Data Factories", "Category": "Monitoring must be correctly configured", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "Tags": [ "Audit", "Baseline", "DataFactory", "Automated", "Diagnostics" ], "ControlEvaluationDetails": { "RequiredProperties": [ "DiagnosticSettings" ] }, "ControlSettings": { "DiagnosticForeverRetentionValue": "0", "DiagnosticMinRetentionPeriod": "90", "DiagnosticLogs": [ "ActivityRuns", "PipelineRuns", "TriggerRuns", "SandboxPipelineRuns", "SandboxActivityRuns", "SSISPackageEventMessages", "SSISPackageExecutableStatistics", "SSISPackageEventMessageContext", "SSISPackageExecutionComponentPhases", "SSISPackageExecutionDataStatistics", "SSISIntegrationRuntimeLogs", "AirflowTaskLogs", "AirflowWorkerLogs", "AirflowDagProcessingLogs", "AirflowSchedulerLogs", "AirflowWebLogs" ] }, "CustomTags": [ "Daily", "TenantBaseline", "MSD", "TBv12", 
"SN:DataFactory_Logging" ] } ] }