module/ConfigurationProvider/ControlConfigurations/Services/HDInsight.json

{
  "FeatureName": "HDInsight",
  "Reference": "aka.ms/azsktcp/hdinsight",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_HDInsight_Deploy_Supported_Cluster_Version",
      "Description": "HDInsight must use a supported HDI cluster version",
      "Id": "HDInsight110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckClusterVersion",
      "DisplayName": "HDInsight must use a supported HDI cluster version",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "Rationale": "Being on the latest/supported HDInsight version significantly reduces risks from security bugs and unpatched issues that may be present in older or retired cluster versions.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-component-versioning?#supported-hdinsight-versions https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-upgrade-cluster",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "SI",
        "HDInsight",
        "Baseline",
        "Weekly",
        "CSEOPilotP1",
        "CSEOPilotSub"
      ],
      "Enabled": true,
      "ControlSettings": {
        "MinRequiredClusterVersion": "3.6.0"
      },
      "CustomTags": [
        "CSEOBaseline",
        "CSEOPilot",
        "EligibleForSelfAttestation"
      ]
    },
    {
      "ControlID": "Azure_HDInsight_NetSec_Restrict_Cluster_Network_Access",
      "DisplayName": "HDInsight cluster access must be restricted using virtual network or Azure VPN gateway service with NSG traffic rules",
      "Description": "HDInsight cluster access must be restricted using virtual network or Azure VPN gateway service with NSG traffic rules",
      "Id": "HDInsight130",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "MethodName": "CheckClusterNetworkProfile",
      "Rationale": "Restricting inbound and outbound cluster traffic via NSGs limits the cluster's network exposure and reduces the attack surface.",
      "Recommendation": "You should restrict IP range and port as per application needs. Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-extend-hadoop-virtual-network. Note: In case the IP range is indeterminate (for instance, if the client is a PaaS endpoint), you may need to attest this control.",
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "ComputeProfile"
        ]
      },
      "Tags": [
        "Baseline",
        "Weekly",
        "SDL",
        "TCP",
        "NetSec",
        "HDInsight"
      ],
      "Enabled": true,
      "CustomTags": []
    },
    {
      "ControlID": "Azure_HDInsight_DP_Use_Secure_TLS_Version",
      "Description": "Use approved version of TLS for HDInsight cluster",
      "Id": "HDInsight144",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckClusterTLSVersion",
      "DisplayName": "Use approved version of TLS for HDInsight cluster",
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Rationale": "TLS provides confidentiality and data integrity between client and server. Using approved TLS version significantly reduces risks from security design issues and security bugs that may be present in older versions.",
      "Recommendation": "The TLS setting can only be configured during cluster creation, using either the Azure portal or a Resource Manager template. Refer: https://docs.microsoft.com/en-us/azure/hdinsight/transport-layer-security",
      "Tags": [
        "SDL",
        "TCP",
        "DP",
        "Automated",
        "HDInsight",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "CustomTags": [],
      "ControlSettings": {
        "MinReqTLSVersion": "1.2"
      }
    }
  ]
}