module/ConfigurationProvider/ControlConfigurations/Services/SynapseWorkspace.json

{
  "FeatureName": "SynapseWorkspace",
  "Reference": "",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_SynapseWorkspace_AuthZ_Use_AAD_Only_MCSB",
      "Description": "[MCSB] Synapse Workspaces should only have AAD based authentication enabled",
      "Id": "SynapseWorkspace110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Synapse Workspaces should only have AAD based authentication enabled",
      "Category": "Authentication must be enabled on all user accounts and services",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "Azure AD authentication is used to centrally manage user identities that have access to Azure Synapse to simplify permission management. Enforcing AAD Only Authentication prevents the proliferation of user identities across data lakes.",
      "Recommendation": "To enable Azure AD-only authentication in Synapse Workspace, please refer: https://learn.microsoft.com/en-us/azure/synapse-analytics/sql/active-directory-authentication#disable-local-authentication.",
      "Tags": [
        "Automated",
        "AuthZ",
        "Baseline",
        "SynapseWorkspace"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "3320d1ac-0ebe-41ab-b96c-96fb91214c5c"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_SynapseWorkspace_AuthZ_Use_AAD_Only_KR51",
      "Description": "[KR51] Synapse Workspaces must only have AAD based authentication enabled.",
      "Id": "SynapseWorkspace120",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "ControlScanSource": "Policy",
      "DisplayName": "[KR51] Synapse Workspaces must only have AAD based authentication enabled.",
      "Category": "Authentication must be enabled on all user accounts and services",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "Azure AD authentication is used to centrally manage user identities that have access to Azure Synapse to simplify permission management. Enforcing AAD Only Authentication prevents the proliferation of user identities across data lakes.",
      "Recommendation": "To enable Azure AD-only authentication in Synapse Workspace, please refer: https://learn.microsoft.com/en-us/azure/synapse-analytics/sql/active-directory-authentication#disable-local-authentication.",
      "Tags": [
        "Baseline",
        "Automated",
        "SynapseWorkspace",
        "AuthZ"
      ],
      "CustomPolicyProperties": {
        "PolicyDefinitionandAssignmentIdMapping": [
          {
            "PolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8",
            "AssignmentId": ""
          }
        ]
      },
      "CustomDeploymentPolicyProperties": {
        "PolicyDefinitonMappings": [
          {
            "EffectType": "Deny",
            "DefinitionType": "Definition",
            "DisplayName": "Azure Synapse Workspace authentication mode should be Azure Active Directory Only",
            "Description": "Azure Active Directory (AAD) only authentication methods improves security by ensuring that Synapse Workspaces exclusively require AAD identities for authentication. Learn more at: https://aka.ms/Synapse.",
            "Id": "/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8"
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "KR51",
        "Daily"
      ]
    },
    {
      "ControlID": "Azure_SynapseWorkspace_AuthN_SQL_Pools_Use_Microsoft_Entra_ID_Only",
      "Description": "Synapse workspace SQL pools must have only Microsoft Entra ID based authentication enabled",
      "Id": "SynapseWorkspace130",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDCorReader",
      "MethodName": "CheckSynapseWorkspaceSQLAADOnlyAuth",
      "DisplayName": "Synapse workspace SQL pools must have only Microsoft Entra ID based authentication enabled",
      "Category": "Authentication must be enabled on all user accounts and services",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "The built-in SQL pool of the Synapse workspace creates an admin login and password by default, but it can be restricted to AAD authentication only. This helps mitigate brute force attacks or misconfigurations across environments that could compromise the password and grant access to the SQL pool.",
      "Recommendation": "1. Navigate to the Synapse resource in Azure Portal. 2. Go to 'Microsoft Entra ID' under the settings tab. 3. Check the property 'Support only Microsoft Entra ID authentication for this workspace'. Make sure a Microsoft Entra admin is set. Refer to: https://learn.microsoft.com/en-us/azure/synapse-analytics/sql/active-directory-authentication#disable-local-authentication",
      "Tags": [
        "Automated",
        "AuthN",
        "Baseline",
        "SynapseWorkspace"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "3320d1ac-0ebe-41ab-b96c-96fb91214c5c"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)OffByPolicy|Exempt(.)",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": true,
      "CustomTags": [
        "Daily",
        "TBv11",
        "TenantBaseline",
        "MSD",
        "EDPreview",
        "SMTPreview",
        "SN:Synapse_MicrosoftEntraID_AuthOnly"
      ]
    },
    {
      "ControlID": "Azure_SynapseWorkspace_Audit_Enable_Diagnostics_Log",
      "Description": "Diagnostic settings must be enabled for Azure Synapse workspace",
      "Id": "SynapseWorkspace140",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckDiagnosticsSettings",
      "DisplayName": "Diagnostic settings must be enabled for Synapse workspace",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Diagnostic logs are needed for creating activity trail while investigating an incident or a compromise.",
      "Recommendation": "You can create or update the diagnostic settings from the Azure Portal by following the steps given here: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=portal#create-diagnostic-settings.",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "SynapseWorkspace",
        "Audit",
        "Diagnostics"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "DiagnosticSettings"
        ]
      },
      "ControlSettings": {
        "DiagnosticForeverRetentionValue": "0",
        "DiagnosticMinRetentionPeriod": "90",
        "DiagnosticLogs": [
          "SynapseRbacOperations",
          "GatewayApiRequests",
          "SQLSecurityAuditEvents",
          "BuiltinSqlReqsEnded",
          "IntegrationPipelineRuns",
          "IntegrationActivityRuns",
          "IntegrationTriggerRuns",
          "SynapseLinkEvent"
        ]
      },
      "Enabled": true,
      "CustomTags": [
        "Daily",
        "TBv11",
        "TenantBaseline",
        "MSD",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "SN:Synapse_Diagnostics"
      ]
    },
    {
      "ControlID": "Azure_Synapse_NetSec_Dont_Allow_Universal_IP_Range",
      "Description": "Do not use Any-to-Any IP range for Azure Synapse Workspace",
      "Id": "SynapseWorkspace150",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckSynapseWorkspaceFirewallIpRange",
      "DisplayName": "Do not use Any-to-Any IP range for Azure Synapse Workspace",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "Using the firewall feature ensures that access to the data or the service is restricted to a specific set/group of clients. For effective usage, allow only the required IPs. Allowing larger ranges like 0.0.0.0/0, 0.0.0.0/1, 128.0.0.0/1, etc. will defeat the purpose.",
      "Recommendation": "To remediate an unmanaged Synapse Workspace, remove the Any-to-Any firewall IP address rule: Go to Azure Portal --> your Synapse Workspace --> Settings --> Networking --> Firewall rules --> Select the Any-to-Any firewall rule (allowAll rule) --> Delete --> Save. To keep access to an unmanaged Synapse Workspace, add individual firewall IP address rules instead. To remediate a managed Synapse Workspace, disable public network access: Go to Azure Portal --> your Synapse Workspace --> Settings --> Networking --> Public network access to workspace endpoints --> Disabled --> Save. To access a managed Synapse Workspace, configure a private endpoint connection; refer: https://learn.microsoft.com/en-us/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. For connecting Azure Synapse Studio using Azure Private Link Hub, refer: https://learn.microsoft.com/en-us/azure/synapse-analytics/security/synapse-private-link-hubs",
      "Tags": [
        "Automated",
        "NetSec",
        "Baseline",
        "SynapseWorkspace"
      ],
      "ControlSettings": {
        "IPRangeStartIP": "0.0.0.0",
        "IPRangeEndIP": "255.255.255.255"
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "PublicNetworkAccess",
          "FirewallRules"
        ]
      },
      "Enabled": true,
      "CustomTags": [
        "Weekly",
        "TBv11",
        "SN:Synapse_DisablePublicAccess"
      ]
    }
  ]
}