Framework/Configurations/SVT/Services/DataFactory.json

{
  "FeatureName": "DataFactory",
  "Reference": "aka.ms/azsdkosstcp/adf",
  "IsManintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_DataFactory_DP_LinkSvc_Encrypt_In_Transit",
      "Description": "Linked Service must use encryption in transit",
      "Id": "DataFactory110",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckDataFactoryLinkedService",
      "Recommendation": "Linked Services used to transfer data between a data source and Azure Data Factory must use encrypted channels to transmit the data (e.g., for an Azure Storage account the HTTPS endpoint must be specified in the service JSON and, similarly, for SQL Server the JSON must have Encrypt=True in the connection string, etc.). Encryption alone does not protect against man-in-the-middle attacks: the client must also validate the server certificate, so do not set TrustServerCertificate=True in SQL connection strings.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_DataFactory_AuthZ_Grant_Min_Access",
      "Description": "User accounts/roles connecting to data source must have minimum required permissions",
      "Id": "DataFactory120",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "All user accounts/roles that Azure Data Factory uses to connect to data sources must be granted only the minimum access rights required for the pipeline's activities (e.g., if the Data Factory only reads data from a data source, the account employed must have read-only access and no write, schema-change or administrative rights).",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_DataFactory_Config_Lockdown_DMG_Server",
      "Description": "Data Management Gateway (DMG), if used, must be installed on a locked down machine",
      "Id": "DataFactory130",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "The DMG host is the bridge between Azure Data Factory and the data sources it reaches, so compromise of the machine can expose those sources. Use Windows Server lockdown templates (security baselines) to minimize the attack surface available: remove unnecessary roles and features, restrict inbound connectivity, and limit interactive logon to the administrators who maintain the gateway. For the most critical scenarios, consider using the Code Integrity feature as well so that only trusted binaries can run on the host.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "Config"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_DataFactory_Deploy_Register_DMG_Securely",
      "Description": "Data Management Gateway (DMG), if used, must be registered in secure way",
      "Id": "DataFactory140",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Use a PowerShell-based approach to register the gateway instead of manually handling the key, to minimize the operational risk of the key being exposed. Treat the registration key as a secret (do not send it over e-mail/chat or leave it in scripts) and rotate it if exposure is suspected. Refer: https://docs.microsoft.com/en-us/azure/data-factory/data-factory-data-management-gateway#powershell-cmdlets",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "Deploy"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_DataFactory_DP_Rotate_Gateway_Key",
      "Description": "Data Gateway key (on Azure Portal) must be rotated periodically",
      "Id": "DataFactory150",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Rotate the Data Gateway key at least every six months, whenever the DMG service account password is renewed, and whenever the key may have been exposed (e.g., a person who handled it leaves the team), in order to limit the window in which a leaked or guessed key remains usable.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_DataFactory_AuthZ_Use_Svc_Acct_for_DMG",
      "Description": "Linked Service must be setup using a service account when Data Management Gateway is used ",
      "Id": "DataFactory160",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Configuration of a Linked Service involves credentials (username, password, etc.) for the target data source. Instead, grant the service account that runs the DMG access to the target data source so that the Linked Service can use integrated (Windows) authentication and no credentials need to be stored in the Linked Service definition. The service account itself must still be granted only the minimum rights required (see control DataFactory120).",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_DataFactory_Audit_Enable_Logging_and_Monitoring",
      "Description": "Monitoring must be enabled for Azure Data Factory",
      "Id": "DataFactory180",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Enable monitoring and alerting for Azure Data Factory so that pipeline/activity failures and unexpected runs are detected and can be investigated. Refer: https://docs.microsoft.com/en-us/azure/data-factory/data-factory-monitor-manage-app",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "Audit"
      ],
      "Enabled": true
    }
  ]
}