Framework/Configurations/SVT/Services/HDInsight.json

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
{
  "FeatureName": "HDInsight",
  "Reference": "aka.ms/azsktcp/hdinsight",
  "IsMaintenanceMode": false,
   "Controls": [
      {
         "ControlID": "Azure_HDInsight_Deploy_Supported_Cluster_Version",
         "Description": "HDInsight must have supported HDI cluster version",
         "Id": "HDInsight110",
         "ControlSeverity": "High",
         "Automated": "Yes",
         "MethodName": "CheckClusterVersion",
         "Rationale": "Being on the latest/supported HDInsight version significantly reduces risks from security bugs or updates that may be present in older or retired cluster versions.",
         "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-component-versioning?#supported-hdinsight-versions https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-upgrade-cluster",
         "Tags": [
            "SDL",
            "TCP",
            "Manual",
            "SI",
            "HDInsight"
         ],
         "Enabled": true
      },
      {
        "ControlID": "Azure_HDInsight_AuthN_Use_SSH_Keys_For_Login",
        "Description": "Use Public-Private key pair together with a passcode for SSH login",
        "Id": "HDInsight120",
        "ControlSeverity": "High",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Public-Private key pair help to protect against password guessing and brute force attacks",
        "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-hadoop-linux-use-ssh-unix",
        "Tags": [
           "SDL",
           "TCP",
           "Manual",
           "SI",
           "HDInsight"
        ],
        "Enabled": true
     },
     {
        "ControlID": "Azure_HDInsight_AuthZ_Restrict_Cluster_Network_Access",
        "Description": "HDInsight cluster access must be restricted using virtual network or Azure VPN gateway service with NSG traffic rules",
        "Id": "HDInsight130",
        "ControlSeverity": "High",
        "Automated": "Yes",
        "MethodName": "CheckClusterNetworkProfile",
        "Rationale": "Restricting cluster access with inbound and outbound traffic via NSGs limits the network exposure for cluster and reduces the attack surface.",
        "Recommendation": "You should restrict IP range and port as per application needs. Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-extend-hadoop-virtual-network. Note: In case the IP range is indeterminate (for instance, if the client is a PaaS endpoint), you may need to attest this control.",
        "Tags": [
          "SDL",
          "TCP",
          "Manual",
          "AuthZ",
          "HDInsight"
        ],
        "Enabled": true
      },
      {
        "ControlID": "Azure_HDInsight_DP_Storage_Encrypt_In_Transit",
        "Description": "Secure transfer protocol must be used for accessing storage account resources",
        "Id": "HDInsight140",
        "ControlSeverity": "High",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Use of secure transfer ensures server/service authentication and protects data in transit from network layer man-in-the-middle, eavesdropping, session-hijacking attacks. When enabling HTTPS one must remember to simultaneously disable access over plain HTTP else data can still be subject to compromise over clear text connections.",
        "Recommendation": "https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-hadoop-create-linux-clusters-with-secure-transfer-storage?toc=%2Fen-us%2Fazure%2Fhdinsight%2Fstorm%2FTOC.json&bc=%2Fen-us%2Fazure%2Fbread%2Ftoc.json",
        "Tags": [
           "SDL",
           "TCP",
           "Manual",
           "DP",
           "HDInsight"
        ],
        "Enabled": true
     },
     {
        "ControlID": "Azure_HDInsight_DP_Storage_Encrypt_At_Rest",
        "Description": "Storage used for cluster must have encryption at rest enabled",
        "Id": "HDInsight150",
        "ControlSeverity": "High",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Using this feature ensures that sensitive data is stored encrypted at rest. This minimizes the risk of data loss from physical theft and also helps meet regulatory compliance requirements.",
        "Recommendation": "https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-hadoop-create-linux-clusters-with-secure-transfer-storage?toc=%2Fen-us%2Fazure%2Fhdinsight%2Fstorm%2FTOC.json&bc=%2Fen-us%2Fazure%2Fbread%2Ftoc.json",
        "Tags": [
           "SDL",
           "TCP",
           "Manual",
           "DP",
           "HDInsight"
        ],
        "Enabled": true
     },
     {
        "ControlID": "Azure_HDInsight_DP_Dont_Store_Data_On_Cluster_Nodes",
        "Description": "Sensitive data must be stored on storage linked to cluster and not on cluster node disks",
        "Id": "HDInsight160",
        "ControlSeverity": "High",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Cluster node restart may cause loss of data present on cluster nodes. Also currently HDInsight does not support encryption at rest for cluster node disk.",
        "Recommendation": "All data must be stored on storage linked with HDInsight cluster",
        "Tags": [
           "SDL",
           "TCP",
           "Manual",
           "DP",
           "HDInsight"
        ],
        "Enabled": true
     },
     {
        "ControlID": "Azure_HDInsight_AuthZ_Restrict_Network_Access_To_Cluster_Storage",
        "Description": "Access to cluster's storage must be restricted to virtual network of the cluster",
        "Id": "HDInsight170",
        "ControlSeverity": "Medium",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Restricting storage access within cluster network boundary reduces the attack surface.",
        "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-hadoop-linux-use-ssh-unix",
        "Tags": [
           "SDL",
           "TCP",
           "Manual",
           "AuthZ",
           "HDInsight"
        ],
        "Enabled": true
     },
      {
        "ControlID": "Azure_HDInsight_AuthZ_Grant_Min_RBAC_Access_For_Cluster_Operations",
        "Description": "All users/identities must be granted minimum required cluster operation permissions using Ambari Role Based Access Control (RBAC)",
        "Id": "HDInsight180",
        "ControlSeverity": "Medium",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",
        "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-authorize-users-to-Ambari#assign-users-to-roles",
        "Tags": [
          "SDL",
          "TCP",
          "Manual",
          "AuthZ",
          "RBAC",
          "HDInsight"
        ],
        "Enabled": true
      },
      {
        "ControlID": "Azure_HDInsight_AuthZ_Restrict_Access_To_Ambari_Views",
        "Description": "Only required users/identities must be granted access to Ambari views",
        "Id": "HDInsight190",
        "ControlSeverity": "Medium",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Granting access to only required users to Ambari views ensures minimum exposure of underline data resources.",
        "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-authorize-users-to-Ambari#grant-permissions-to-hive-views",
        "Tags": [
          "SDL",
          "TCP",
          "Manual",
          "AuthZ",
          "RBAC",
          "HDinsight"
        ],
        "Enabled": true
      },
      {
        "ControlID": "Azure_HDInsight_DP_Rotate_Admin_Password",
        "Description": "Ambari admin password must be renewed after a regular interval",
        "Id": "HDInsight111",
        "ControlSeverity": "Medium",
        "Automated": "No",
        "MethodName": "",
        "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-administer-use-portal-linux#change-passwords",
        "Tags": [
          "SDL",
          "TCP",
          "Manual",
          "DP",
          "HDinsight"
        ],
        "Enabled": true,
        "Rationale": "Periodic key/password rotation is a good security hygiene practice as, over time, it minimizes the likelihood of data loss/compromise which can arise from key theft/brute forcing/recovery attacks."
      },
      {
        "ControlID": "Azure_HDInsight_Audit_Use_Diagnostics_Log",
        "Description": "Diagnostics must be enabled for cluster operations",
        "Id": "HDInsight122",
        "ControlSeverity": "Medium",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Diagnostics logs are needed for creating activity trail while investigating an incident or a compromise.",
        "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-hadoop-linux-use-ssh-unix",
        "Tags": [
           "SDL",
           "TCP",
           "Manual",
           "Audit",
           "HDInsight"
        ],
        "Enabled": true
     },
     {
      "ControlID": "Azure_HDInsight_DP_No_PlainText_Secrets_In_Notebooks",
      "Description": "Secrets and keys must not be in plain text in notebooks and jobs",
      "Id": "HDInsight133",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Keeping secrets such as connection strings, passwords, keys, etc. in clear text can lead to easy compromise. Storing them in a secure place (like KeyVault) ensures that they are protected at rest.",
      "Recommendation": "Use a key vault backed secret scopes to store any secrets and keys and read them from the respective secret scopes in notebooks and jobs.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "Audit",
        "HDInsight"
      ],
      "Enabled": true
    }
    ]
}