Framework/Configurations/SVT/Services/Batch.json

{
    "FeatureName": "Batch",
    "Reference": "aka.ms/azsktcp/batch",
    "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_Batch_AuthZ_Grant_Min_RBAC_Access",
      "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
      "Id": "Batch110",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRBACAccess",
      "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",
      "Recommendation": "Remove any excessive privileges granted on the Batch service. Run command Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help. Refer: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "RBAC"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Batch_DP_Encrypt_Linked_Storage",
      "Description": "Storage Account, linked with Batch account, must be protected using Storage Service Encryption (SSE)",
      "Id": "Batch120",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Using this feature ensures that sensitive data is stored encrypted at rest. This minimizes the risk of data loss from physical theft and also helps meet regulatory compliance requirements.",
      "Recommendation": "Default behavior. No action required.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "Information",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Batch_DP_Protect_Secrets_On_Compute_Nodes",
      "Description": "Secrets associated with tasks must be protected on Batch service compute nodes",
      "Id": "Batch130",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Encrypting the sensitive data like secrets/keys minimizes the exposure until runtime. Using the uploaded certificates, compute nodes can decrypt the secrets as needed at runtime.",
      "Recommendation": "Certificates need to be installed on the compute nodes used by Batch in order to protect sensitive information. Run command New-AzureBatchCertificate -FilePath '{FilePath}' -BatchContext '{BatchContext}' -Password '{Password}'. Note: Password value should be a secure string variable. Please refer https://docs.microsoft.com/en-us/azure/batch/batch-api-basics#security-with-certificates",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Batch_DP_Rotate_Access_Keys",
      "Description": "Batch account access keys must be rotated periodically",
      "Id": "Batch140",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Periodic key/password rotation is a good security hygiene practice as, over time, it minimizes the likelihood of data loss/compromise which can arise from key theft/brute forcing/recovery attacks.",
      "Recommendation": "Rotate Batch account access keys at regular intervals as per business requirement. Run command New-AzureRmBatchAccountKey -AccountName '{AccountName}' -KeyType '{KeyType}' -ResourceGroupName '{ResourceGroupName}' Refer: https://docs.microsoft.com/en-us/powershell/module/azurerm.batch/new-azurermbatchaccountkey",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Batch_NetSec_Disable_RDP_Connection",
      "Description": "Remote desktop connection should be disabled on Batch account compute nodes",
      "Id": "Batch150",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Open RDP/remote management connections expose a VM/compute node to a high level of risk from internet-based attacks that attempt to brute force credentials to gain access to the machine.",
      "Recommendation": "Remote desktop connection should be disabled. Refer: https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-role-enable-remote-desktop-powershell",
      "Tags": [
        "SDL",
        "Best Practice",
        "Manual",
        "NetSec"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Batch_BCDR_Persist_Output_To_Storage",
      "Description": "Batch account tasks and jobs should be configured to persist output to Azure Blob Storage",
      "Id": "Batch160",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Batch service works on the compute nodes. It is good to persist the data into SSE enabled storage account. Otherwise, on the crash of compute node, would result in the data loss.",
      "Recommendation": "Use Azure blob storage to persist Batch account tasks and jobs. Refer: https://docs.microsoft.com/en-us/azure/batch/batch-task-output",
      "Tags": [
        "SDL",
        "Best Practice",
        "Manual",
        "BCDR"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Batch_Audit_Enable_Diagnostics_Log",
      "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days",
      "Id": "Batch170",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckDiagnosticsSettings",
      "Rationale": "Logs should be retained for a long enough period so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. A period of 1 year is typical for several compliance requirements as well.",
      "Recommendation": "Run command: Set-AzureRmDiagnosticSetting -ResourceId {'ResourceId'} -Enable `$true -StorageAccountId '{StorageAccountId}' -RetentionInDays $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) -RetentionEnabled `$true",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "Diagnostics"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Batch_Audit_Enable_Metric_Alert",
      "Description": "Metric alert rules must be configured on Batch account",
      "Id": "Batch180",
      "ControlSeverity": "Low",
      "Automated": "Yes",
      "MethodName": "CheckBatchMetricAlert",
      "Rationale": "Metric alerts should be enabled to get alerts for issues that impacts the performance of batch resource when a metric crosses a certain threshold.",
      "Recommendation": "Add or update a metric-based alert rule by using command Add-AzureRmMetricAlertRule -Location '{Location}'-MetricName 'PoolDeleteCompleteEvent' -Name '{alertName}' -Operator 'GreaterThan' -ResourceGroup '{ResourceGroupName}' -TargetResourceId '{TargetResourceId}' -Threshold 0 -TimeAggregationOperator 'Total' -WindowSize '01:00:00' -Action '{Comma-separated list of actions}'",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "Audit"
      ],
      "Enabled": true
    }
  ]
}