Framework/Configurations/SVT/Services/DataFactoryV2.json

{
  "FeatureName": "DataFactoryV2",
  "Reference": "aka.ms/azsktcp/datafactoryv2",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_DataFactoryV2_AuthZ_Grant_Min_Access",
      "Description": "User accounts/roles connecting to data source must have minimum required permissions",
      "Id": "DataFactoryV2110",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Granting minimum access ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",
      "Recommendation": "All user accounts/roles which are involved in Azure Data Factory must have minimum required access rights to data sources. (e.g. If the Data Factory is just reading data from the data source then the account employed must use just read-only access.)",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DataFactoryV2",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_DataFactoryV2_DP_KeyVault_for_LinkedSvc_Credentials",
      "Description": "All linked service credentials should be stored in Key Vault.",
      "Id": "DataFactoryV2120",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Keeping secrets such as DB connection strings, passwords, keys, etc., in clear text can lead to easy compromise at various avenues during an application's lifecycle. Storing them in a key vault ensures that they are protected at rest.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/data-factory/store-credentials-in-key-vault",
      "Tags": [
        "SDL",
        "TCP",
        "DP",
        "DataFactoryV2",
        "Manual"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_DataFactoryV2_AuthN_Use_Service_Identity",
      "Description": "Data factory must use a service identity for authenticating to supported linked services.",
      "Id": "DataFactoryV2130",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Using a service identity for authentication ensures that there is a built-in high level of assurance for subsequent access control.",
      "Recommendation": "If the data factory was created through Azure SDK or REST API and does not have a service identity then run command: Set-AzureRmDataFactoryV2 -ResourceGroupName <resourceGroupName> -Name <dataFactoryName> -Location <region>",
      "Tags": [
        "SDL",
        "Best Practice",
        "DP",
        "DataFactoryV2",
        "Manual"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_DataFactoryV2_DP_Configure_Secure_Output",
      "Description": "Configure activity output as 'Secure Output' if the activity emits sensitive data.",
      "Id": "DataFactoryV2140",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Configuring activity output as 'Secure Output' prevents it from getting logged to monitoring.",
      "Recommendation": "To enable secure output, please follow these steps - (a) Logon to https://portal.azure.com/ (b) Navigate to 'Data factories' (c) Navigate to the data factory you want to modify (d) Click on the 'Author and Monitor'. This will launch the data factory portal (e) Select the appropriate activity under the pipeline you want to modify (f) Go to 'General' tab and select the checkbox 'Secure Output' (g) Publish the pipeline.",
      "Tags": [
        "SDL",
        "Best Practice",
        "DP",
        "DataFactoryV2",
        "Manual"
      ],
      "Enabled": true
    }
 
 
  ]
}