Framework/Configurations/SVT/Services/HDInsight.json

{
  "FeatureName": "HDInsight",
  "Reference": "aka.ms/azsktcp/hdinsight",
  "IsMaintenanceMode": false,
   "Controls": [
      {
         "ControlID": "Azure_HDInsight_Deploy_Supported_Cluster_Version",
         "Description": "HDInsight must have supported HDI cluster version",
         "Id": "HDInsight110",
         "ControlSeverity": "High",
         "Automated": "Yes",
         "MethodName": "CheckClusterVersion",
         "Rationale": "Being on the latest/supported HDInsight version significantly reduces risks from security bugs or updates that may be present in older or retired cluster versions.",
         "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-component-versioning?#supported-hdinsight-versions https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-upgrade-cluster",
         "Tags": [
            "SDL",
            "TCP",
            "Manual",
            "SI",
            "HDInsight"
         ],
         "Enabled": true,
         "PolicyDefinitionGuid": "HDInsight110"
      },
      {
        "ControlID": "Azure_HDInsight_AuthN_Use_SSH_Keys_For_Login",
        "Description": "Use Public-Private key pair together with a passcode for SSH login",
        "Id": "HDInsight120",
        "ControlSeverity": "High",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Public-Private key pair help to protect against password guessing and brute force attacks",
        "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-hadoop-linux-use-ssh-unix",
        "Tags": [
           "SDL",
           "TCP",
           "Manual",
           "SI",
           "HDInsight"
        ],
        "Enabled": true
     },
     {
        "ControlID": "Azure_HDInsight_AuthZ_Restrict_Cluster_Network_Access",
        "Description": "HDInsight cluster access must be restricted using virtual network or Azure VPN gateway service with NSG traffic rules",
        "Id": "HDInsight130",
        "ControlSeverity": "High",
        "Automated": "Yes",
        "MethodName": "CheckClusterNetworkProfile",
        "Rationale": "Restricting cluster access with inbound and outbound traffic via NSGs limits the network exposure for cluster and reduces the attack surface.",
        "Recommendation": "You should restrict IP range and port as per application needs. Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-extend-hadoop-virtual-network. Note: In case the IP range is indeterminate (for instance, if the client is a PaaS endpoint), you may need to attest this control.",
        "Tags": [
          "SDL",
          "TCP",
          "Manual",
          "AuthZ",
          "HDInsight",
          "NetSec"
        ],
        "Enabled": true
      },
      {
        "ControlID": "Azure_HDInsight_DP_Storage_Encrypt_In_Transit",
        "Description": "Secure transfer protocol must be used for accessing storage account resources",
        "Id": "HDInsight140",
        "ControlSeverity": "High",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Use of secure transfer ensures server/service authentication and protects data in transit from network layer man-in-the-middle, eavesdropping, session-hijacking attacks. When enabling HTTPS one must remember to simultaneously disable access over plain HTTP else data can still be subject to compromise over clear text connections.",
        "Recommendation": "https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-hadoop-create-linux-clusters-with-secure-transfer-storage?toc=%2Fen-us%2Fazure%2Fhdinsight%2Fstorm%2FTOC.json&bc=%2Fen-us%2Fazure%2Fbread%2Ftoc.json",
        "Tags": [
           "SDL",
           "TCP",
           "Manual",
           "DP",
           "HDInsight"
        ],
        "Enabled": true
     },
     {
        "ControlID": "Azure_HDInsight_DP_Storage_Encrypt_At_Rest",
        "Description": "Storage used for cluster must have encryption at rest enabled",
        "Id": "HDInsight150",
        "ControlSeverity": "High",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Using this feature ensures that sensitive data is stored encrypted at rest. This minimizes the risk of data loss from physical theft and also helps meet regulatory compliance requirements.",
        "Recommendation": "https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-hadoop-create-linux-clusters-with-secure-transfer-storage?toc=%2Fen-us%2Fazure%2Fhdinsight%2Fstorm%2FTOC.json&bc=%2Fen-us%2Fazure%2Fbread%2Ftoc.json",
        "Tags": [
           "SDL",
           "TCP",
           "Manual",
           "DP",
           "HDInsight"
        ],
        "Enabled": true
     },
     {
        "ControlID": "Azure_HDInsight_DP_Dont_Store_Data_On_Cluster_Nodes",
        "Description": "Sensitive data must be stored on storage linked to cluster and not on cluster node disks",
        "Id": "HDInsight160",
        "ControlSeverity": "High",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Cluster node restart may cause loss of data present on cluster nodes. Also currently HDInsight does not support encryption at rest for cluster node disk.",
        "Recommendation": "All data must be stored on storage linked with HDInsight cluster",
        "Tags": [
           "SDL",
           "TCP",
           "Manual",
           "DP",
           "HDInsight"
        ],
        "Enabled": true
     },
     {
        "ControlID": "Azure_HDInsight_AuthZ_Restrict_Network_Access_To_Cluster_Storage",
        "Description": "Access to cluster's storage must be restricted to virtual network of the cluster",
        "Id": "HDInsight170",
        "ControlSeverity": "Medium",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Restricting storage access within cluster network boundary reduces the attack surface.",
        "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-hadoop-linux-use-ssh-unix",
        "Tags": [
           "SDL",
           "TCP",
           "Manual",
           "AuthZ",
           "HDInsight",
           "NetSec"
        ],
        "Enabled": true
     },
      {
        "ControlID": "Azure_HDInsight_AuthZ_Grant_Min_RBAC_Access_For_Cluster_Operations",
        "Description": "All users/identities must be granted minimum required cluster operation permissions using Ambari Role Based Access Control (RBAC)",
        "Id": "HDInsight180",
        "ControlSeverity": "Medium",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",
        "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-authorize-users-to-Ambari#assign-users-to-roles",
        "Tags": [
          "SDL",
          "TCP",
          "Manual",
          "AuthZ",
          "RBAC",
          "HDInsight"
        ],
        "Enabled": true
      },
      {
        "ControlID": "Azure_HDInsight_AuthZ_Restrict_Access_To_Ambari_Views",
        "Description": "Only required users/identities must be granted access to Ambari views",
        "Id": "HDInsight190",
        "ControlSeverity": "Medium",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Granting access to only required users to Ambari views ensures minimum exposure of underline data resources.",
        "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-authorize-users-to-Ambari#grant-permissions-to-hive-views",
        "Tags": [
          "SDL",
          "TCP",
          "Manual",
          "AuthZ",
          "RBAC",
          "HDinsight"
        ],
        "Enabled": true
      },
      {
        "ControlID": "Azure_HDInsight_DP_Rotate_Admin_Password",
        "Description": "Ambari admin password must be renewed after a regular interval",
        "Id": "HDInsight111",
        "ControlSeverity": "Medium",
        "Automated": "No",
        "MethodName": "",
        "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-administer-use-portal-linux#change-passwords",
        "Tags": [
          "SDL",
          "TCP",
          "Manual",
          "DP",
          "HDinsight"
        ],
        "Enabled": true,
        "Rationale": "Periodic key/password rotation is a good security hygiene practice as, over time, it minimizes the likelihood of data loss/compromise which can arise from key theft/brute forcing/recovery attacks."
      },
      {
        "ControlID": "Azure_HDInsight_Audit_Use_Diagnostics_Log",
        "Description": "Diagnostics must be enabled for cluster operations",
        "Id": "HDInsight122",
        "ControlSeverity": "Medium",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Diagnostics logs are needed for creating activity trail while investigating an incident or a compromise.",
        "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-hadoop-linux-use-ssh-unix",
        "Tags": [
           "SDL",
           "TCP",
           "Manual",
           "Audit",
           "HDInsight"
        ],
        "Enabled": true
     },
     {
      "ControlID": "Azure_HDInsight_DP_No_PlainText_Secrets_In_Notebooks",
      "Description": "Secrets and keys must not be in plain text in notebooks and jobs",
      "Id": "HDInsight133",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Keeping secrets such as connection strings, passwords, keys, etc. in clear text can lead to easy compromise. Storing them in a secure place (like KeyVault) ensures that they are protected at rest.",
      "Recommendation": "Use a key vault backed secret scopes to store any secrets and keys and read them from the respective secret scopes in notebooks and jobs.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "Audit",
        "HDInsight"
      ],
      "Enabled": true
    }
    ]
}