Framework/Configurations/SVT/Services/Databricks.json

{
  "FeatureName": "Databricks",
  "Reference": "aka.ms/azsktcp/databricks",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_Databricks_DP_No_PlainText_Secrets_In_Notebooks",
      "Description": "Secrets and keys must not be in plain text in notebooks and jobs",
      "Id": "Databricks110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckSecretScope",
      "Rationale": "Keeping secrets such as connection strings, passwords, keys, etc. in clear text can lead to easy compromise. Storing them in a secret scope ensures that they are protected at rest.",
      "Recommendation": "Use a key vault backed Databricks secret scopes to store any secrets and keys and read them from the respective secret scopes in notebooks and jobs. Refer: https://docs.azuredatabricks.net/user-guide/secrets/index.html",
      "Tags": [
        "SDL",
        "TCP",
        "PAT",
        "DP",
        "Automated",
        "Admin",
        "Databricks",
        "Preview"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Databricks_DP_Use_KeyVault_Backed_Secret_Scope",
      "Description": "Use Azure Key Vault backed secret scope to hold secrets",
      "Id": "Databricks120",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckSecretScopeBackend",
      "Rationale": "Using Key Vault backed secret scopes leads to improved protection and segregation of stored secrets.",
      "Recommendation": "To use Azure Key Vault backed secret scopes, refer: https://docs.azuredatabricks.net/user-guide/secrets/secret-scopes.html#create-an-azure-key-vault-backed-secret-scope",
      "Tags": [
        "SDL",
        "TCP",
        "DP",
        "Automated",
        "PAT",
        "Admin",
        "Databricks",
        "Preview"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Databricks_DP_Independent_KeyVault_Per_Scope",
      "Description": "Each secret scope should use an independent key vault",
      "Id": "Databricks130",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckKeyVaultReference",
      "Rationale": "Using a separate key vault for each secret scope leads to better segregation of access to secrets via use of scope level ACLs. If the same key vault is used for two different scopes then any person with access to either of them will be able to see keys and secrets in both.",
      "Recommendation": "Analyze the separation of access needed in your solution and use different scopes backed by independent key vaults as necessary.",
      "Tags": [
        "SDL",
        "TCP",
        "DP",
        "Best Practice",
        "Automated",
        "PAT",
        "Admin",
        "Databricks",
        "Preview"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Databricks_DP_Minimal_Token_Validity",
      "Description": "Personal access tokens (PAT) must have the shortest possible validity period",
      "Id": "Databricks140",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckAccessTokenExpiry",
      "Rationale": "If a personal access token (PAT) gets compromised, the Databricks assets accessible to the user can be accessed/manipulated by unauthorized users. Minimizing the validity period of the PAT ensures that the window of time available to an attacker in the event of compromise is small.",
      "Recommendation": "While creating a PAT, provide the minimum practical expiration period. You can see all tokens generated by you and their expiration periods by navigating to Databricks Workspace --> Profile --> User Settings --> Access Tokens",
      "Tags": [
        "SDL",
        "TCP",
        "PAT",
        "Automated",
        "DP",
        "Databricks",
        "Preview"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Databricks_AuthZ_Grant_Min_RBAC_Access",
      "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
      "Id": "Databricks150",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRBACAccess",
      "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user account compromise.",
      "Recommendation": "Remove any excessive privileges granted on the Databricks workspace. Run command: Remove-AzRoleAssignment -SignInName '<SignInName>' -Scope '<Scope>' -RoleDefinitionName '<RoleDefinitionName>'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.",
      "Tags": [
        "SDL",
        "TCP",
        "AuthZ",
        "RBAC",
        "Automated",
        "Databricks",
        "Preview"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Databricks_AuthZ_Limit_Admin_Count",
      "Description": "Minimize the number of workspace admins",
      "Id": "Databricks160",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckAdminAccess",
      "Rationale": "Databricks workspace admins have full access on the workspace to perform any operation. Each additional person in the admin role increases the attack surface for the workspace. The number of members in these roles should be kept as low as possible.",
      "Recommendation": "Minimize the number of workspace admins. Navigate to Databricks workspace --> Account --> Admin Console --> Users --> Revoke admin access for users who no longer require admin access",
      "Tags": [
        "SDL",
        "TCP",
        "AuthZ",
        "Automated",
        "Admin",
        "PAT",
        "Databricks",
        "Preview"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Databricks_AuthZ_Cluster_Grant_Min_RBAC_Access",
      "Description": "All users must be granted minimum required permissions on clusters",
      "Id": "Databricks170",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user account compromise.",
      "Recommendation": "Remove any excessive privileges granted to any user on clusters. Navigate to workspace --> clusters --> select cluster --> Edit --> Permissions, for details refer: https://docs.azuredatabricks.net/administration-guide/admin-settings/cluster-acl.html",
      "Tags": [
        "SDL",
        "TCP",
        "AuthZ",
        "RBAC",
        "Manual",
        "Databricks",
        "Preview"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Databricks_AuthZ_Enable_Workspace_Access_Control",
      "Description": "Workspace access control should be enabled",
      "Id": "Databricks180",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckWorkspaceAccessEnabled",
      "Rationale": "Enabling workspace access control allows an admin to manage fine-grained user permissions and ensures that users can perform only intended operations. This minimizes exposure of data in case of user account compromise.",
      "Recommendation": "To enable and configure workspace access control, refer: https://docs.azuredatabricks.net/administration-guide/admin-settings/workspace-acl.html",
      "Tags": [
        "SDL",
        "TCP",
        "AuthZ",
        "RBAC",
        "Automated",
        "Databricks",
        "Preview"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Databricks_AuthZ_Enable_Cluster_Access_Control",
      "Description": "Cluster access control should be enabled",
      "Id": "Databricks190",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckClusterAccessEnabled",
      "Rationale": "Enabling cluster access control allows an admin to grant users restricted access to clusters so that they can perform only intended operations. This minimizes exposure of data in case of user/service account compromise.",
      "Recommendation": "To enable and configure cluster access control, refer: https://docs.azuredatabricks.net/administration-guide/admin-settings/cluster-acl.html",
      "Tags": [
        "SDL",
        "TCP",
        "AuthZ",
        "RBAC",
        "Automated",
        "Databricks",
        "Preview"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Databricks_AuthZ_Enable_Job_Access_Control",
      "Description": "Job access control should be enabled",
      "Id": "Databricks200",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckJobAccessEnabled",
      "Rationale": "Enabling job access control ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of data in case of user/service account compromise.",
      "Recommendation": "To enable and configure job access control, refer: https://docs.azuredatabricks.net/administration-guide/admin-settings/jobs-acl.html",
      "Tags": [
        "SDL",
        "TCP",
        "AuthZ",
        "RBAC",
        "Automated",
        "Databricks",
        "Preview"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Databricks_DP_Review_Mounted_DataSources",
      "Description": "Do not mount any data sources that may not be required for all users in the workspace.",
      "Id": "Databricks210",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Mounting a data source gives all users within the workspace access to the data from the mount point. Thus, mounting sources with sensitive data onto DBFS can lead to unauthorized access.",
      "Recommendation": "Create a mount point only if all users in workspace need to have access to all data in the mounted data source. Use tables with ACLs if you want to impose segregation of access on imported data.",
      "Tags": [
        "SDL",
        "TCP",
        "DP",
        "Manual",
        "Databricks",
        "Preview"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Databricks_AuthZ_Prohibit_Guest_Account_Admin_Access",
      "Description": "Guest accounts within the AAD tenant should not be granted admin access",
      "Id": "Databricks220",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckGuestAdminAccess",
      "Rationale": "Databricks workspace admins have full access on the workspace to perform any operation. Each guest account in an admin role increases the attack surface for the workspace. Adding guest accounts as admins on the workspace should be avoided.",
      "Recommendation": "Avoid granting access to guest accounts from the AAD tenant. Remove any such accounts that may have been granted access in the past. Navigate to Databricks workspace --> Account --> Admin Console --> Users --> Revoke admin access of guest users who no longer require admin access",
      "Tags": [
        "SDL",
        "TCP",
        "AuthZ",
        "Admin",
        "Databricks",
        "PAT",
        "Preview"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_Databricks_NetSec_Justify_VNet_Peering",
      "Description": "Use of any virtual network peerings should be justified",
      "Id": "Databricks230",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckVnetPeering",
      "Rationale": "Resources in the peered virtual networks can communicate with each other directly. If the two peered networks are on different sides of a security boundary (e.g., corpnet v. private vNet), this can lead to exposure of corporate data. Hence any vNet peerings should be closely scrutinized and approved by the network security team.",
      "Recommendation": "You can remove any virtual network peering by navigating to Azure portal --> Databricks --> Virtual Network Peerings --> select vNET peering --> Delete (unless their presence has been approved by network security team).",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "NetSec",
        "Databricks",
        "Preview"
      ],
      "Enabled": true
    }
  ]
}