rules/findings/azure/databases/data_factory/azure-datafactory-lack-keyvault.json

{
    "args": [],
    "provider": "Azure",
    "serviceType": "Data Factory",
    "serviceName": "Databases",
    "displayName": "Ensure that Data Factory is using Azure Key Vault to store credentials and secrets",
    "description": "Azure Key Vault securely stores secrets and keys and lets you grant role-based access control (RBAC) permissions so that only authorized services and users can access them.",
    "rationale": "Storing credentials in Azure Key Vault and referencing them from Data Factory is strongly recommended over less secure options such as hard-coding credentials into code or connection definitions.",
    "impact": "This will create technical overhead as your organization will need to manage the lifecycle, expiration, and rotation of secrets and keys to fit your security baseline.",
    "remediation": {
        "text": "
            ###### Remediate from Azure Portal
            Retrieve Managed Identity Object ID
            1. From Azure Data Factories select a factory to link to an Azure Key Vault.
            2. In the left column, expand > Settings and select Properties.
            3. Select Managed Identity Object ID and save this value for later.
            Set Permissions for Key Vault (note: this presumes the key vault uses Azure RBAC as its permission model, not Access policies)
                1. From Key vaults select a key vault to grant access to.
                2. Select + Add, and select Add role assignment from the dropdown.
                3. For the Role, search for key vault. Several Key Vault roles are listed; assign the least-privileged one that meets your organization's needs. Note that Key Vault Reader only grants read access to vault and object metadata, not to secret values; for Data Factory to retrieve secret contents, assign Key Vault Secrets User, scoped to this vault.
                4. Select Next
                5. In the new screen, next to Assign access to, select Managed identity.
                6. Next to Members select + Select members.
                7. Choose your subscription, and either under Managed identity scroll to Data Factory and select it, or search by your Data Factory's name.
                8. Select your Data Factory.
                9. Choose Select.
                10. Select Review + assign.
            Create Connection Between Key Vault and Data Factory
                1. From Data Factories select your data factory.
                2. Under the Overview selection scroll down in the right pane and select Launch studio under Azure Data Factory Studio.
                3. In the left column select the briefcase and wrench for Manage.
                4. In the left column select Linked Services under Connections.
                5. Select + New.
                6. Search for Azure Key Vault and select it.
                7. In the new window, name your connection and enter a desired description.
                8. Under Azure key vault selection method, choose From Azure Subscription.
                9. Select your Azure Subscription.
                10. Select your key vault by name.
                11. Under Authentication Method select System-assigned managed identity or User-assigned managed identity, depending on which managed identity is in use on your data factory; it must be the same identity that received the Key Vault role assignment above.
                12. Select Create.
            ",
        "code": {
            "powerShell": null,
            "iac": null,
            "terraform": null,
            "other": null
        }
    },
    "recommendation": null,
    "references": [
        "https://learn.microsoft.com/en-us/azure/data-factory/store-credentials-in-key-vault",
        "https://learn.microsoft.com/en-us/azure/data-factory/data-factory-service-identity#retrieve-managed-identity"
    ],
    "compliance": [
        {
            "name": "CIS Microsoft Azure Database Services",
            "version": "2.0.0",
            "reference": "4.3",
            "profile": [
                "Level 2"
            ]
        }
    ],
    "level": "",
    "tags": [],
    "rule": {
        "path": "",
        "subPath": null,
        "selectCondition": {},
        "query": [
        ],
        "shouldExist": null,
        "returnObject": null,
        "removeIfNotExists": null
    },
    "output": {
        "html": {
            "data": {
                "properties": {},
                "expandObject": null
            },
            "table": "Normal",
            "decorate": [],
            "emphasis": [],
            "actions": {
                "objectData": {
                    "properties": [],
                    "expandObject": null,
                    "limit": null
                },
                "showGoToButton": "True",
                "showModalButton": "True",
                "directLink": null
            }
        },
        "text": {
            "data": {
                "properties": {},
                "expandObject": null
            },
            "status": {
                "keyName": [],
                "message": "",
                "defaultMessage": null
            },
            "properties": {
                "resourceName": null,
                "resourceId": null,
                "resourceType": null
            },
            "onlyStatus": false
        }
    },
    "idSuffix": "",
    "notes": [],
    "categories": [],
    "immutable_properties": [],
    "id": "azure_data_factory_003"
}