H-plugin synapse workspace double encryption

aquasecurity · Jul 15, 2024 · 44e5b65 · 44e5b65
1 parent 3d86c5d
commit 44e5b65
Show file tree

Hide file tree

Showing 3 changed files with 153 additions and 0 deletions.
diff --git a/exports.js b/exports.js
@@ -1217,6 +1217,7 @@ module.exports = {
         'workspaceManagedIdentity'      : require(__dirname + '/plugins/azure/synapse/workspaceManagedIdentity.js'),
         'synapseWorkspaceAdAuthEnabled' : require(__dirname + '/plugins/azure/synapse/synapseWorkspaceAdAuthEnabled.js'),
         'synapseWorkspacPrivateEndpoint': require(__dirname + '/plugins/azure/synapse/synapseWorkspacPrivateEndpoint.js'),
+        'workspaceDoubleEncryption'     : require(__dirname + '/plugins/azure/synapse/workspaceDoubleEncryption.js'),
 
         'apiInstanceManagedIdentity'    : require(__dirname + '/plugins/azure/apiManagement/apiInstanceManagedIdentity.js'),
         'apiInstanceHasTags'            : require(__dirname + '/plugins/azure/apiManagement/apiInstanceHasTags.js'),

diff --git a/plugins/azure/synapse/workspaceDoubleEncryption.js b/plugins/azure/synapse/workspaceDoubleEncryption.js
@@ -0,0 +1,56 @@
+var async = require('async');
+var helpers = require('../../../helpers/azure');
+
+module.exports = {
+    title: 'Synapse Workspace Double Encryption Enabled',
+    category: 'AI & ML',
+    domain: 'Machine Learning',
+    severity: 'High',
+    description: 'Ensures that Azure Synapse workspace has double Encryption enabled.',
+    more_info: 'Enabling double encryption for Synapse workspace provides an extra layer of protection for data at rest and in transit. This feature significantly enhances security and helps ensure compliance with stringent data protection standards within the Azure environment.',
+    recommended_action: 'Create a new Synapse workspace and enable double encryption using CMK.',
+    link: 'https://learn.microsoft.com/en-us/azure/synapse-analytics/security/workspaces-encryption',
+    apis: ['synapse:listWorkspaces'],
+    realtime_triggers: ['microsoftsynapse:workspaces:write','microsoftsynapse:workspaces:delete'],
+
+    run: function(cache, settings, callback) {
+        const results = [];
+        const source = {};
+        const locations = helpers.locations(settings.govcloud);
+
+        async.each(locations.synapse, function(location, rcb) {
+            const workspaces = helpers.addSource(cache, source,
+                ['synapse', 'listWorkspaces', location]);
+
+            if (!workspaces) return rcb();
+
+
+            if (workspaces.err || !workspaces.data) {
+                helpers.addResult(results, 3, 'Unable to query Synapse workspaces: ' + helpers.addError(workspaces), location);
+                return rcb();
+            }
+
+            if (!workspaces.data.length) {
+                helpers.addResult(results, 0, 'No existing Synapse workspaces found', location);
+                return rcb();
+            }
+
+            for (let workspace of workspaces.data) {
+                if (!workspace.id) continue;
+
+                if (workspace.encryption && 
+                    workspace.encryption.doubleEncryptionEnabled &&
+                    Object.entries(workspace.encryption.cmk).length > 0) {
+                    helpers.addResult(results, 0, 'Synapse workspace has double encryption enabled', location, workspace.id);
+                } else {
+                    helpers.addResult(results, 2, 'Synapse workspace does not have double encryption enabled', location, workspace.id);
+                }
+            }
+
+            rcb();
+        }, function() {
+            // Global checking goes here
+            callback(null, results, source);
+        });
+    }
+};
diff --git a/plugins/azure/synapse/workspaceDoubleEncryption.spec.js b/plugins/azure/synapse/workspaceDoubleEncryption.spec.js
@@ -0,0 +1,96 @@
+var expect = require('chai').expect;
+var workspaceDoubleEncryption = require('./workspaceDoubleEncryption');
+
+const workspaces = [
+    {
+        type: "Microsoft.Synapse/workspaces",
+        id: "/subscriptions/123/resourceGroups/rsgrp/providers/Microsoft.Synapse/workspaces/test",
+        location: "eastus",
+        name: "test",
+        encryption: {
+            doubleEncryptionEnabled: false
+        }
+    },
+    {
+        type: "Microsoft.Synapse/workspaces",
+        id: "/subscriptions/123/resourceGroups/rsgrp/providers/Microsoft.Synapse/workspaces/test",
+        location: "eastus",
+        name: "test",
+        encryption: {
+            cmk: {
+                kekIdentity: {
+                    useSystemAssignedIdentity: true,
+                },
+                key: {
+                    name: "default",
+                    keyVaultUrl: "https://test-key-0011.vault.azure.net/keys/test-key",
+                },
+            },
+            doubleEncryptionEnabled: true,
+        } 
+    },
+];
+
+
+const createCache = (workspaces, err) => {
+
+    return {
+        synapse: {
+            listWorkspaces: {
+                'eastus': {
+                    data: workspaces,
+                    err: err
+                }
+            }
+        }
+    };
+};
+
+describe('workspaceDoubleEncryption', function () {
+    describe('run', function () {
+
+        it('should give a passing result if no Synapse workspaces are found', function (done) {
+            const cache = createCache([], null);
+            workspaceDoubleEncryption.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('No existing Synapse workspaces found');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give unknown result if unable to query for Synapse workspaces', function (done) {
+            const cache = createCache(null, ['error']);
+            workspaceDoubleEncryption.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                expect(results[0].message).to.include('Unable to query Synapse workspaces');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give passing result if workspace has double encryption enabled', function (done) {
+            const cache = createCache([workspaces[1]], null);
+            workspaceDoubleEncryption.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('Synapse workspace has double encryption enabled');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give failing result if workspace does not have double encryption enabled', function (done) {
+            const cache = createCache([workspaces[0]], null);
+            workspaceDoubleEncryption.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(2);
+                expect(results[0].message).to.include('Synapse workspace does not have double encryption enabled');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+    });
+});