generated from adobe/aem-boilerplate
-
Notifications
You must be signed in to change notification settings - Fork 76
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #779 from tsmithv11/build-jul-24
New IaC Policies for July 2024
- Loading branch information
Showing
10 changed files
with
437 additions
and
8 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
52 changes: 52 additions & 0 deletions
52
...ition/policy-reference/azure-policies/azure-general-policies/bc-azure-2-51.adoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| == Azure Synapse SQL Pool does not have a security alert policy | ||
|
|
||
| === Policy Details | ||
|
|
||
| [width=45%] | ||
| [cols="1,1"] | ||
| |=== | ||
| |Prisma Cloud Policy ID | ||
| | 1db278f2-6401-401d-95d2-3b8d1db49356 | ||
|
|
||
| |Checkov ID | ||
| | https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SynapseSQLPoolHasSecurityAlertPolicy.yaml[CKV2_AZURE_51] | ||
|
|
||
| |Severity | ||
| |INFO | ||
|
|
||
| |Subtype | ||
| |Build | ||
|
|
||
| |Frameworks | ||
| |Terraform, TerraformPlan | ||
|
|
||
| |=== | ||
|
|
||
| === Description | ||
|
|
||
| This policy detects whether a Synapse SQL Pool has a security alert policy configured. A security alert policy is used to set up alerts for specific security incidents, abnormal activities, and threats in the SQL pool. This is crucial for real-time monitoring and maintaining the security posture of a Synapse workspace, helping to ensure the protection of your data. | ||
|
|
||
| === Fix - Buildtime | ||
|
|
||
| *Terraform* | ||
|
|
||
| * *Resource:* azurerm_synapse_sql_pool | ||
| * *Arguments:* azurerm_synapse_sql_pool_security_alert_policy | ||
|
|
||
| Configure a security alert policy for your Synapse SQL Pool. Associate each `azurerm_synapse_sql_pool` resource with a `azurerm_synapse_sql_pool_security_alert_policy` block. This block defines the security alert policies for the pool. | ||
|
|
||
| In this example, a security alert policy for an Azure Synapse SQL Pool is configured using Terraform templates. | ||
|
|
||
| [source,go] | ||
| ---- | ||
| resource "azurerm_synapse_sql_pool" "example" { | ||
| name = "examplesqlpool" | ||
| ... | ||
| } | ||
| + resource "azurerm_synapse_sql_pool_security_alert_policy" "example" { | ||
| + sql_pool_id = azurerm_synapse_sql_pool.example.id | ||
| + policy_state = "Enabled" | ||
| + ... | ||
| + } | ||
| ---- |
53 changes: 53 additions & 0 deletions
53
...ition/policy-reference/azure-policies/azure-general-policies/bc-azure-2-52.adoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
|
|
||
| == Azure Synapse SQL Pool vulnerability assessment disabled | ||
|
|
||
| === Policy Details | ||
|
|
||
| [width=45%] | ||
| [cols="1,1"] | ||
| |=== | ||
| |Prisma Cloud Policy ID | ||
| | b7e5346e-dfec-43ba-956d-9e5f06f1e9d1 | ||
|
|
||
| |Checkov ID | ||
| | https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SynapseSQLPoolHasVulnerabilityAssessment.yaml[CKV2_AZURE_52] | ||
|
|
||
| |Severity | ||
| |INFO | ||
|
|
||
| |Subtype | ||
| |Build | ||
|
|
||
| |Frameworks | ||
| |Terraform, TerraformPlan | ||
|
|
||
| |=== | ||
|
|
||
| === Description | ||
|
|
||
| This policy detects whether a Synapse SQL Pool in an Azure environment has a vulnerability assessment enabled. Vulnerability assessments are essential for maintaining a strong security posture. They help mitigate potential security risks by detecting vulnerabilities and providing recommendations for addressing them. Without vulnerability assessments, your Synapse SQL Pool could be exposed to security threats, potentially leading to data breaches, loss, or other cyberattacks. | ||
|
|
||
| Monitoring and maintaining the security of your database services is crucial for protecting sensitive data and complying with regulatory standards. Vulnerability assessments play a vital role in achieving this by proactively identifying and mitigating potential risks. | ||
|
|
||
| === Fix - Buildtime | ||
|
|
||
| *Terraform* | ||
|
|
||
| * *Resource:* azurerm_synapse_sql_pool | ||
| * *Arguments:* azurerm_synapse_sql_pool_security_alert_policy, recurring_scans.*.enabled | ||
|
|
||
| Ensure that all `azurerm_synapse_sql_pool` resources have an associated `azurerm_synapse_sql_pool_security_alert_policy` block with recurring security scans (`recurring_scans.property`) enabled. | ||
|
|
||
| In this example, an `azurerm_synapse_sql_pool_vulnerability_assessment` resource is configured to enable automatic vulnerability scanning for your Synapse SQL Pool. This ensures your pool is regularly checked for potential security weaknesses. | ||
|
|
||
| [source,go] | ||
| ---- | ||
| resource "azurerm_synapse_sql_pool_vulnerability_assessment" "example" { | ||
| + sql_pool_security_alert_policy_id = azurerm_synapse_sql_pool_security_alert_policy.example.id | ||
| ... | ||
| recurring_scans { | ||
| + enabled = true | ||
| ... | ||
| } | ||
| } | ||
| ---- |
75 changes: 75 additions & 0 deletions
75
...dition/policy-reference/azure-policies/azure-general-policies/bc-azure-240.adoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,75 @@ | ||
|
|
||
| == Azure Synapse Workspace not encrypted with a Customer Managed Key (CMK) | ||
|
|
||
| === Policy Details | ||
|
|
||
| [width=45%] | ||
| [cols="1,1"] | ||
| |=== | ||
| |Prisma Cloud Policy ID | ||
| | 5e212f99-d52c-4546-b498-4ba6043ddaa2 | ||
|
|
||
| |Checkov ID | ||
| | https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceCMKEncryption.py[CKV_AZURE_240] | ||
|
|
||
| |Severity | ||
| |LOW | ||
|
|
||
| |Subtype | ||
| |Build | ||
|
|
||
| |Frameworks | ||
| |Terraform, TerraformPlan, ARM, Bicep | ||
|
|
||
| |=== | ||
|
|
||
| === Description | ||
|
|
||
| This policy detects whether an Azure Synapse Workspace is encrypted with a CMK. Ensuring encryption with a CMK is crucial because it grants organizations greater control over the encryption keys used to protect their data. Using a CMK enhances security by allowing key rotation, revocation, and the ability to use an organization's own key management policies. This strengthens data protection within the Synapse Workspace. Unencrypted Synapse Workspaces pose a significant security risk. Sensitive data stored and processed within them is potentially exposed to unauthorized access and data breaches. | ||
|
|
||
| === Fix - Buildtime | ||
|
|
||
| *Terraform* | ||
|
|
||
| * *Resource:* azurerm_synapse_workspace | ||
| * *Arguments:* customer_managed_key/key_name | ||
|
|
||
| Secure your Azure Synapse Workspace data by enabling CMK encryption. Enable CMK encryption for your Azure Synapse Workspace by adding a `customer_managed_key` parameter to your `azurerm_synapse_workspace` resource. | ||
|
|
||
| In this example, CMK encryption in configured for your Azure Synapse Workspace within a Terraform template. | ||
|
|
||
|
|
||
| [source,go] | ||
| ---- | ||
| resource "azurerm_synapse_workspace" "example" { | ||
| ... | ||
| + customer_managed_key { | ||
| + key_name = "exKey" | ||
| + ... | ||
| + } | ||
| } | ||
| ---- | ||
|
|
||
| *ARM* | ||
|
|
||
| * *Resource:* Microsoft.Synapse/workspaces | ||
| * *Arguments:* encryption | ||
|
|
||
| In this example, an `encryption` property is added within the `Microsoft.Synapse/workspaces` resource definition of the JSON template. This encryption property will house the configuration for the CMK, significantly enhancing data security within the workspace. | ||
|
|
||
| [source,json] | ||
| ---- | ||
| { | ||
| "type": "Microsoft.Synapse/workspaces", | ||
| ... | ||
| "properties": { | ||
| + "encryption": { | ||
| + "cmk": { | ||
| + ... | ||
| + } | ||
| + }, | ||
| ... | ||
| } | ||
| } | ||
| ---- |
47 changes: 47 additions & 0 deletions
47
...dition/policy-reference/azure-policies/azure-general-policies/bc-azure-241.adoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
|
|
||
| == Azure Synapse SQL pool not encrypted | ||
|
|
||
| === Policy Details | ||
|
|
||
| [width=45%] | ||
| [cols="1,1"] | ||
| |=== | ||
| |Prisma Cloud Policy ID | ||
| | a63251ce-dda8-406f-92b0-2adb43767a15 | ||
|
|
||
| |Checkov ID | ||
| | https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseSQLPoolDataEncryption.py[CKV_AZURE_241] | ||
|
|
||
| |Severity | ||
| |LOW | ||
|
|
||
| |Subtype | ||
| |Build | ||
|
|
||
| |Frameworks | ||
| |Terraform, TerraformPlan | ||
|
|
||
| |=== | ||
|
|
||
| === Description | ||
|
|
||
| This policy detects whether Synapse SQL pools in Microsoft Azure are unencrypted. Encryption is vital for protecting sensitive data from unauthorized access and breaches. By enforcing encryption, this policy safeguards the confidentiality and integrity of the data stored within the SQL pools. Without encryption, data becomes vulnerable to cyberattacks, potentially leading to data leaks, financial losses, and reputational damage. | ||
|
|
||
| === Fix - Buildtime | ||
|
|
||
| *Terraform* | ||
|
|
||
| * *Resource:* azurerm_synapse_sql_pool | ||
| * *Arguments:* data_encrypted | ||
|
|
||
| Enable encryption for your Azure Synapse SQL pool: Set the `data_encrypted` property to `true` within the corresponding `azurerm_synapse_sql_pool` resource definition. | ||
|
|
||
| To fix this issue, ensure that `data_encrypted` is set to `true` for your `azurerm_synapse_sql_pool` resource. | ||
|
|
||
| [source,go] | ||
| ---- | ||
| resource "azurerm_synapse_sql_pool" "example" { | ||
| ... | ||
| + data_encrypted = true | ||
| } | ||
| ---- |
71 changes: 71 additions & 0 deletions
71
...dition/policy-reference/azure-policies/azure-general-policies/bc-azure-242.adoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,71 @@ | ||
|
|
||
| == Azure Synapse Spark Pool not using isolated compute | ||
|
|
||
| === Policy Details | ||
|
|
||
| [width=45%] | ||
| [cols="1,1"] | ||
| |=== | ||
| |Prisma Cloud Policy ID | ||
| | 727c6eb8-2516-43a2-8693-68e81da08258 | ||
|
|
||
| |Checkov ID | ||
| | https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSparkPoolIsolatedComputeEnabled.py[CKV_AZURE_242] | ||
|
|
||
| |Severity | ||
| |INFO | ||
|
|
||
| |Subtype | ||
| |Build | ||
|
|
||
| |Frameworks | ||
| |Terraform, TerraformPlan, ARM, Bicep | ||
|
|
||
| |=== | ||
|
|
||
| === Description | ||
|
|
||
| This policy detects whether isolated compute is disabled for Synapse Spark pools in Azure. Isolated compute utilizes dedicated resources that are not shared with other customers. This isolation minimizes data breach and unauthorized access risks, enhancing security for your Spark pools. Enabling isolated compute is crucial for maintaining high security standards, especially when handling sensitive data or running critical applications within Synapse Spark pools. | ||
|
|
||
| === Fix - Buildtime | ||
|
|
||
| *Terraform* | ||
|
|
||
| * *Resource:* azurerm_synapse_spark_pool | ||
| * *Arguments:* compute_isolation_enabled | ||
|
|
||
| Enable isolated compute in your Azure Synapse Spark pool: Set the compute_isolation_enabled property to true in the pool's configuration. | ||
|
|
||
| [source,go] | ||
| ---- | ||
| resource "azurerm_synapse_spark_pool" "example" { | ||
| ... | ||
| compute_isolation_enabled = true | ||
| } | ||
| ---- | ||
|
|
||
|
|
||
| *ARM* | ||
|
|
||
| * *Resource:* Microsoft.Synapse/workspaces/bigDataPools | ||
| * *Arguments:* properties/isComputeIsolationEnabled | ||
|
|
||
| In this example, the `properties/isComputeIsolationEnabled` property is set to `true` within the `properties` section of the `Microsoft.Synapse/workspaces/bigDataPools` resource definition. | ||
|
|
||
| [source,json] | ||
| ---- | ||
| { | ||
| ... | ||
| "resources": [ | ||
| { | ||
| "type": "Microsoft.Synapse/workspaces/bigDataPools", | ||
| ... | ||
| "properties": { | ||
| ... | ||
| "isComputeIsolationEnabled": true, | ||
| } | ||
| } | ||
| ] | ||
| } | ||
| ---- | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
50 changes: 50 additions & 0 deletions
50
...ition/policy-reference/azure-policies/azure-logging-policies/bc-azure-2-53.adoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
|
|
||
| == Azure Synapse Workspace missing extended audit logs | ||
|
|
||
| === Policy Details | ||
|
|
||
| [width=45%] | ||
| [cols="1,1"] | ||
| |=== | ||
| |Prisma Cloud Policy ID | ||
| | f62ba5d5-77ec-464c-92d9-572763798676 | ||
|
|
||
| |Checkov ID | ||
| | https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SynapseWorkspaceHasExtendedAuditLogs.yaml[CKV2_AZURE_53] | ||
|
|
||
| |Severity | ||
| |INFO | ||
|
|
||
| |Subtype | ||
| |Build | ||
|
|
||
| |Frameworks | ||
| |Terraform,TerraformPlan | ||
|
|
||
| |=== | ||
|
|
||
| === Description | ||
|
|
||
| This policy detects whether extended audit logs are disabled on an Azure Synapse Workspace. Logging mechanisms are essential for tracking user actions, policy breaches, data access, and troubleshooting issues, making it a critical practice for maintaining security and compliance within Azure environments. Extended audit logs provide detailed records of access and activity within the workspace, which are crucial for monitoring and investigating potential security risks like unauthorized access or anomalies. | ||
|
|
||
| === Fix - Buildtime | ||
|
|
||
| *Terraform* | ||
|
|
||
| * *Resource:* azurerm_synapse_workspace | ||
| * *Arguments:* azurerm_synapse_workspace_extended_auditing_policy | ||
|
|
||
| Ensure that all `azurerm_synapse_workspace` resources are connected to a `azurerm_synapse_workspace_extended_auditing_policy`. In this example, extended audit logging is configured for your Terraform templates. | ||
|
|
||
| [source,go] | ||
| ---- | ||
| resource "azurerm_synapse_workspace" "example" { | ||
| ... | ||
| } | ||
| resource "azurerm_synapse_workspace_extended_auditing_policy" "example" { | ||
| synapse_workspace_id = azurerm_synapse_workspace.example.id | ||
| ... | ||
| } | ||
| ---- | ||
|
|
Oops, something went wrong.