Merge pull request #733 from tsmithv11/build-jun-24
Add docs for IaC policies for 24.7.3
Showing 4 changed files with 137 additions and 10 deletions.
65 changes: 65 additions & 0 deletions in ...on/policy-reference/azure-policies/azure-networking-policies/bc-azure-2-49.adoc
@@ -0,0 +1,65 @@ | ||
== Azure Machine learning workspace configured with overly permissive network access | ||
|
||
|
||
=== Policy Details | ||
|
||
[width=45%] | ||
[cols="1,1"] | ||
|=== | ||
|Prisma Cloud Policy ID | ||
| 76b345ae-d738-4485-8cfc-ed0c265ea016 | ||
|
||
|Checkov ID | ||
| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMLWorkspacePublicNetwork.yaml[CKV2_AZURE_49] | ||
|
||
|Severity | ||
|HIGH | ||
|
||
|Subtype | ||
|Run,Build | ||
|
||
|Frameworks | ||
|Terraform,TerraformPlan,ARM,Bicep | ||
|
||
|=== | ||
|
||
=== Description | ||
|
||
This policy detects whether the Azure Machine Learning workspace is configured with overly permissive network access. Such unrestricted access creates security vulnerabilities. Excessive network access permissions allow individuals or systems to access and potentially manipulate the workspace, allowing malicious actors to exploit these weaknesses to gain unauthorized access potentially leading to data breaches or manipulation of the machine learning process itself. This unauthorized access could compromise models, leading to flawed outputs or biased results. Additionally, sensitive data stored or processed within the workspace might be exfiltrated if network access isn't properly restricted. | ||
|
||
=== Fix - Buildtime | ||
|
||
*Terraform* | ||
|
||
* *Resource:* azurerm_machine_learning_workspace | ||
* *Arguments:* public_network_access_enabled | ||
|
||
Ensure that the Azure Machine Learning workspace does not have unrestricted public network access. To achieve this, set the `public_network_access_enabled` property to false. This will deny public network access to the workspace from outside the virtual network, enhancing the overall security posture. | ||
|
||
[source,go] | ||
---- | ||
resource "azurerm_machine_learning_workspace" "workspace" { | ||
... | ||
+ public_network_access_enabled = false | ||
} | ||
---- | ||
|
||
*ARM* | ||
|
||
[source,json] | ||
---- | ||
{ | ||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", | ||
"contentVersion": "1.0.0.0", | ||
"resources": [ | ||
{ | ||
"type": "Microsoft.MachineLearningServices/workspaces", | ||
"apiVersion": "2022-12-01", | ||
... | ||
"properties": { | ||
+ "publicNetworkAccess": "Disabled" | ||
} | ||
} | ||
] | ||
} | ||
---- |
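Review bot: the Terraform snippet is fenced as `[source,go]` but it is HCL; use `[source,hcl]` (or `terraform`) so the highlighter matches the content. The fix text should also carry the caveat that once `public_network_access_enabled = false` is set the workspace is reachable only through a private endpoint, so it belongs next to the private-endpoint policy added in this same PR, otherwise readers who apply it in isolation lock themselves out of the studio and SDK. Minor points: `Frameworks` lists Bicep but only Terraform and ARM examples are given; the heading should read "Azure Machine Learning workspace" (capital L) to match the product name; and the Description says the same thing three times ("allowing malicious actors to exploit these weaknesses to gain unauthorized access ... This unauthorized access could ...") and could be cut to two sentences without losing a claim.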
62 changes: 62 additions & 0 deletions in ...ion/policy-reference/azure-policies/azure-networking-policies/bc-azure-239.adoc
@@ -0,0 +1,62 @@ | ||
== Azure Machine learning workspace is not configured with private endpoint | ||
|
||
|
||
=== Policy Details | ||
|
||
[width=45%] | ||
[cols="1,1"] | ||
|=== | ||
|Prisma Cloud Policy ID | ||
| a8e6f787-f937-42eb-9f71-ffc4cb17ba8a | ||
|
||
|Checkov ID | ||
| https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureMLWorkspacePrivateEndpoint.py[CKV_AZURE_239] | ||
|
||
|Severity | ||
|MEDIUM | ||
|
||
|Subtype | ||
|Build | ||
|
||
|Frameworks | ||
|ARM,Bicep | ||
|
||
|=== | ||
|
||
=== Description | ||
|
||
This policy detects whether an Azure Machine Learning workspace is configured with a private endpoint. Configuring a private endpoint for the Azure Machine Learning workspace is recommended to enhance security by restricting network access and preventing public internet access to the workspace. | ||
|
||
=== Fix - Buildtime | ||
|
||
*ARM* | ||
|
||
* *Resource:* Microsoft.MachineLearningServices/workspaces | ||
* *Arguments:* managedNetwork.outboundRules | ||
|
||
Configure the Azure Machine Learning workspace to use a private endpoint. To achieve this, add an outboundRule with the type set to PrivateEndpoint. This effectively directs traffic to the workspace solely through the secure private network connection. | ||
|
||
[source,json] | ||
---- | ||
{ | ||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", | ||
"contentVersion": "1.0.0.0", | ||
"resources": [ | ||
{ | ||
"type": "Microsoft.MachineLearningServices/workspaces", | ||
"apiVersion": "2022-12-01", | ||
"name": "fail1", | ||
"location": "West US", | ||
"properties": { | ||
"managedNetwork": { | ||
"outboundRules": { | ||
"rule1": { | ||
+ "type": "PrivateEndpoint" | ||
} | ||
} | ||
} | ||
} | ||
} | ||
] | ||
} | ||
---- |
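Review bot: the example presented as the fix is named `"name": "fail1"`, which looks copied straight from the negative test fixture; rename it so the remediation page does not show a "fail" resource as the passing configuration. More importantly, the sentence "This effectively directs traffic to the workspace solely through the secure private network connection" overstates what the snippet does: an entry in `managedNetwork.outboundRules` with `"type": "PrivateEndpoint"` governs egress from the workspace's managed virtual network to some other resource, it does not place the workspace itself behind a private endpoint or block inbound public access (that is `publicNetworkAccess: Disabled` from bc-azure-2-49 plus a private endpoint resource). Reword the Description and Fix to say what the check actually verifies (an outbound rule of type PrivateEndpoint is present), and since a rule consisting only of `type` is not deployable, show the `destination` block (`serviceResourceId`, `subresourceTarget`) a real rule needs, marked as illustrative. As in the other file, `Frameworks` lists Bicep but only an ARM sample is shown.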