🚀 Launch Week 10, September 22nd - 26th, 2025 🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
15Dashboards
1471Benchmarks
461Queries
8Variables
GitHub

Control: 3.1.2 Ensure that network security groups are configured for Databricks subnets

Description

Network Security Groups (NSGs) should be implemented to control inbound and outbound traffic to Azure Databricks subnets, ensuring only authorized communication. NSGs should be configured with deny rules to block unwanted traffic and restrict communication to essential sources only.

Remediation

From Azure Portal

  1. Assign NSG to Databricks subnets under Networking > NSG Settings.

Default Value

By default, Databricks subnets do not have NSGs assigned.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v400_3_1_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v400_3_1_2 --share

SQL

This control uses a named query:

with databricks_subnets as (
  select
    id,
    'private' as subnet_type,
    concat(parameters -> 'customVirtualNetworkId' ->> 'value', '/subnets/', parameters -> 'customPrivateSubnetName' ->> 'value') as subnet_id
  from
    azure_databricks_workspace
  where
    parameters -> 'customVirtualNetworkId' IS NOT NULL
    and parameters -> 'customPrivateSubnetName' ->> 'value' IS NOT NULL
  UNION ALL
  select
    id,
    'public' as subnet_type,
    concat(parameters -> 'customVirtualNetworkId' ->> 'value', '/subnets/', parameters -> 'customPublicSubnetName' ->> 'value') as subnet_id
  from
    azure_databricks_workspace
  where
    parameters -> 'customVirtualNetworkId' IS NOT NULL
    and parameters -> 'customPublicSubnetName' ->> 'value' IS NOT NULL
), databricks_subnets_without_nsg as (
  select
    distinct ds.id,
    network_security_group_id
  from
    azure_subnet as s
    right join databricks_subnets as ds on lower(s.id) = lower(ds.subnet_id)
  where
    s.network_security_group_id is null
)
select
  a.id as resource,
  case
    when parameters -> 'customVirtualNetworkId' is null then 'skip'
    when nsg.id is null then 'ok'
    else 'alarm'
  end as status,
  case
    when parameters -> 'customVirtualNetworkId' is null then a.name || ' is not deployed in a customer-managed virtual network.'
    when nsg.id is null then a.name || ' subnets are configured with network security group.'
    else a.name || ' subnets are not configured with network security group.'
  end as reason
  
  , a.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_databricks_workspace as a
  left join databricks_subnets_without_nsg as nsg on nsg.id = a.id
  left join azure_subscription as sub on sub.subscription_id = a.subscription_id;

Tags

category = Compliance
cis = true
cis_item_id = 3.1.2
cis_level = 1
cis_section_id = 3.1
cis_type = manual
cis_version = v4.0.0
plugin = azure
service = Azure/Databricks