Control: 2.1.6 Ensure that usage is restricted and expiry is enforced for Databricks personal access tokens
Description
Databricks personal access tokens (PATs) provide API-based authentication for users and applications. By default, users can generate API tokens without expiration, leading to potential security risks if tokens are leaked, improperly stored, or not rotated regularly.
To mitigate these risks, administrators should:
- Restrict token creation to approved users and service principals.
- Enforce expiration policies to prevent long-lived tokens.
- Monitor token usage and revoke unused or compromised tokens.
Restricting usage and enforcing expiry for personal access tokens reduces exposure to long-lived tokens, minimizes the risk of API abuse if compromised, and aligns with security best practices through controlled issuance and enforced expiry.
Remediation
Remediate from Azure Portal
Disable personal access tokens:
If your workspace does not require PATs, you can disable them entirely to prevent their use.
- Navigate to your Azure Databricks workspace.
- Click the Settings icon and select Admin Console.
- Go to the Advanced tab.
- Under Personal Access Tokens, toggle the setting to Disabled.
Databricks CLI:
databricks workspace-conf set-status --json '{"enableTokens": "false"}'
Control who can create and use personal access tokens:
Define which users or groups are authorized to create and utilize PATs.
- Navigate to your Azure Databricks workspace.
- Click the Settings icon and select Admin Console.
- Go to the Advanced tab.
- Click on Personal Access Tokens and then Permissions.
- Assign the appropriate permissions (e.g. No Permissions, Can Use, Can Manage) to users or groups.
Set maximum lifetime for new personal access tokens:
Limit the validity period of new tokens to reduce potential misuse.
Databricks CLI:
databricks workspace-conf set-status --json '{"maxTokenLifetimeDays": "90"}'
Monitor and revoke personal access tokens:
Periodically review active tokens and revoke any that are unnecessary or potentially compromised.
Databricks CLI:
databricks token list
databricks token delete --token-id <token-id>
Transition to OAuth for enhanced security:
Utilize OAuth tokens for authentication, offering improved security features over PATs.
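Because this control is evaluated manually, an added example (not part of the CIS benchmark or the Powerpipe query) shows how the two workspace settings and the token inventory above can be checked against a 90-day policy. It assumes the JSON shapes returned by the Databricks workspace-conf and token-management list endpoints, that `expiry_time` is -1 for non-expiring tokens and timestamps are epoch milliseconds; the sample payloads are constructed.

```python
import json

# Constructed sample payloads (not real workspace data), shaped like the
# workspace-conf GET response and the token-management list response.
WORKSPACE_CONF = json.loads('{"enableTokens": "true", "maxTokenLifetimeDays": ""}')
TOKENS = json.loads("""{"token_infos": [
  {"token_id": "tok-a", "created_by_username": "alice@example.com",
   "creation_time": 1700000000000, "expiry_time": -1, "comment": "ci job"},
  {"token_id": "tok-b", "created_by_username": "bob@example.com",
   "creation_time": 1700000000000, "expiry_time": 1705184000000, "comment": "laptop"},
  {"token_id": "tok-c", "created_by_username": "carol@example.com",
   "creation_time": 1700000000000, "expiry_time": 1710000000000, "comment": "old script"}
]}""")

MAX_LIFETIME_DAYS = 90  # policy threshold used by this example


def check_workspace_conf(conf, max_days=MAX_LIFETIME_DAYS):
    """Return findings for the PAT-related workspace settings."""
    findings = []
    if conf.get("enableTokens", "true") != "false":
        findings.append("enableTokens is not 'false': PAT creation is allowed")
    lifetime = conf.get("maxTokenLifetimeDays") or ""
    # An empty or non-numeric value means no maximum lifetime is enforced.
    if not lifetime.isdigit() or int(lifetime) > max_days:
        findings.append(f"maxTokenLifetimeDays is {lifetime!r}: new PATs may live longer than {max_days} days")
    return findings


def check_tokens(tokens, max_days=MAX_LIFETIME_DAYS):
    """Flag tokens with no expiry or a lifetime above the policy threshold.
    Assumption: expiry_time == -1 means no expiry; times are epoch milliseconds."""
    findings = []
    for t in tokens.get("token_infos", []):
        who = t.get("created_by_username", "?")
        if t.get("expiry_time", -1) < 0:
            findings.append(f"{t['token_id']} ({who}): no expiry")
            continue
        days = (t["expiry_time"] - t["creation_time"]) / 86_400_000
        if days > max_days:
            findings.append(f"{t['token_id']} ({who}): lifetime {days:.0f} days exceeds {max_days}")
    return findings


if __name__ == "__main__":
    for line in check_workspace_conf(WORKSPACE_CONF) + check_tokens(TOKENS):
        print("FINDING:", line)
```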
Default Value:
By default, personal access tokens are enabled, and users can create personal access tokens and choose their own expiry time, including no expiry.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v500_2_1_6
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v500_2_1_6 --share
SQL
This control uses a named query:
select
  id as resource,
  'info' as status,
  'Manual verification required.' as reason,
  display_name as subscription
from
  azure_subscription;