Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
16Dashboards
1651Benchmarks
486Queries
8Variables
GitHub

Control: 2.1.8 Ensure critical data in Azure Databricks is encrypted with customer-managed keys (CMK)

Description

Customer-managed keys introduce additional depth to security by providing a means to manage access control for encryption keys. Where compliance and security frameworks indicate the need, and organizational capacity allows, sensitive data at rest can be encrypted using customer-managed keys (CMK) rather than Microsoft-managed keys.

By default in Azure, data at rest tends to be encrypted using Microsoft-managed keys. If your organization wants to control and manage encryption keys for compliance and defense-in-depth, customer-managed keys can be established.

While it is possible to automate the assessment of this recommendation, the assessment status for this recommendation remains 'Manual' due to ideally limited scope. The scope of application—which workloads CMK is applied to—should be carefully considered to account for organizational capacity and targeted to workloads with specific need for CMK.

Remediation

NOTE: These remediations assume that an Azure KeyVault already exists in the subscription.

Remediate from Azure CLI

  1. Create a dedicated key:
az keyvault key create --vault-name <keyvault-name> --name <key-name> --protection <"software" or "hsm">
  1. Assign permissions to Databricks:
az keyvault set-policy --name <keyvault-name> --resource-group <resourcegroup-name> --spn <databricks-spn> --key-permissions get wrapKey unwrapKey
  1. Enable encryption with CMK:
az databricks workspace update --name <databricks-workspace-name> --resourcegroup <resource-group-name> --key-source "Microsoft.KeyVault" --key-name <key-name> --keyvault-uri <keyvault-uri>

Remediate from PowerShell

$Key = Add-AzKeyVaultKey -VaultName <keyvault-name> -Name <key-name> -Destination <"software" or "hsm"> Set-AzDatabricksWorkspace -ResourceGroupName "<resource-group-name>" -WorkspaceName "<databricks-workspace-name>" -EncryptionKeySource "Microsoft.KeyVault" -KeyVaultUri $Key.Id

Default Value:

By default, encryption type is set to Microsoft-managed keys.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v500_2_1_8

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v500_2_1_8 --share

SQL

This control uses a named query:

select
  a.id as resource,
  case
    when parameters -> 'customerManagedKeyId' is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when parameters -> 'customerManagedKeyId' is not null then a.name || ' has a customer-managed key configured.'
    else a.name || ' does not have a customer-managed key configured.'
  end as reason
  
  , a.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_databricks_workspace as a
  left join azure_subscription as sub on sub.subscription_id = a.subscription_id;

Tags

category = Compliance
cis = true
cis_item_id = 2.1.8
cis_level = 2
cis_section_id = 2.1
cis_type = manual
cis_version = v5.0.0
plugin = azure
service = Azure