# Tags shared by every control in this file; each control merges this map
# into its own tag set so the service attribution stays in one place.
locals {
  regulatory_compliance_datalakestore_common_tags = {
    service = "Azure/DataLakeStorage"
  }
}
# Reports a Data Lake Store account as 'alarm' unless its encryption_state is
# exactly 'Enabled' (a NULL state also alarms, i.e. the check fails closed).
# Only the on/off state is evaluated; no other encryption attribute (for
# example key configuration) is inspected by the backing query.
control "datalake_store_account_encryption_enabled" {
  title       = "Require encryption on Data Lake Store accounts"
  description = "This policy ensures encryption is enabled on all Data Lake Store accounts."
  query       = query.datalake_store_account_encryption_enabled

  tags = merge(local.regulatory_compliance_datalakestore_common_tags, {
    hipaa_hitrust_v92 = "true"
  })
}
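# Reports a Data Lake Store account as 'alarm' when it has no diagnostic
# settings, or when none of its diagnostic settings contains an enabled log
# category. A single enabled category is enough to pass; the check does not
# evaluate which categories are enabled or where the logs are delivered, so
# pair it with destination/retention controls where those matter.
control "datalake_store_account_logging_enabled" {
  title       = "Resource logs in Azure Data Lake Store should be enabled"
  description = "Audit enabling of resource logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised."
  query       = query.datalake_store_account_logging_enabled

  tags = merge(local.regulatory_compliance_datalakestore_common_tags, {
    hipaa_hitrust_v92     = "true"
    nist_sp_800_171_rev_2 = "true"
    nist_sp_800_53_rev_5  = "true"
  })
}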
query "datalake_store_account_encryption_enabled" {
  sql = <<-EOQ
    -- One row per Data Lake Store account. Status is 'ok' only when
    -- encryption_state is exactly 'Enabled'; any other value, including NULL,
    -- is 'alarm' (fail-closed). Nothing beyond the on/off state is inspected.
    select
      b.account_id as resource,
      case b.encryption_state
        when 'Enabled' then 'ok'
        else 'alarm'
      end as status,
      case b.encryption_state
        when 'Enabled' then b.name || ' encryption enabled.'
        else b.name || ' encryption disabled.'
      end as reason
      ${local.tag_dimensions_sql}
      ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "b.")}
      ${replace(local.common_dimensions_qualifier_subscription_sql, "__QUALIFIER__", "sub.")}
    from
      azure_data_lake_store as b
      inner join azure_subscription as sub
        on sub.subscription_id = b.subscription_id;
  EOQ
}
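query "datalake_store_account_logging_enabled" {
  sql = <<-EOQ
    -- logging_details: accounts having at least one diagnostic setting with at
    -- least one enabled log category. Any single enabled category qualifies.
    --
    -- Every JSON lookup is wrapped in coalesce() because of three-valued logic:
    -- when a log entry carries no 'retentionPolicy' object and the setting has
    -- no 'storageAccountId' key, the bare expressions NULL <> 'true' and
    -- NULL = '' are both NULL, the OR is NULL, the row is dropped from the CTE,
    -- and an account with enabled logs is wrongly reported as 'alarm'.
    with logging_details as (
      select distinct
        account_id
      from
        azure_data_lake_store,
        jsonb_array_elements(diagnostic_settings) as setting,
        jsonb_array_elements(setting -> 'properties' -> 'logs') as log
      where
        diagnostic_settings is not null
        -- the log category itself must be switched on
        and coalesce((log ->> 'enabled') :: boolean, false)
        and (
          -- retention switched on: an explicit 'days' value must be present
          (
            coalesce((log -> 'retentionPolicy' ->> 'enabled') :: boolean, false)
            and (log -> 'retentionPolicy') ? 'days'
          )
          -- retention switched off, or no retentionPolicy object at all
          or coalesce(log -> 'retentionPolicy' ->> 'enabled', 'false') <> 'true'
          -- no storage-account destination recorded: retention is not checked
          or coalesce(setting -> 'properties' ->> 'storageAccountId', '') = ''
        )
    )
    select
      a.account_id as resource,
      case
        when a.diagnostic_settings is null then 'alarm'
        when l.account_id is not null then 'ok'
        else 'alarm'
      end as status,
      case
        when a.diagnostic_settings is null then a.name || ' logging disabled.'
        when l.account_id is not null then a.name || ' logging enabled.'
        else a.name || ' logging disabled.'
      end as reason
      ${local.tag_dimensions_sql}
      ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "a.")}
      ${replace(local.common_dimensions_qualifier_subscription_sql, "__QUALIFIER__", "sub.")}
    from
      azure_data_lake_store as a
      left join logging_details as l
        on l.account_id = a.account_id
      inner join azure_subscription as sub
        on sub.subscription_id = a.subscription_id;
  EOQ
}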