# Tag set shared by every benchmark and control in this file.
# Builds on the mod-wide compliance tags (declared elsewhere in the mod)
# and pins `service` so results can be filtered to Azure Data Explorer.
locals {
  dataexplorer_compliance_common_tags = merge(
    local.terraform_azure_compliance_common_tags,
    { service = "Azure/DataExplorer" }
  )
}
# Top-level benchmark for Azure Data Explorer (Kusto) resources in Terraform.
# Only the controls listed in `children` are run as part of this benchmark;
# a control declared in this file but not listed here is not executed with it.
benchmark "dataexplorer" {
  title       = "Data Explorer"
  description = "This benchmark provides a set of controls that detect Terraform Azure Data Explorer resources deviating from security best practices."

  # Kept in alphabetical order; this is also the display order in reports.
  children = [
    control.kusto_cluster_disk_encryption_enabled,
    control.kusto_cluster_double_encryption_enabled,
    control.kusto_cluster_encrypted_at_rest_with_cmk,
    control.kusto_cluster_sku_with_sla,
    control.kusto_cluster_uses_managed_identity,
  ]

  tags = merge(local.dataexplorer_compliance_common_tags, { type = "Benchmark" })
}
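# Flags Kusto clusters whose encryption at rest is not backed by a
# customer-managed key. The evaluation logic lives in the referenced query
# (defined elsewhere in the mod); this block only attaches metadata and
# the NIST SP 800-53 Rev. 5 framework tag used for filtered runs.
control "kusto_cluster_encrypted_at_rest_with_cmk" {
  title       = "Azure Data Explorer encryption at rest should use a customer-managed key"
  # Fixed wording: "to managing the keys" -> "to manage the keys".
  description = "Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is oftentimes applicable to customers with special compliance requirements and requires a Key Vault to manage the keys."
  query       = query.kusto_cluster_encrypted_at_rest_with_cmk

  tags = merge(local.dataexplorer_compliance_common_tags, { nist_sp_800_53_rev_5 = "true" })
}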
# Flags Kusto clusters that do not enable disk encryption. The check itself
# is the referenced query (defined elsewhere in the mod); the tag maps the
# control to NIST SP 800-53 Rev. 5 so framework-filtered runs include it.
control "kusto_cluster_disk_encryption_enabled" {
  title       = "Disk encryption should be enabled on Azure Data Explorer"
  description = "Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments."
  query       = query.kusto_cluster_disk_encryption_enabled

  tags = merge(local.dataexplorer_compliance_common_tags, { nist_sp_800_53_rev_5 = "true" })
}
# Flags Kusto clusters without double (infrastructure-level) encryption.
# The evaluation is delegated to the referenced query (defined elsewhere in
# the mod); this block carries the NIST SP 800-53 Rev. 5 framework tag.
control "kusto_cluster_double_encryption_enabled" {
  title       = "Double encryption should be enabled on Azure Data Explorer"
  description = "Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys."
  query       = query.kusto_cluster_double_encryption_enabled

  tags = merge(local.dataexplorer_compliance_common_tags, { nist_sp_800_53_rev_5 = "true" })
}
# Flags Kusto clusters provisioned on a SKU that carries no SLA. Which SKUs
# count as SLA-backed is decided by the referenced query (defined elsewhere
# in the mod). Tagged `other_checks` rather than a compliance framework, so
# it is excluded from framework-filtered runs such as nist_sp_800_53_rev_5.
control "kusto_cluster_sku_with_sla" {
  title       = "Kusto clusters should use SKU with an SLA"
  description = "This control checks if Kusto clusters use SKU with an SLA. This control is considered non-compliant if Kusto clusters use SKUs without an SLA."
  query       = query.kusto_cluster_sku_with_sla

  tags = merge(local.dataexplorer_compliance_common_tags, { other_checks = "true" })
}
# Flags Kusto clusters that are not configured with a managed identity.
# The check is the referenced query (defined elsewhere in the mod).
# NOTE(review): unlike the sibling controls this one adds no framework or
# `other_checks` tag, so it only runs when the benchmark is run unfiltered —
# confirm that omission is intended.
control "kusto_cluster_uses_managed_identity" {
  title       = "Kusto clusters should use managed identities"
  description = "Use a managed identity for enhanced authentication security."
  query       = query.kusto_cluster_uses_managed_identity

  tags = local.dataexplorer_compliance_common_tags
}