Merge pull request #2064 from AkhtarAmir/H-plugin/azure-synapse-doubl…
…e-encryption H-plugin synapse workspace double encryption
Showing
3 changed files
with
153 additions
and
0 deletions.
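--- /dev/null
+++ b/workspaceDoubleEncryption.js
@@ -0,0 +1,56 @@
+var async = require('async');
+var helpers = require('../../../helpers/azure');
+
+module.exports = {
+title: 'Synapse Workspace Double Encryption Enabled',
+category: 'AI & ML',
+domain: 'Machine Learning',
+severity: 'High',
+description: 'Ensures that Azure Synapse workspaces have double Encryption enabled.',
+more_info: 'Enabling double encryption for Synapse workspace provides an extra layer of protection for data at rest and in transit. This feature significantly enhances security and helps ensure compliance with stringent data protection standards within the Azure environment.',
+recommended_action: 'Create a new Synapse workspace and enable double encryption using CMK.',
+link: 'https://learn.microsoft.com/en-us/azure/synapse-analytics/security/workspaces-encryption',
+apis: ['synapse:listWorkspaces'],
+realtime_triggers: ['microsoftsynapse:workspaces:write','microsoftsynapse:workspaces:delete'],
+
+run: function(cache, settings, callback) {
+const results = [];
+const source = {};
+const locations = helpers.locations(settings.govcloud);
+
+async.each(locations.synapse, function(location, rcb) {
+const workspaces = helpers.addSource(cache, source,
+['synapse', 'listWorkspaces', location]);
+
+if (!workspaces) return rcb();
+
+
+if (workspaces.err || !workspaces.data) {
+helpers.addResult(results, 3, 'Unable to query Synapse workspaces: ' + helpers.addError(workspaces), location);
+return rcb();
+}
+
+if (!workspaces.data.length) {
+helpers.addResult(results, 0, 'No existing Synapse workspaces found', location);
+return rcb();
+}
+
+for (let workspace of workspaces.data) {
+if (!workspace.id) continue;
+
+if (workspace.encryption &&
+workspace.encryption.doubleEncryptionEnabled &&
+Object.entries(workspace.encryption.cmk).length > 0) {
+helpers.addResult(results, 0, 'Synapse workspace has double encryption enabled', location, workspace.id);
+} else {
+helpers.addResult(results, 2, 'Synapse workspace does not have double encryption enabled', location, workspace.id);
+}
+}
+
+rcb();
+}, function() {
+// Global checking goes here
+callback(null, results, source);
+});
+}
+};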
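Review bot: The pass condition `Object.entries(workspace.encryption.cmk).length > 0` throws a TypeError whenever `encryption.cmk` is absent or null, because `Object.entries` rejects undefined; nothing in this hunk guarantees the API populates `cmk` every time `doubleEncryptionEnabled` is true, and one such workspace would abort the whole scan instead of yielding a result. Guard the property before enumerating it, e.g. `workspace.encryption.cmk && Object.keys(workspace.encryption.cmk).length > 0`, so that workspace falls through to the failing branch. Note also that the else branch reports "does not have double encryption enabled" even when the flag is set but no CMK is recorded, which a reader of the finding may find misleading. Separately, `more_info` claims protection for data "at rest and in transit", while the linked Microsoft page, as I read it, covers workspace encryption at rest only; and `category: 'AI & ML'` / `domain: 'Machine Learning'` for an analytics service looks copied from a neighbouring plugin — worth confirming against the repository's category list.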
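--- /dev/null
+++ b/workspaceDoubleEncryption.spec.js
@@ -0,0 +1,96 @@
+var expect = require('chai').expect;
+var workspaceDoubleEncryption = require('./workspaceDoubleEncryption');
+
+const workspaces = [
+{
+type: "Microsoft.Synapse/workspaces",
+id: "/subscriptions/123/resourceGroups/rsgrp/providers/Microsoft.Synapse/workspaces/test",
+location: "eastus",
+name: "test",
+encryption: {
+doubleEncryptionEnabled: false
+}
+},
+{
+type: "Microsoft.Synapse/workspaces",
+id: "/subscriptions/123/resourceGroups/rsgrp/providers/Microsoft.Synapse/workspaces/test",
+location: "eastus",
+name: "test",
+encryption: {
+cmk: {
+kekIdentity: {
+useSystemAssignedIdentity: true,
+},
+key: {
+name: "default",
+keyVaultUrl: "https://test-key-0011.vault.azure.net/keys/test-key",
+},
+},
+doubleEncryptionEnabled: true,
+}
+},
+];
+
+
+const createCache = (workspaces, err) => {
+
+return {
+synapse: {
+listWorkspaces: {
+'eastus': {
+data: workspaces,
+err: err
+}
+}
+}
+};
+};
+
+describe('workspaceDoubleEncryption', function () {
+describe('run', function () {
+
+it('should give a passing result if no Synapse workspaces are found', function (done) {
+const cache = createCache([], null);
+workspaceDoubleEncryption.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(0);
+expect(results[0].message).to.include('No existing Synapse workspaces found');
+expect(results[0].region).to.equal('eastus');
+done();
+});
+});
+
+it('should give unknown result if unable to query for Synapse workspaces', function (done) {
+const cache = createCache(null, ['error']);
+workspaceDoubleEncryption.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(3);
+expect(results[0].message).to.include('Unable to query Synapse workspaces');
+expect(results[0].region).to.equal('eastus');
+done();
+});
+});
+
+it('should give passing result if workspace has double encryption enabled', function (done) {
+const cache = createCache([workspaces[1]], null);
+workspaceDoubleEncryption.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(0);
+expect(results[0].message).to.include('Synapse workspace has double encryption enabled');
+expect(results[0].region).to.equal('eastus');
+done();
+});
+});
+
+it('should give failing result if workspace does not have double encryption enabled', function (done) {
+const cache = createCache([workspaces[0]], null);
+workspaceDoubleEncryption.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(2);
+expect(results[0].message).to.include('Synapse workspace does not have double encryption enabled');
+expect(results[0].region).to.equal('eastus');
+done();
+});
+});
+});
+});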
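Review bot: The spec never exercises the input on which the plugin's `Object.entries(workspace.encryption.cmk)` call would throw — `doubleEncryptionEnabled: true` with no `cmk` object — since the first fixture omits the flag and the second supplies a full `cmk`, so a regression in that guard would go unnoticed. Add a third fixture carrying only the flag and a case asserting that `run` still delivers exactly one result rather than throwing; the status to expect depends on the guard the plugin adopts (2 if a missing CMK is treated as not doubly encrypted), so pin it to whatever the plugin decides. The two existing fixtures also share the same `id` and `name`, which means a test that puts both in one cache could not distinguish their results; giving the second a distinct name would make such a test possible. A sketch of the added fixture and case:

```javascript
const workspaces = [
    // … unchanged: existing two fixtures …
    {
        type: "Microsoft.Synapse/workspaces",
        id: "/subscriptions/123/resourceGroups/rsgrp/providers/Microsoft.Synapse/workspaces/test-nocmk",
        location: "eastus",
        name: "test-nocmk",
        encryption: {
            doubleEncryptionEnabled: true
        }
    },
];

// … unchanged: createCache and the existing four cases …

it('should report a result, not throw, when the flag is set but no CMK is recorded', function (done) {
    const cache = createCache([workspaces[2]], null);
    workspaceDoubleEncryption.run(cache, {}, (err, results) => {
        expect(results.length).to.equal(1);
        expect(results[0].status).to.equal(2);
        expect(results[0].region).to.equal('eastus');
        done();
    });
});
```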