Merge pull request #2072 from AkhtarAmir/FS-Azure/MLworkspceHBI

Fs azure/m lworkspce hbi
aquasecurity · Sep 18, 2024 · b0a0a2d · b0a0a2d
2 parents 8ff59b2 + 4ad942b
commit b0a0a2d
Show file tree

Hide file tree

Showing 3 changed files with 149 additions and 0 deletions.
diff --git a/exports.js b/exports.js
@@ -738,6 +738,7 @@ module.exports = {
         'containerAppHasTags'           : require(__dirname + '/plugins/azure/containerapps/containerAppHasTags.js'),
         'containerAppIPRestriction'      : require(__dirname + '/plugins/azure/containerapps/containerAppIPRestriction.js'),
 
+        'mlWorkspaceHBI'                : require(__dirname + '/plugins/azure/machinelearning/mlWorkspaceHBI.js'),
         'workspacePublicAccessDisabled' : require(__dirname + '/plugins/azure/machinelearning/workspacePublicAccessDisabled.js'),
         'workspaceLoggingEnabled'       : require(__dirname + '/plugins/azure/machinelearning/workspaceLoggingEnabled.js'),
         'mlWorkspaceHasTags'            : require(__dirname + '/plugins/azure/machinelearning/mlWorkspaceHasTags.js'),

diff --git a/plugins/azure/machinelearning/mlWorkspaceHBI.js b/plugins/azure/machinelearning/mlWorkspaceHBI.js
@@ -0,0 +1,56 @@
+var async = require('async');
+var helpers = require('../../../helpers/azure');
+
+module.exports = {
+    title: 'Machine Learning Workspace High Business Impact Enabled',
+    category: 'AI & ML',
+    domain: 'Machine Learning',
+    severity: 'Medium',
+    description: 'Ensures that Machine Learning workspaces have High Business Impact (HBI) feature enabled.',
+    more_info: 'Enabling the High Business Impact (HBI) feature in Machine Learning workspaces controls the data Microsoft collects for diagnostics, prevents the transmission of confidential telemetry, and enhances encryption to protect sensitive business information while ensuring compliance with security protocols.',
+    recommended_action: 'Ensures that High Business Impact (HBI) feature enabled for Machine Learning workspace.',
+    link: 'https://learn.microsoft.com/en-us/azure/machine-learning/concept-data-encryption',
+    apis: ['machineLearning:listWorkspaces'],
+    realtime_triggers: ['microsoft:machinelearningservices:workspaces:write', 'microsoft:machinelearningservices:workspaces:delete'],
+
+    run: function(cache, settings, callback) {
+        const results = [];
+        const source = {};
+        const locations = helpers.locations(settings.govcloud);
+
+        async.each(locations.machineLearning, function(location, rcb) {
+            var machineLearningWorkspaces = helpers.addSource(cache, source,
+                ['machineLearning', 'listWorkspaces', location]);
+
+            if (!machineLearningWorkspaces) return rcb();
+
+            if (machineLearningWorkspaces.err || !machineLearningWorkspaces.data) {
+                helpers.addResult(results, 3,
+                    'Unable to query for Machine Learning workspaces: ' + helpers.addError(machineLearningWorkspaces), location);
+                return rcb();
+            }
+
+            if (!machineLearningWorkspaces.data.length) {
+                helpers.addResult(results, 0, 'No existing Machine Learning workspaces found', location);
+                return rcb();
+            }
+
+            for (let workspace of machineLearningWorkspaces.data) {
+                if (!workspace.id) continue; 
+
+                if (workspace.hbiWorkspace) {
+                    helpers.addResult(results, 0,
+                        'Machine Learning workspace has high business impact (HBI) feature enabled', location, workspace.id);
+                } else {
+                    helpers.addResult(results, 2,
+                        'Machine Learning workspace does not have high business impact (HBI) feature enabled', location, workspace.id);
+                }
+            }
+
+            rcb();
+        }, function() {
+            // Global checking goes here
+            callback(null, results, source);
+        });
+    }
+};
diff --git a/plugins/azure/machinelearning/mlWorkspaceHBI.spec.js b/plugins/azure/machinelearning/mlWorkspaceHBI.spec.js
@@ -0,0 +1,92 @@
+var expect = require('chai').expect;
+var mlWorkspaceHBI = require('./mlWorkspaceHBI');
+
+const workspaces = [
+    {
+        "id": "/subscriptions/12345667/resourceGroups/test/providers/Microsoft.MachineLearningServices/workspaces/test1",
+        "name": "test",
+        "type": "Microsoft.MachineLearningServices/workspaces",
+        "hbiWorkspace": true
+
+
+      },
+      {
+        "id": "/subscriptions/12345667/resourceGroups/test/providers/Microsoft.MachineLearningServices/workspaces/test1",
+        "name": "test",
+        "type": "Microsoft.MachineLearningServices/workspaces",
+        "hbiWorkspace": false
+
+      },
+];
+
+const createCache = (workspaces) => {
+    return {
+        machineLearning: {
+            listWorkspaces: {
+                'eastus': {
+                    data: workspaces
+                }
+            }
+        }
+    };
+};
+
+const createErrorCache = () => {
+    return {
+        machineLearning: {
+            listWorkspaces: {
+                'eastus': {}
+            }
+        }
+    };
+};
+
+describe('mlWorkspaceHBI', function() {
+    describe('run', function() {
+        it('should give passing result if no Machine Learning workspace found', function(done) {
+            const cache = createCache([]);
+            mlWorkspaceHBI.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('No existing Machine Learning workspaces found');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give unknown result if unable to query for Machine Learning workspaces', function(done) {            
+        const cache = createErrorCache();
+            mlWorkspaceHBI.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                expect(results[0].message).to.include('Unable to query for Machine Learning workspaces: ');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+
+        it('should give passing result if Machine Learning workspace has high business impact (HBI) feature enabled', function(done) {
+            const cache = createCache([workspaces[0]]);
+            mlWorkspaceHBI.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('Machine Learning workspace has high business impact (HBI) feature enabled');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give failing result if Machine Learning workspace does not have high business impact (HBI) feature enabled', function(done) {
+            const cache = createCache([workspaces[1]]);
+            mlWorkspaceHBI.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(2);
+                expect(results[0].message).to.include('Machine Learning workspace does not have high business impact (HBI) feature enabled');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+    });
+});