
feat(azure): add new policies for Azure Synapse (terraform and arm)

Open · taviassaf opened this pull request 1 year ago • 1 comment

User description

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.

Fixes # (issue)

New/Edited policies (Delete if not relevant)

Description

Include a description of what makes it a violation and any relevant external links.

Fix

How does someone fix the issue in code and/or in runtime?

Checklist:

  • [ ] I have performed a self-review of my own code
  • [ ] I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [ ] I have added tests that prove my feature, policy, or fix is effective and works
  • [ ] New and existing tests pass locally with my changes

Generated description

Dear maintainer, below is a concise technical summary of the changes proposed in this PR:

Introduce new security and logging policies for Azure Synapse SQL Pools and Workspaces. The changes include adding checks to ensure log monitoring and security alert policies are enabled, vulnerability assessments are attached, and encryption is enforced. The SynapseWorkspaceAdministratorLoginPasswordHidden and SynapseWorkspaceCMKEncryption classes are introduced to ensure administrator passwords are not exposed and workspaces are encrypted with a CMK, respectively. These changes enhance the security posture of Azure Synapse resources by enforcing best practices through automated checks.

Topic | Details

Password Security | Ensure Azure Synapse Workspace administrator login passwords are not exposed, improving security.
Modified files (4):
  • tests/arm/checks/resource/test_SynapseWorkspaceAdministratorLoginPasswordHidden.py
  • tests/arm/checks/resource/example_SynapseWorkspaceAdministratorLoginPasswordHidden/fail.json
  • checkov/arm/checks/resource/SynapseWorkspaceAdministratorLoginPasswordHidden.py
  • tests/arm/checks/resource/example_SynapseWorkspaceAdministratorLoginPasswordHidden/pass.json
Latest contributors (1): Email | Commit | Date
  123508988+taviassaf@us... | feat-azure-add-new-pol... | July 11, 2024

Security Alert Policies | Add new policies to ensure Azure Synapse SQL Pools have security alert policies enabled, enhancing security monitoring.
Modified files (5):
  • tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/fail1.json
  • tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/fail2.json
  • tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/expected.yaml
  • tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasSecurityAlertPolicy/pass.json
  • checkov/arm/checks/graph_checks/SynapseSQLPoolHasSecurityAlertPolicy.yaml
Latest contributors (0)

Audit Logs | Implement checks to ensure Azure Synapse Workspaces have extended audit logs enabled for comprehensive logging.
Modified files (5):
  • tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/pass.json
  • tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/fail1.json
  • tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/expected.yaml
  • tests/arm/graph_builder/checks/resources/SynapseWorkspaceHasExtendedAuditLogs/fail2.json
  • checkov/arm/checks/graph_checks/SynapseWorkspaceHasExtendedAuditLogs.yaml
Latest contributors (0)

Vulnerability Assessment | Ensure Azure Synapse SQL Pools have vulnerability assessments attached to identify and mitigate potential security risks.
Modified files (5):
  • checkov/arm/checks/graph_checks/SynapseSQLPoolHasVulnerabilityAssessment.yaml
  • tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/fail.json
  • tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/fail2.json
  • tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/pass.json
  • tests/arm/graph_builder/checks/resources/SynapseSQLPoolHasVulnerabilityAssessment/expected.yaml
Latest contributors (0)

Data Encryption | Add checks to ensure Azure Synapse SQL Pools are encrypted, enhancing data protection.
Modified files (3):
  • tests/terraform/checks/resource/azure/example_SynapseSQLPoolDataEncryption/main.tf
  • tests/terraform/checks/resource/azure/test_SynapseSQLPoolDataEncryption.py
  • checkov/terraform/checks/resource/azure/SynapseSQLPoolDataEncryption.py
Latest contributors (1): Email | Commit | Date
  123508988+taviassaf@us... | feat-azure-add-new-pol... | July 11, 2024
This pull request is reviewed by Baz.

taviassaf avatar Jul 08 '24 10:07 taviassaf
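To make concrete what three of the policies summarised above actually evaluate, here is a stand-alone Python re-implementation of their logic over a parsed ARM template. This is an added example, not the PR's code and not checkov's check API (real checkov resource checks subclass BaseResourceCheck and the SQL-pool checks in this PR are YAML graph checks); it only shows the pass/fail conditions. The ARM resource types (Microsoft.Synapse/workspaces, .../sqlPools, .../sqlPools/securityAlertPolicies) and property paths (properties.sqlAdministratorLoginPassword, properties.encryption.cmk.key.keyVaultUrl, properties.state) are taken from my reading of the Azure Resource Manager reference and should be verified against the API version you deploy with; the two templates are constructed for the example and resource names are assumed to be literals rather than ARM expressions.

```python
import re
from typing import Any, Dict, Iterator, List, Tuple

# ARM resource types (assumption: as in the Azure Resource Manager reference; verify per API version).
WORKSPACE = "Microsoft.Synapse/workspaces"
SQL_POOL = "Microsoft.Synapse/workspaces/sqlPools"
ALERT_POLICY = "Microsoft.Synapse/workspaces/sqlPools/securityAlertPolicies"

# An ARM expression referencing a template parameter, e.g. "[parameters('adminPassword')]".
PARAM_REF = re.compile(r"^\[\s*parameters\('([^']+)'\)\s*\]$")

Resource = Dict[str, Any]


def _walk(resources: List[Resource], parent_type: str = "", parent_name: str = "") -> Iterator[Tuple[str, str, Resource]]:
    """Yield (full_type, full_name, resource) for top-level and nested resources.

    Nested children may be declared with a relative type ("sqlPools") and name ("pool1");
    they are expanded to the full type and "parent/child" name so parents and children can be
    matched however the template author laid them out. Assumption: names are literal strings.
    """
    for res in resources:
        rtype, rname = res.get("type", ""), res.get("name", "")
        if parent_type and not rtype.startswith("Microsoft."):
            rtype, rname = f"{parent_type}/{rtype}", f"{parent_name}/{rname}"
        yield rtype, rname, res
        yield from _walk(res.get("resources", []), rtype, rname)


def _by_type(template: Resource, rtype: str) -> List[Tuple[str, Resource]]:
    return [(n, r) for t, n, r in _walk(template.get("resources", [])) if t == rtype]


def admin_password_hidden(template: Resource) -> Dict[str, bool]:
    """Pass only if the SQL admin password is absent or is a reference to a securestring parameter.

    A literal password, or a reference to a plain 'string' parameter, ends up in deployment
    history and source control, so both are treated as exposed.
    """
    params = template.get("parameters", {})
    results = {}
    for name, res in _by_type(template, WORKSPACE):
        pwd = res.get("properties", {}).get("sqlAdministratorLoginPassword")
        if pwd is None:
            results[name] = True
            continue
        m = PARAM_REF.match(str(pwd))
        results[name] = m is not None and params.get(m.group(1), {}).get("type", "").lower() == "securestring"
    return results


def cmk_encryption(template: Resource) -> Dict[str, bool]:
    """Pass only if the workspace is configured with a customer-managed key in Key Vault."""
    results = {}
    for name, res in _by_type(template, WORKSPACE):
        key = res.get("properties", {}).get("encryption", {}).get("cmk", {}).get("key", {})
        results[name] = bool(key.get("keyVaultUrl"))
    return results


def sql_pool_has_security_alert_policy(template: Resource) -> Dict[str, bool]:
    """Pass only if each SQL pool has a securityAlertPolicies child whose state is Enabled."""
    # policy name is "<ws>/<pool>/<policy>"; strip the last segment to get the owning pool
    policies = {n.rsplit("/", 1)[0]: r for n, r in _by_type(template, ALERT_POLICY)}
    results = {}
    for name, _ in _by_type(template, SQL_POOL):
        pol = policies.get(name)
        results[name] = pol is not None and pol.get("properties", {}).get("state") == "Enabled"
    return results


def run_all(template: Resource) -> Dict[str, Dict[str, bool]]:
    return {
        "SynapseWorkspaceAdministratorLoginPasswordHidden": admin_password_hidden(template),
        "SynapseWorkspaceCMKEncryption": cmk_encryption(template),
        "SynapseSQLPoolHasSecurityAlertPolicy": sql_pool_has_security_alert_policy(template),
    }


# Constructed sample templates (not from the PR's test fixtures).
FAIL_TEMPLATE: Resource = {
    "parameters": {"adminPassword": {"type": "string"}},
    "resources": [{
        "type": WORKSPACE, "name": "ws1", "apiVersion": "2021-06-01",
        "properties": {"sqlAdministratorLogin": "sqladmin",
                       "sqlAdministratorLoginPassword": "P@ssw0rd-in-clear"},  # literal secret
        "resources": [{"type": "sqlPools", "name": "pool1", "properties": {}}],  # no alert policy
    }],
}

PASS_TEMPLATE: Resource = {
    "parameters": {"adminPassword": {"type": "securestring"}},
    "resources": [
        {"type": WORKSPACE, "name": "ws1", "apiVersion": "2021-06-01",
         "properties": {"sqlAdministratorLogin": "sqladmin",
                        "sqlAdministratorLoginPassword": "[parameters('adminPassword')]",
                        "encryption": {"cmk": {"key": {"name": "default",
                                                       "keyVaultUrl": "https://kv.vault.azure.net/keys/synapse"}}}}},
        {"type": SQL_POOL, "name": "ws1/pool1", "apiVersion": "2021-06-01",
         "resources": [{"type": "securityAlertPolicies", "name": "Default",
                        "properties": {"state": "Enabled"}}]},
    ],
}

if __name__ == "__main__":
    for label, tpl in (("fail.json", FAIL_TEMPLATE), ("pass.json", PASS_TEMPLATE)):
        for check, per_resource in run_all(tpl).items():
            for resource, ok in per_resource.items():
                print(f"{label}: {check} {resource}: {'PASSED' if ok else 'FAILED'}")
```

The password check deliberately fails a `[parameters('adminPassword')]` reference when the parameter is declared as `string` rather than `securestring`: the value is not in the template file, but it is still logged in the deployment history, which is the exposure the policy exists to prevent.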

Hi @taviassaf. Thanks for contributing!

There are several conflicts; please resolve them. If the pull request is not relevant any more, please close it (-:

itai1357 avatar Jul 18 '24 10:07 itai1357

Hi @taviassaf, after we added support for the ARM graph this week, I will resolve the conflicts, send your PR for review, and merge it. Thank you so much for contributing!

lirshindalman avatar Oct 31 '24 11:10 lirshindalman