From 44e5b657527840f3835678a4a48ea91f48e2b226 Mon Sep 17 00:00:00 2001
From: AkhtarAmir
Date: Mon, 15 Jul 2024 13:27:38 +0500
Subject: [PATCH 1/3] H-plugin synapse workspace double encryption

---
 exports.js | 1 +
 .../synapse/workspaceDoubleEncryption.js | 56 +++++++++++
 .../synapse/workspaceDoubleEncryption.spec.js | 96 +++++++++++++++++++
 3 files changed, 153 insertions(+)
 create mode 100644 plugins/azure/synapse/workspaceDoubleEncryption.js
 create mode 100644 plugins/azure/synapse/workspaceDoubleEncryption.spec.js

diff --git a/exports.js b/exports.js
index dcbf2a3dbb..50a7e9f116 100644
--- a/exports.js
+++ b/exports.js
@@ -1217,6 +1217,7 @@ module.exports = {
     'workspaceManagedIdentity' : require(__dirname + '/plugins/azure/synapse/workspaceManagedIdentity.js'),
     'synapseWorkspaceAdAuthEnabled' : require(__dirname + '/plugins/azure/synapse/synapseWorkspaceAdAuthEnabled.js'),
     'synapseWorkspacPrivateEndpoint': require(__dirname + '/plugins/azure/synapse/synapseWorkspacPrivateEndpoint.js'),
+    'workspaceDoubleEncryption' : require(__dirname + '/plugins/azure/synapse/workspaceDoubleEncryption.js'),

     'apiInstanceManagedIdentity' : require(__dirname + '/plugins/azure/apiManagement/apiInstanceManagedIdentity.js'),
     'apiInstanceHasTags' : require(__dirname + '/plugins/azure/apiManagement/apiInstanceHasTags.js'),
diff --git a/plugins/azure/synapse/workspaceDoubleEncryption.js b/plugins/azure/synapse/workspaceDoubleEncryption.js
new file mode 100644
index 0000000000..252a16321f
--- /dev/null
+++ b/plugins/azure/synapse/workspaceDoubleEncryption.js
@@ -0,0 +1,56 @@
+var async = require('async');
+var helpers = require('../../../helpers/azure');
+
+module.exports = {
+    title: 'Synapse Workspace Double Encryption Enabled',
+    category: 'AI & ML',
+    domain: 'Machine Learning',
+    severity: 'High',
+    description: 'Ensures that Azure Synapse workspace has double Encryption enabled.',
+    more_info: 'Enabling double encryption for Synapse workspace provides an extra layer of protection for data at rest and in transit. This feature significantly enhances security and helps ensure compliance with stringent data protection standards within the Azure environment.',
+    recommended_action: 'Create a new Synapse workspace and enable double encryption using CMK.',
+    link: 'https://learn.microsoft.com/en-us/azure/synapse-analytics/security/workspaces-encryption',
+    apis: ['synapse:listWorkspaces'],
+    realtime_triggers: ['microsoftsynapse:workspaces:write','microsoftsynapse:workspaces:delete'],
+
+    run: function(cache, settings, callback) {
+        const results = [];
+        const source = {};
+        const locations = helpers.locations(settings.govcloud);
+
+        async.each(locations.synapse, function(location, rcb) {
+            const workspaces = helpers.addSource(cache, source,
+                ['synapse', 'listWorkspaces', location]);
+
+            if (!workspaces) return rcb();
+
+
+            if (workspaces.err || !workspaces.data) {
+                helpers.addResult(results, 3, 'Unable to query Synapse workspaces: ' + helpers.addError(workspaces), location);
+                return rcb();
+            }
+
+            if (!workspaces.data.length) {
+                helpers.addResult(results, 0, 'No existing Synapse workspaces found', location);
+                return rcb();
+            }
+
+            for (let workspace of workspaces.data) {
+                if (!workspace.id) continue;
+
+                if (workspace.encryption &&
+                    workspace.encryption.doubleEncryptionEnabled &&
+                    Object.entries(workspace.encryption.cmk).length > 0) {
+                    helpers.addResult(results, 0, 'Synapse workspace has double encryption enabled', location, workspace.id);
+                } else {
+                    helpers.addResult(results, 2, 'Synapse workspace does not have double encryption enabled', location, workspace.id);
+                }
+            }
+
+            rcb();
+        }, function() {
+            // Global checking goes here
+            callback(null, results, source);
+        });
+    }
+};
\ No newline at end of file
diff --git a/plugins/azure/synapse/workspaceDoubleEncryption.spec.js b/plugins/azure/synapse/workspaceDoubleEncryption.spec.js
new file mode 100644
index 0000000000..54f0b00f88
--- /dev/null
+++ b/plugins/azure/synapse/workspaceDoubleEncryption.spec.js
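Review bot: `Object.entries(workspace.encryption.cmk).length > 0` throws a TypeError whenever `doubleEncryptionEnabled` is true but `cmk` is absent or null, and nothing in `run` catches it, so a single such workspace aborts the whole plugin instead of yielding a FAIL result for that resource. Guard the property before enumerating it: `workspace.encryption.cmk && Object.keys(workspace.encryption.cmk).length > 0`. Whether the API can return `doubleEncryptionEnabled: true` without a `cmk` block I cannot confirm from here, but the guard costs nothing and keeps the scan alive. Separately, `more_info` claims protection for data "in transit"; as far as the CMK wording and the linked workspace-encryption page suggest, this feature is a second key layer over encryption at rest, so I would drop "and in transit" unless it can be backed.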
@@ -0,0 +1,96 @@
+var expect = require('chai').expect;
+var workspaceDoubleEncryption = require('./workspaceDoubleEncryption');
+
+const workspaces = [
+    {
+        type: "Microsoft.Synapse/workspaces",
+        id: "/subscriptions/123/resourceGroups/rsgrp/providers/Microsoft.Synapse/workspaces/test",
+        location: "eastus",
+        name: "test",
+        encryption: {
+            doubleEncryptionEnabled: false
+        }
+    },
+    {
+        type: "Microsoft.Synapse/workspaces",
+        id: "/subscriptions/123/resourceGroups/rsgrp/providers/Microsoft.Synapse/workspaces/test",
+        location: "eastus",
+        name: "test",
+        encryption: {
+            cmk: {
+                kekIdentity: {
+                    useSystemAssignedIdentity: true,
+                },
+                key: {
+                    name: "default",
+                    keyVaultUrl: "https://test-key-0011.vault.azure.net/keys/test-key",
+                },
+            },
+            doubleEncryptionEnabled: true,
+        }
+    },
+];
+
+
+const createCache = (workspaces, err) => {
+
+    return {
+        synapse: {
+            listWorkspaces: {
+                'eastus': {
+                    data: workspaces,
+                    err: err
+                }
+            }
+        }
+    };
+};
+
+describe('workspaceDoubleEncryption', function () {
+    describe('run', function () {
+
+        it('should give a passing result if no Synapse workspaces are found', function (done) {
+            const cache = createCache([], null);
+            workspaceDoubleEncryption.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('No existing Synapse workspaces found');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give unknown result if unable to query for Synapse workspaces', function (done) {
+            const cache = createCache(null, ['error']);
+            workspaceDoubleEncryption.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                expect(results[0].message).to.include('Unable to query Synapse workspaces');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give passing result if workspace has double encryption enabled', function (done) {
+            const cache = createCache([workspaces[1]], null);
+            workspaceDoubleEncryption.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('Synapse workspace has double encryption enabled');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give failing result if workspace does not have double encryption enabled', function (done) {
+            const cache = createCache([workspaces[0]], null);
+            workspaceDoubleEncryption.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(2);
+                expect(results[0].message).to.include('Synapse workspace does not have double encryption enabled');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+    });
+});
\ No newline at end of file
From 46e7f21d5d895575387bfd658ff4b946d2e17bf0 Mon Sep 17 00:00:00 2001
From: AkhtarAmir
Date: Mon, 26 Aug 2024 14:03:10 +0500
Subject: [PATCH 2/3] update message

---
 plugins/azure/synapse/workspaceDoubleEncryption.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugins/azure/synapse/workspaceDoubleEncryption.js b/plugins/azure/synapse/workspaceDoubleEncryption.js
index 252a16321f..4382d68ff3 100644
--- a/plugins/azure/synapse/workspaceDoubleEncryption.js
+++ b/plugins/azure/synapse/workspaceDoubleEncryption.js
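Review bot: The fixtures in `workspaces` only exercise `doubleEncryptionEnabled: false` and the full CMK shape, so the two branches most likely to misbehave in the plugin are untested: a workspace with no `encryption` property at all, and one with `doubleEncryptionEnabled: true` but no `cmk` block, which currently makes the plugin throw from `Object.entries` rather than report. Add a fixture `{ ...workspaces[0], encryption: { doubleEncryptionEnabled: true } }` and a second one with the `encryption` key removed, and add `it` cases asserting each yields one result with status 2. Both existing entries also share the same `id`, which is harmless while each test passes a single workspace but would mask per-resource bugs in any future test that passes both.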
@@ -6,7 +6,7 @@ module.exports = {
     category: 'AI & ML',
     domain: 'Machine Learning',
     severity: 'High',
-    description: 'Ensures that Azure Synapse workspace has double Encryption enabled.',
+    description: 'Ensures that Azure Synapse workspaces have double Encryption enabled.',
     more_info: 'Enabling double encryption for Synapse workspace provides an extra layer of protection for data at rest and in transit. This feature significantly enhances security and helps ensure compliance with stringent data protection standards within the Azure environment.',
     recommended_action: 'Create a new Synapse workspace and enable double encryption using CMK.',
     link: 'https://learn.microsoft.com/en-us/azure/synapse-analytics/security/workspaces-encryption',
From 605098032e605741cbf0be11f896884af7621786 Mon Sep 17 00:00:00 2001
From: AkhtarAmir
Date: Mon, 26 Aug 2024 14:42:40 +0500
Subject: [PATCH 3/3] update files

---
 plugins/aws/eks/eksKubernetesVersion.spec.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugins/aws/eks/eksKubernetesVersion.spec.js b/plugins/aws/eks/eksKubernetesVersion.spec.js
index b53206f8d2..0997f85358 100644
--- a/plugins/aws/eks/eksKubernetesVersion.spec.js
+++ b/plugins/aws/eks/eksKubernetesVersion.spec.js
@@ -82,7 +82,7 @@ describe('eksKubernetesVersion', function () {
                 "cluster": {
                     "name": "mycluster",
                     "arn": "arn:aws:eks:us-east-1:012345678911:cluster/mycluster",
-                    "version": "1.27",
+                    "version": "1.29",
                 }
             }
         );