π Azure Databricks Workspace is not encrypted using customer-managed key (CMK) π’
- Contextual name: π Workspace is not encrypted using customer-managed key (CMK) π’
- ID:
/ce/ca/azure/databricks/customer-managed-keys - Located in: π Azure Databricks
Flagsβ
- π’ Policy with categories
- π’ Policy with type
- π’ Production policy
Our Metadataβ
- Policy Type:
COMPLIANCE_POLICY - Policy Category:
SECURITY
Logicβ
- π§ prod.logic.yaml π’
Descriptionβ
Descriptionβ
Azure Databricks encrypts data in transit using TLS 1.2+ to secure API, workspace, and cluster communications. By default, data at rest is encrypted using Microsoft-managed keys.
Rationaleβ
Organizations with stricter needs for control of encryption keys should enable customer-managed keys (CMK) for greater control over data encryption, auditing, and regulatory compliance. Azure Key Vault should be used to store and manage CMKs. Enforcing encryption at rest and in transit in Azure Databricks:
- Protects sensitive data from unauthorized access.
- Ensures regulatory compliance (ISO 27001, GDPR, HIPAA, SOC 2).
- Allows key revocation and rotation control with customer-managed keys (CMK).
- Mitigates insider threats by preventing unauthorized access to raw storage.
Impactβ
Enabling CMK encryption requires additional configuration. Key management introduces maintenance overhead (rotation, revocation, lifecycle management). Potential access issues will be encountered if keys are deleted or rotated incorrectly.
... see more
Remediationβ
Remediationβ
NOTE: These remediations assume that an Azure KeyVault already exists in the subscription.
From Azure CLIβ
Create a dedicated key:
az keyvault key create --vault-name <keyvault-name> --name <key-name> --protection <"software" or "hsm">Assign permissions to Databricks:
az keyvault set-policy --name <keyvault-name> --resource-group <resource-group-name> --spn <databricks-spn> --key-permissions get wrapKey unwrapKeyEnable encryption with CMK:
az databricks workspace update --name <databricks-workspace-name> --resource-group <resource-group-name> --key-source "Microsoft.KeyVault" --key-name <key-name> --keyvault-uri <keyvault-uri>From PowerShellβ
$Key = Add-AzKeyVaultKey -VaultName <keyvault-name> -Name <key-name> -Destination <"software" or "hsm"> Set-AzDatabricksWorkspace -ResourceGroupName "<resource-group-name>" -WorkspaceName "<databricks-workspace-name>" -EncryptionKeySource "Microsoft.KeyVault" -KeyVaultUri $Key.Id
policy.yamlβ
Linked Framework Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| πΌ CIS Azure v4.0.0 β πΌ 3.1.8 Ensure that data at rest and in transit is encrypted in Azure Databricks using customer managed keys (CMK) (Automated) | 1 | |||
| πΌ Cloudaware Framework β πΌ Data Encryption | 40 |