🛡️ Azure Databricks Workspace is not encrypted using customer-managed key (CMK)🟢

Contextual name: 🛡️ Workspace is not encrypted using customer-managed key (CMK)🟢
ID: /ce/ca/azure/databricks/customer-managed-keys
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 Azure Databricks Workspace
- 🔌 Azure Databricks Workspace - object.extracts.yaml
- 🧪 test-data.json

Description

Description

Customer-managed keys introduce additional depth to security by providing a means to manage access control for encryption keys. Where compliance and security frameworks indicate the need, and organizational capacity allows, sensitive data at rest can be encrypted using customer-managed keys (CMK) rather than Microsoft-managed keys.

Rationale

Organizations with stricter needs for control of encryption keys should enable customer-managed keys (CMK) for greater control over data encryption, auditing, and regulatory compliance. Azure Key Vault should be used to store and manage CMKs. Enforcing encryption at rest and in transit in Azure Databricks:

Protects sensitive data from unauthorized access.

Ensures regulatory compliance (ISO 27001, GDPR, HIPAA, SOC 2).

Allows key revocation and rotation control with customer-managed keys (CMK).

Mitigates insider threats by preventing unauthorized access to raw storage.

Impact

Enabling CMK encryption requires additional configuration. Key management introduces maintenance overhead (rotation, revocation, lifecycle management). Potential access issues will be encountered if keys are deleted or rotated incorrectly.

... see more

Remediation

Open File

Remediation

NOTE: These remediations assume that an Azure KeyVault already exists in the subscription.

From Azure CLI

Create a dedicated key:

az keyvault key create --vault-name <keyvault-name> --name <key-name> --protection <"software" or "hsm">

Assign permissions to Databricks:

az keyvault set-policy --name <keyvault-name> --resource-group <resource-group-name> --spn <databricks-spn> --key-permissions get wrapKey unwrapKey

Enable encryption with CMK:

az databricks workspace update --name <databricks-workspace-name> --resource-group <resource-group-name> --key-source "Microsoft.KeyVault" --key-name <key-name> --keyvault-uri <keyvault-uri>

From PowerShell

$Key = Add-AzKeyVaultKey -VaultName <keyvault-name> -Name <key-name> -Destination <"software" or "hsm"> Set-AzDatabricksWorkspace -ResourceGroupName "<resource-group-name>" -WorkspaceName "<databricks-workspace-name>" -EncryptionKeySource "Microsoft.KeyVault" -KeyVaultUri $Key.Id

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS Azure v5.0.0 → 💼 2.1.8 Ensure critical data in Azure Databricks is encrypted with customer-managed keys (CMK) (Manual)			1		no data
💼 Cloudaware Framework → 💼 Data Encryption			67		no data

Logic​

Description​

Description​

Rationale​

Impact​

Remediation​

Remediation​

From Azure CLI​

From PowerShell​

policy.yaml​

Linked Framework Sections​

Logic

Description

Description

Rationale

Impact

Remediation

Remediation

From Azure CLI

From PowerShell

policy.yaml

Linked Framework Sections