π Azure Databricks Personal Access Tokens (PATs) are not restricted and expirable π’
- Contextual name: π Databricks Personal Access Tokens (PATs) are not restricted and expirable π’
- ID:
/ce/ca/azure/databricks/personal-access-tokens - Located in: π Azure Databricks
Flagsβ
- π’ Impossible policy
- π’ Policy with categories
- π’ Policy with type
Our Metadataβ
- Policy Type:
COMPLIANCE_POLICY - Policy Category:
SECURITY
Descriptionβ
Descriptionβ
Databricks personal access tokens (PATs) provide API-based authentication for users and applications. By default, users can generate API tokens without expiration, leading to potential security risks if tokens are leaked, improperly stored, or not rotated regularly.
To mitigate these risks, administrators should:
- Restrict token creation to approved users and service principals.
- Enforce expiration policies to prevent long-lived tokens.
- Monitor token usage and revoke unused or compromised tokens.
Rationaleβ
Restricting usage and enforcing expiry for personal access tokens reduces exposure to long-lived tokens, minimizes the risk of API abuse if compromised, and aligns with security best practices through controlled issuance and enforced expiry.
Impactβ
If revoked improperly, applications relying on these tokens may fail, requiring a remediation plan for token rotation. Increased administrative effort is required to track and manage API tokens effectively.
Auditβ
Azure Databricks administrators can monitor and revoke personal access tokens within their workspace. Detailed instructions are available in the "Monitor and Revoke Personal Access Tokens" section of the Microsoft documentation: https://learn.microsoft.com/en-us/azure/databricks/admin/access-control/tokens. To evaluate the usage of personal access tokens in your Azure Databricks account, you can utilize the provided notebook that lists all PATs not rotated or updated in the last 90 days, allowing you to identify tokens that may require revocation. This process is detailed here: https://docs.azure.cn/en-us/databricks/security/auth/oauth-pat-usage. Implementing diagnostic logging provides a comprehensive reference of audit log services and events, enabling you to track activities related to personal access tokens. More information can be found in the diagnostic log reference section: https://docs.azure.cn/en-us/databricks/security/auth/oauth-pat-usage.
... see more
Remediationβ
Remediationβ
From Azure Portalβ
Disable personal access tokens:
If your workspace does not require PATs, you can disable them entirely to prevent their use.
- Navigate to your Azure Databricks workspace.
- Click the
Settingsicon and selectAdmin Console.- Go to the
Advancedtab.- Under
Personal Access Tokens, toggle the setting toDisabled.Databricks CLI:
databricks workspace-conf set-status --json '{"enableTokens": "false"}'Control who can create and use personal access tokens:
Define which users or groups are authorized to create and utilize PATs.
- Navigate to your Azure Databricks workspace.
- Click the
Settingsicon and selectAdmin Console.- Go to the
Advancedtab.- Click on
Personal Access Tokensand thenPermissions.- Assign the appropriate permissions (e.g. No Permissions, Can Use, Can Manage) to users or groups.
Set maximum lifetime for new personal access tokens:
Limit the validity period of new tokens to reduce potential misuse.
Databricks CLI:
databricks workspace-conf set-status --json '{"maxTokenLifetimeDays": "90"}'
... [see more](remediation.md)
policy.yamlβ
Linked Framework Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| πΌ CIS Azure v4.0.0 β πΌ 3.1.6 Ensure that usage is restricted and expiry is enforced for Databricks personal access tokens (Manual) | 1 | |||
| πΌ Cloudaware Framework β πΌ Secure Access | 53 |