Azure Databricks Workspace traffic is not encrypted between cluster worker nodes
- Contextual name: Workspace traffic is not encrypted between cluster worker nodes
- ID: /ce/ca/azure/databricks/traffic-between-cluster-worker-nodes
- Located in: Azure Databricks
Flags
- Impossible policy
- Policy with categories
- Policy with type
Our Metadata
- Policy Type: COMPLIANCE_POLICY
- Policy Category: SECURITY
Description
By default, data exchanged between worker nodes in an Azure Databricks cluster is not encrypted. To ensure that data is encrypted at all times, whether at rest or in transit, you can create an initialization script that configures your clusters to encrypt traffic between worker nodes using AES 256-bit encryption over a TLS 1.3 connection.
Rationale
- Protects sensitive data during transit between cluster nodes, mitigating risks of data interception or unauthorized access.
- Aligns with organizational security policies and compliance requirements that mandate encryption of data in transit.
- Enhances overall security posture by ensuring that all inter-node communications within the cluster are encrypted.
Impact
- Enabling encryption may introduce a performance penalty due to the computational overhead associated with encrypting and decrypting traffic. This can result in longer query execution times, especially for data-intensive operations.
- Implementing encryption requires creating and managing init scripts, which adds complexity to cluster configuration and maintenance.
Remediation
1. Create a JKS keystore:
   - Generate a Java KeyStore (JKS) file that will be used for SSL/TLS encryption.
   - Upload the keystore file to a secure directory in DBFS (e.g. /dbfs/<keystore-directory>/jetty_ssl_driver_keystore.jks).
2. Develop an init script that performs the following tasks:
   - Retrieves the JKS keystore file and password.
   - Derives a shared encryption secret from the keystore.
   - Configures Spark driver and executor settings to enable encryption.
Example init script:

```bash
#!/bin/bash
set -euo pipefail

# Keystore uploaded to DBFS; replace <keystore-directory> with the directory chosen above.
keystore_dbfs_file="/dbfs/<keystore-directory>/jetty_ssl_driver_keystore.jks"

# Wait until the keystore is visible through the DBFS FUSE mount (up to 30 x 2 seconds).
max_attempts=30
while [ ! -f "${keystore_dbfs_file}" ]; do
  if [ "$max_attempts" -eq 0 ]; then
    echo "ERROR: Unable to find the file : $keystore_dbfs_file. Failing the script."
    exit 1
  fi
  sleep 2s
  ((max_attempts--))
done

# Derive the shared inter-node secret from the keystore bytes so every node computes the same value.
sasl_secret=$(sha256sum "$keystore_dbfs_file" | cut -d' ' -f1)
if [ -z "${sasl_secret}" ]; then
  echo "ERROR: Unable to derive the secret. Failing the script."
  exit 1
fi

# Remaining task from the list above: configure the Spark driver and executor settings to enable encryption.
```
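The following is an added, self-contained version of the three-task init script described above; it is example code, not the Cloudaware page's or Databricks' own script. It assumes the Databricks init-script environment variable DB_HOME (set on every node), the placeholder keystore path `/dbfs/<keystore-directory>/jetty_ssl_driver_keystore.jks`, a local keystore location under `$DB_HOME/keys/` (assumed), and a `KEYSTORE_PASSWORD` environment variable (hypothetical name, intended to be populated from a Databricks secret rather than hardcoded). The property names written to `spark-defaults.conf` are standard Apache Spark settings. It goes beyond the page's script by splitting the work into functions and adding a verification step that fails the script if a required setting is missing or the SASL fallback to unencrypted RPC is still allowed.

```shell
#!/bin/bash
# Added example (not Cloudaware's or Databricks' script). Assumes DB_HOME from the
# Databricks init-script runner, a <keystore-directory> placeholder path in DBFS and
# a KEYSTORE_PASSWORD variable (hypothetical name) populated from a secret.
set -eu
# pipefail is a bash option; enable it only where the shell supports it.
(set -o pipefail 2>/dev/null) && set -o pipefail

# Wait for a file to appear on the DBFS FUSE mount, polling every 2 seconds.
# $1 = path, $2 = maximum number of attempts; returns 1 when the file never shows up.
wait_for_file() {
  file="$1"; attempts="$2"
  while [ ! -f "$file" ]; do
    if [ "$attempts" -eq 0 ]; then
      echo "ERROR: Unable to find the file : $file. Failing the script." >&2
      return 1
    fi
    sleep 2
    attempts=$((attempts - 1))
  done
  return 0
}

# Derive the shared inter-node secret from the keystore bytes: every node reaches the
# same value without the secret ever being typed into the cluster configuration.
derive_secret() {
  secret=$(sha256sum "$1" | cut -d' ' -f1)
  if [ -z "$secret" ]; then
    echo "ERROR: Unable to derive the secret. Failing the script." >&2
    return 1
  fi
  printf '%s\n' "$secret"
}

# Append the Spark encryption settings to a spark-defaults.conf style file.
# $1 = conf file, $2 = shared secret, $3 = keystore path, $4 = keystore password
write_spark_defaults() {
  cat <<EOF >> "$1"
spark.authenticate true
spark.authenticate.secret $2
spark.network.crypto.enabled true
spark.network.crypto.saslFallback false
spark.io.encryption.enabled true
spark.ssl.enabled true
spark.ssl.keyStore $3
spark.ssl.keyStorePassword $4
spark.ssl.keyPassword $4
spark.ssl.protocol TLSv1.3
EOF
}

# Check that a conf file carries every required setting and that the fallback to
# unencrypted RPC is off; returns 1 on the first missing or wrong key.
verify_spark_defaults() {
  for key in spark.authenticate spark.network.crypto.enabled \
             spark.io.encryption.enabled spark.ssl.enabled; do
    grep -q "^$key true$" "$1" || return 1
  done
  grep -q '^spark.network.crypto.saslFallback false$' "$1"
}

main() {
  : "${KEYSTORE_PASSWORD:?KEYSTORE_PASSWORD must be set (e.g. from a Databricks secret)}"
  keystore_dbfs_file="/dbfs/<keystore-directory>/jetty_ssl_driver_keystore.jks"  # placeholder
  local_keystore_file="$DB_HOME/keys/jetty_ssl_driver_keystore.jks"             # assumed location
  conf="$DB_HOME/spark/conf/spark-defaults.conf"                                # assumed location

  wait_for_file "$keystore_dbfs_file" 30
  sasl_secret=$(derive_secret "$keystore_dbfs_file")

  # Copy the keystore to local disk with owner-only permissions before Spark starts.
  mkdir -p "$(dirname "$local_keystore_file")" "$(dirname "$conf")"
  cp "$keystore_dbfs_file" "$local_keystore_file"
  chmod 600 "$local_keystore_file"

  write_spark_defaults "$conf" "$sasl_secret" "$local_keystore_file" "$KEYSTORE_PASSWORD"
  verify_spark_defaults "$conf"
  echo "Configured inter-node encryption in $conf"
}

# Run the configuration only under the Databricks init-script runner, which sets
# DB_HOME; elsewhere the file just defines the functions above.
if [ -n "${DB_HOME:-}" ]; then
  main
fi
```

Because the secret is derived from the keystore contents, rotating the keystore rotates the secret on the next cluster start; the verification function can also be run by hand on a node to confirm the settings survived a restart.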
policy.yaml
Linked Framework Sections
Section | Sub Sections | Internal Rules | Policies | Flags
---|---|---|---|---
CIS Azure v4.0.0 > 3.1.3 Ensure that traffic is encrypted between cluster worker nodes (Manual) | 1 | | |
Cloudaware Framework > Data Encryption | 40 | | |