You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
34,NS-2,Network Security,Public keys for job cluster,-1,High,"Remote SSH access to clusters is discouraged, use web terminal instead",1,1,1,1,0,Check if ssh_public_keys is configured on any job cluster,curl --netrc -X GET \ https://<workspace_url>/api/2.0/jobs/list \ | jq,https://docs.databricks.com/clusters/web-terminal.html,https://learn.microsoft.com/en-us/azure/databricks/clusters/web-terminal,https://docs.gcp.databricks.com/clusters/web-terminal.html
36
36
35,NS-3,Network Security,Front-end private connectivity,-1,High,"Configure private network connectivity for accessing the web application and REST APIs. You can configure AWS PrivateLink, Azure Private Link, or Google Private Service Connect. Note that enabling and requiring front-end private connectivity are different, see the documentation for details.",1,1,1,1,0,Check if private_access_settings_id is set for the workspace,curl -n -X GET 'https://accounts.cloud.databricks.com/api/2.0/accounts/<account_id>/workspaces',https://docs.databricks.com/administration-guide/cloud-configurations/aws/privatelink.html,https://learn.microsoft.com/en-us/azure/databricks/administration-guide/cloud-configurations/azure/private-link,https://cloud.google.com/vpc/docs/private-access-options
37
37
36,NS-4,Network Security,"Workspace uses a customer-managed VPC (AWS, GCP) or enables VNet injection (Azure)",-1,Medium,"Deploy with a customer-managed VPC (AWS, GCP) or use VNet injection (Azure) to help enforce data exfiltration protections",1,1,1,1,0,Check if network_id is set for this workspace,curl -n -X GET 'https://accounts.cloud.databricks.com/api/2.0/accounts/<account_id>/workspaces',https://docs.databricks.com/administration-guide/cloud-configurations/aws/customer-managed-vpc.html,https://learn.microsoft.com/en-us/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject,https://docs.gcp.databricks.com/administration-guide/cloud-configurations/gcp/customer-managed-vpc.html
38
-
37,NS-5,Network Security,IP access lists for workspace access,-1,Medium,Configure IP access lists for workspaces that restrict the IP addresses that can authenticate to help protect against data exfiltration and account takeover,1,1,1,1,0,Check if ip-access-lists are configured and enabled,curl --netrc -X GET \ https://<workspace_url>/api/2.0/ip-access-lists,https://docs.databricks.com/security/network/ip-access-list.html#add-an-ip-access-list,https://learn.microsoft.com/en-us/azure/databricks/administration-guide/access-control/tokens#--set-maximum-lifetime-of-new-tokens-rest-api-only,https://docs.gcp.databricks.com/security/network/ip-access-list.html
38
+
37,NS-5,Network Security,IP access lists for workspace access,-1,Medium,Configure IP access lists for workspaces that restrict the IP addresses that can authenticate to help protect against data exfiltration and account takeover,1,1,1,1,0,Check if ip-access-lists are configured and enabled,curl --netrc -X GET \ https://<workspace_url>/api/2.0/ip-access-lists,https://docs.databricks.com/security/network/ip-access-list.html#add-an-ip-access-list,https://learn.microsoft.com/en-us/azure/databricks/security/network/front-end/ip-access-list,https://docs.gcp.databricks.com/security/network/ip-access-list.html
39
39
38,IA-5,Identity & Access,Maximum lifetime of new tokens to something other than unlimited,-1,Medium,Configure maximum lifetime for all future tokens to a value other than unlimited,1,1,1,1,0,Check workspace-conf for maxTokenLifetimeDays In Workspace setting,curl -n -X GET 'https://<workspace_url>/api/2.0/preview/workspace-conf?keys=maxTokenLifetimeDays',https://docs.databricks.com/administration-guide/access-control/tokens.html#lifetime,https://learn.microsoft.com/en-us/azure/databricks/administration-guide/access-control/tokens#--set-maximum-lifetime-of-new-tokens-rest-api-only,https://docs.gcp.databricks.com/administration-guide/access-control/tokens.html#lifetime
40
40
39,NS-6,Network Security,Secure cluster connectivity (on Azure this is also called NoPublicIp),-1,Medium,"Configure secure cluster connectivity (On Azure, this is called NoPublicIP / NPIP)",0,1,0,1,0,Check if enableNoPublicIp are configured and enabled,curl --netrc -X GET \ https://accounts.azuredatabricks.net/api/2.0/accounts/<account_id>/workspaces,N/A,https://learn.microsoft.com/en-us/azure/databricks/security/secure-cluster-connectivity,
41
41
40,GOV-13,Governance,Enforce User Isolation,-1,Medium,Enforce user isolation cluster types on a workspace,1,1,1,1,0,Check workspace-conf for enforceUserIsolation In Workspace setting,curl -n -X GET 'https://<workspace_url>/api/2.0/preview/workspace-conf?keys= enforceUserIsolation',https://docs.databricks.com/security/enforce-user-isolation.html,https://learn.microsoft.com/en-us/azure/databricks/security/enforce-user-isolation,https://docs.gcp.databricks.com/security/enforce-user-isolation.html
0 commit comments