Data Factory - oWretch/policy GitHub Wiki
Category | Policy | Platform | Landing Zones | Production | Decommissioned | Management | Corp | Connectivity | Sandbox | Identity |
---|---|---|---|---|---|---|---|---|---|---|
Data Factory | Azure data factories should be encrypted with a customer-managed key. Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/adf-cmk. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Data Factory | Azure Data Factory linked services should use Key Vault for storing secrets. To ensure secrets (such as connection strings) are managed securely, require users to provide secrets using an Azure Key Vault instead of specifying them inline in linked services. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Data Factory | Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported. Using a system-assigned managed identity when communicating with data stores via linked services avoids the use of less secure credentials such as passwords or connection strings. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Data Factory | Azure Data Factory should use a Git repository for source control. Configure only your development data factory with Git integration. Changes to test and production should be deployed via CI/CD and should NOT have Git integration. DO NOT apply this policy on your QA / Test / Production data factories. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Data Factory | Configure Data Factories to disable public network access. Disable public network access for your Data Factory so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | Modify Disabled | Modify Disabled | | | | | | | |
Data Factory | Configure private DNS zones for private endpoints that connect to Azure Data Factory. Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to your Azure Data Factory without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Azure Data Factory, see https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | DeployIfNotExists Disabled | | | | | | | | |
Data Factory | Configure private DNS zones for private endpoints that connect to Azure Data Factory. Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to your Azure Data Factory without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Azure Data Factory, see https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | DeployIfNotExists Disabled | | | | | | | | |
Data Factory | Public network access on Azure Data Factory should be disabled. Disabling the public network access property improves security by ensuring your Azure Data Factory can only be accessed from a private endpoint. | Deny Disabled Audit | | | | | | | | |
Data Factory | SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network. Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Category | Policy | Platform | Landing Zones | Production | Decommissioned | Management | Corp | Connectivity | Sandbox | Identity |
---|---|---|---|---|---|---|---|---|---|---|
Data Factory | Configure private DNS zones for private endpoints that connect to Azure Data Factory. Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to your Azure Data Factory without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Azure Data Factory, see https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | `azureDataFactoryPrivateDnsZoneId = --DNSZonePrefix--privatelink.datafactor...` | | | | | | | | |
Data Factory | Configure private DNS zones for private endpoints that connect to Azure Data Factory. Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to your Azure Data Factory without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Azure Data Factory, see https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | `azureDataFactoryPortalPrivateDnsZoneId = --DNSZonePrefix--privatelink.adf.azure.com` | | | | | | | | |