Synapse - oWretch/policy GitHub Wiki

Policy Effects by Policy

Category Policy Platform Landing Zones Production Decommissioned Management Corp Connectivity Sandbox Identity
Synapse Azure Synapse Workspace SQL Server should be running TLS version 1.2 or newer
Setting TLS version to 1.2 or newer improves security by ensuring your Azure Synapse workspace SQL server can only be accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.
Deny
Disabled
Audit
Synapse Azure Synapse workspaces should allow outbound data traffic only to approved targets
Increase security of your Synapse workspace by allowing outbound data traffic only to approved targets. This helps prevent data exfiltration by validating the target before data is sent.
Deny
Disabled
Audit
Deny
Disabled
Audit
Synapse Azure Synapse workspaces should disable public network access
Disabling public network access improves security by ensuring that the Synapse workspace isn't exposed on the public internet. Creating private endpoints can limit exposure of your Synapse workspaces. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/connectivity-settings.
Deny
Disabled
Audit
Synapse Azure Synapse workspaces should use customer-managed keys to encrypt data at rest
Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.
Deny
Disabled
Audit
Deny
Disabled
Audit
Synapse Configure Azure Synapse Workspace Dedicated SQL minimum TLS version
Customers can raise or lower the minimum TLS version using the API, for both new and existing Synapse workspaces. Users who need to connect with a lower client TLS version can still do so, while users with stricter security requirements can raise the minimum TLS version. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/connectivity-settings.
Modify
Disabled
Modify
Disabled
Synapse Configure Azure Synapse workspaces to disable public network access
Disable public network access for your Synapse workspace so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/connectivity-settings.
Modify
Disabled
Modify
Disabled
Synapse Configure Azure Synapse workspaces to use private DNS zones
Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to the Azure Synapse workspace. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-from-restricted-network#appendix-dns-registration-for-private-endpoint.
DeployIfNotExists
Disabled
Synapse Configure Azure Synapse workspaces to use private DNS zones
Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to the Azure Synapse workspace. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-from-restricted-network#appendix-dns-registration-for-private-endpoint.
DeployIfNotExists
Disabled
Synapse Configure Azure Synapse workspaces to use private DNS zones
Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to the Azure Synapse workspace. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-from-restricted-network#appendix-dns-registration-for-private-endpoint.
DeployIfNotExists
Disabled
Synapse Configure Synapse Workspaces to use only Microsoft Entra identities for authentication during workspace creation
Require and reconfigure Synapse Workspaces to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse.
Modify
Disabled
Modify
Disabled
Synapse IP firewall rules on Azure Synapse workspaces should be removed
Removing all IP firewall rules improves security by ensuring your Azure Synapse workspace can only be accessed from a private endpoint. This configuration audits creation of firewall rules that allow public network access on the workspace.
Audit
Disabled
Audit
Disabled
Synapse Managed workspace virtual network on Azure Synapse workspaces should be enabled
Enabling a managed workspace virtual network ensures that your workspace is network isolated from other workspaces. Data integration and Spark resources deployed in this virtual network also provide user-level isolation for Spark activities.
Deny
Disabled
Audit
Deny
Disabled
Audit
Synapse Synapse managed private endpoints should only connect to resources in approved Azure Active Directory tenants
Protect your Synapse workspace by only allowing connections to resources in approved Azure Active Directory (Azure AD) tenants. The approved Azure AD tenants can be defined during policy assignment.
Deny
Disabled
Audit
Deny
Disabled
Audit
Synapse Synapse Workspaces should have Microsoft Entra-only authentication enabled
Require Synapse Workspaces to use Microsoft Entra-only authentication. This policy doesn't block workspaces from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse.
Audit
Deny
Disabled
Synapse Synapse Workspaces should use only Microsoft Entra identities for authentication during workspace creation
Require Synapse Workspaces to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse.
Deny
Disabled
Audit
Deny
Disabled
Audit
Audit
Deny
Disabled

Policy Parameters by Policy

Category Policy Platform Landing Zones Production Decommissioned Management Corp Connectivity Sandbox Identity
Synapse Configure Azure Synapse workspaces to use private DNS zones
Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to the Azure Synapse workspace. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-from-restricted-network#appendix-dns-registration-for-private-endpoint.
azureSynapseDevPrivateDnsZoneId = --DNSZonePrefix--privatelink.dev.azures...
Synapse Configure Azure Synapse workspaces to use private DNS zones
Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to the Azure Synapse workspace. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-from-restricted-network#appendix-dns-registration-for-private-endpoint.
azureSynapseSQLODPrivateDnsZoneId = --DNSZonePrefix--privatelink.sql.azures...
Synapse Configure Azure Synapse workspaces to use private DNS zones
Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to the Azure Synapse workspace. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-from-restricted-network#appendix-dns-registration-for-private-endpoint.
azureSynapseSQLPrivateDnsZoneId = --DNSZonePrefix--privatelink.sql.azures...
Synapse Synapse managed private endpoints should only connect to resources in approved Azure Active Directory tenants
Protect your Synapse workspace by only allowing connections to resources in approved Azure Active Directory (Azure AD) tenants. The approved Azure AD tenants can be defined during policy assignment.
synapseAllowedTenantIds = ["[subscription().tenantId]"] synapseAllowedTenantIds = ["[subscription().tenantId]"]