Unencrypted Data Lake Store accounts
ID | data_lake_store_encryption
Severity | high
Vendor | Azure
Resource | Data Lake Store
Tags | reachable
Description
Azure Data Lake Store accounts should have encryption enabled.
This check applies to Azure Data Lake Storage Gen1 accounts, i.e. the ARM resource type Microsoft.DataLakeStore/accounts. Data Lake Storage Gen1 supports encryption of data both in transit and at rest. For data at rest it offers "on by default", transparent encryption: a new account is encrypted with a service-managed key unless the template or creation request explicitly sets encryptionState to Disabled (or encryptionConfig selects a user-managed Key Vault key). Because the encryption settings of a Gen1 account are fixed at creation time, an account that was created with encryption disabled cannot be fixed in place; it has to be recreated with encryption enabled and its data copied over.
Azure Data Lake Storage Gen2 is a different service: a set of capabilities dedicated to big data analytics, built on Azure Blob Storage, that converges the capabilities of Gen1 with Blob Storage. Data at rest in Gen2 is always encrypted by Azure Storage encryption, which cannot be turned off, so this check does not apply to Gen2 accounts. Data Lake Storage Gen1 was retired on 29 February 2024, and Microsoft recommends migrating remaining workloads to Gen2.
See Securing data store credentials to learn more about this flaw.
Examples
ARM
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.DataLakeStore/accounts",
"apiVersion": "2016-11-01",
"name": "bad", (1)
"location": "[parameters('location')]",
"properties": {
"encryptionState": "Disabled"
}
}
]
}
1 | The Data Lake Store account sets encryptionState to Disabled, so data at rest is stored unencrypted, and this cannot be changed after the account is created. |
Mitigation / Fix
Buildtime
ARM
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.DataLakeStore/accounts",
"apiVersion": "2016-11-01",
"name": "good", (1)
"location": "[parameters('location')]",
"properties": {
"encryptionState": "Enabled"
}
}
]
}
1 | The Data Lake Store account sets encryptionState to Enabled (the service default when the property is omitted), so data at rest is encrypted with a service-managed key unless encryptionConfig selects a user-managed Key Vault key. |
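The following is an added example of the buildtime detection logic behind this check, written for this page; it is not the scanner's own implementation. It walks an ARM template (including child resources and templates nested inside Microsoft.Resources/deployments), finds every Microsoft.DataLakeStore/accounts resource and classifies its encryptionState. It goes slightly beyond the two templates above: an omitted property is treated as passing because the Gen1 service defaults to Enabled, and a value that is an ARM expression is reported as "unknown" for manual review instead of being silently passed. The sample template, the account names (bad, good, defaulted, parameterised, inner, nested-bad) and the location are constructed for the example.

```python
"""Static check for ARM templates: flag Data Lake Storage Gen1 accounts
(Microsoft.DataLakeStore/accounts) whose encryptionState is "Disabled".
Added example for this page; not part of any scanner's own code."""
import json

DLS_TYPE = "microsoft.datalakestore/accounts"


def iter_resources(resources):
    """Yield every resource in an ARM resources array, descending into
    child resources and into the template of nested
    Microsoft.Resources/deployments resources."""
    for res in resources or []:
        yield res
        yield from iter_resources(res.get("resources"))
        nested = (res.get("properties") or {}).get("template") or {}
        yield from iter_resources(nested.get("resources"))


def classify_state(state):
    """Map an encryptionState value to "pass", "fail" or "unknown".

    The Gen1 service defaults to Enabled when the property is omitted, so
    only an explicit "Disabled" fails. An ARM expression such as
    "[parameters('encryptionState')]" cannot be resolved statically and is
    reported as unknown for manual review rather than silently passed
    ("[[" is the ARM escape for a literal opening bracket, not an expression)."""
    if state is None:
        return "pass"
    if not isinstance(state, str):
        return "unknown"
    if state.startswith("[") and not state.startswith("[["):
        return "unknown"
    value = state.lower()
    if value == "disabled":
        return "fail"
    if value == "enabled":
        return "pass"
    return "unknown"


def check_template(template):
    """Return [(resource name, encryptionState, verdict)] for every
    Data Lake Store account found in the template."""
    findings = []
    for res in iter_resources(template.get("resources")):
        if str(res.get("type", "")).lower() != DLS_TYPE:
            continue
        state = (res.get("properties") or {}).get("encryptionState")
        findings.append((res.get("name"), state, classify_state(state)))
    return findings


# Constructed sample template (hypothetical names and location) covering the
# page's bad/good accounts plus cases a real template throws up: an omitted
# property, a parameterised value, and an account inside a nested deployment.
SAMPLE_TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {"type": "Microsoft.DataLakeStore/accounts", "apiVersion": "2016-11-01",
     "name": "bad", "location": "eastus2",
     "properties": {"encryptionState": "Disabled"}},
    {"type": "Microsoft.DataLakeStore/accounts", "apiVersion": "2016-11-01",
     "name": "good", "location": "eastus2",
     "properties": {"encryptionState": "Enabled"}},
    {"type": "Microsoft.DataLakeStore/accounts", "apiVersion": "2016-11-01",
     "name": "defaulted", "location": "eastus2", "properties": {}},
    {"type": "Microsoft.DataLakeStore/accounts", "apiVersion": "2016-11-01",
     "name": "parameterised", "location": "eastus2",
     "properties": {"encryptionState": "[parameters('encryptionState')]"}},
    {"type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01",
     "name": "inner",
     "properties": {"mode": "Incremental",
                    "template": {
                      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                      "contentVersion": "1.0.0.0",
                      "resources": [
                        {"type": "microsoft.datalakestore/accounts",
                         "apiVersion": "2016-11-01",
                         "name": "nested-bad", "location": "eastus2",
                         "properties": {"encryptionState": "disabled"}}
                      ]}}}
  ]
}
""")

if __name__ == "__main__":
    for name, state, verdict in check_template(SAMPLE_TEMPLATE):
        print(f"{verdict:7s} {name}: encryptionState={state!r}")
```

Resource types and the Enabled/Disabled values are compared case-insensitively because ARM accepts either casing. For an account that is already deployed, the same property can be read at runtime from `az dls account show`; since it cannot be changed after creation, a "fail" at buildtime is the cheap place to catch it.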