Azure Databricks Workspaces not using customer-managed key for root DBFS encryption
Description
This policy checks whether Databricks Workspaces use a customer-managed key for root DBFS encryption. DBFS (Databricks File System) is the distributed file system used by Databricks clusters. Encrypting the root DBFS adds an extra layer of protection: without access to the key, data read from the underlying storage cannot be decrypted, even by a party that has gained unauthorized access to it. Customer-managed keys strengthen this posture by putting the key and its lifecycle under your control rather than the platform's.
Code Example
```hcl
resource "azurerm_databricks_workspace" "databricks_workspace_good" {
  ...
  customer_managed_key_enabled = true
}

resource "azurerm_databricks_workspace_root_dbfs_customer_managed_key" "databricks_workspace_good" {
  workspace_id     = azurerm_databricks_workspace.databricks_workspace_good.id
  key_vault_key_id = "123456"
}
```
Remediation
Terraform
- Resource: azurerm_databricks_workspace, azurerm_databricks_workspace_root_dbfs_customer_managed_key
- Arguments: sku, customer_managed_key_enabled
Set the `customer_managed_key_enabled` attribute to `true` during Azure Databricks workspace creation, and attach an `azurerm_databricks_workspace_root_dbfs_customer_managed_key` resource that references the workspace ID and the Key Vault key. Together these enable customer-managed key encryption for your DBFS root data at rest. The `sku` argument is listed because customer-managed keys are only available on the `premium` SKU.
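As an added illustration of the check this policy performs (written for this page, not Checkov's own implementation), the following scrapes resources out of a constructed Terraform sample and passes a workspace only when it both sets `customer_managed_key_enabled = true` and is bound by a root-DBFS CMK resource; the resource names and the `azurerm_key_vault_key.dbfs` reference are assumptions.

```python
import re

# Constructed sample Terraform (not from the page): one compliant workspace
# and one that leaves the DBFS root on platform-managed keys.
SAMPLE_TF = """
resource "azurerm_databricks_workspace" "good" {
  name                         = "dbw-good"
  sku                          = "premium"
  customer_managed_key_enabled = true
}

resource "azurerm_databricks_workspace_root_dbfs_customer_managed_key" "good" {
  workspace_id     = azurerm_databricks_workspace.good.id
  key_vault_key_id = azurerm_key_vault_key.dbfs.id
}

resource "azurerm_databricks_workspace" "bad" {
  name = "dbw-bad"
  sku  = "premium"
}
"""

# Minimal HCL scrape: top-level resource blocks and their simple "key = value" attributes.
RESOURCE_RE = re.compile(
    r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)^\}',
    re.S | re.M,
)
ATTR_RE = re.compile(r'^\s*(?P<key>\w+)\s*=\s*(?P<val>[^\n#]+)', re.M)


def parse_resources(tf: str) -> list[dict]:
    """Return [{type, name, attrs}] for every resource block in the HCL text."""
    out = []
    for m in RESOURCE_RE.finditer(tf):
        attrs = {a["key"]: a["val"].strip().strip('"') for a in ATTR_RE.finditer(m["body"])}
        out.append({"type": m["type"], "name": m["name"], "attrs": attrs})
    return out


def check_dbfs_cmk(tf: str) -> dict[str, str]:
    """Map each workspace name to PASSED/FAILED per the root-DBFS CMK policy."""
    resources = parse_resources(tf)
    # Workspace references that a root-DBFS CMK resource is bound to.
    bound = {r["attrs"].get("workspace_id", "") for r in resources
             if r["type"] == "azurerm_databricks_workspace_root_dbfs_customer_managed_key"}
    results = {}
    for r in resources:
        if r["type"] != "azurerm_databricks_workspace":
            continue
        enabled = r["attrs"].get("customer_managed_key_enabled", "false").lower() == "true"
        linked = f'azurerm_databricks_workspace.{r["name"]}.id' in bound
        results[r["name"]] = "PASSED" if enabled and linked else "FAILED"
    return results
```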
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0805 |
| Severity | LOW |
| IaC Type | arm |
| Frameworks | Terraform, TerraformPlan, ARM, Bicep |
| Checkov ID | CKV2_AZURE_48 |