Azure Synapse Workspace vulnerability assessment is disabled
Description
This policy checks whether the 'Vulnerability Assessment' setting is disabled for an Azure Synapse workspace. Vulnerability Assessment scans the workspace's SQL pools for known security weaknesses and reports deviations from best practice, including misconfigurations, excessive permissions, and unprotected sensitive data. It is recommended to enable Vulnerability Assessment, with recurring scans, on every Synapse workspace. In Terraform the assessment is attached to the workspace's security alert policy, so the policy must exist and be enabled for the assessment to take effect.
Code Example
```hcl
resource "azurerm_synapse_workspace" "synapse_ws_pass_1" {
  ...
}

resource "azurerm_synapse_workspace_security_alert_policy" "synapse_ws_policy_1" {
  synapse_workspace_id = azurerm_synapse_workspace.synapse_ws_pass_1.id
  policy_state         = "Enabled"
  ...
}

resource "azurerm_synapse_workspace_vulnerability_assessment" "va_pass" {
  workspace_security_alert_policy_id = azurerm_synapse_workspace_security_alert_policy.synapse_ws_policy_1.id
  ...
  recurring_scans {
    enabled = true
  }
}
```
Remediation
Terraform
- Resource: azurerm_synapse_workspace, azurerm_synapse_workspace_security_alert_policy, azurerm_synapse_workspace_vulnerability_assessment
- Arguments: workspace_security_alert_policy_id (on azurerm_synapse_workspace_vulnerability_assessment), recurring_scans.enabled
To fix this issue, create an azurerm_synapse_workspace_security_alert_policy for the workspace with policy_state = "Enabled", then add an azurerm_synapse_workspace_vulnerability_assessment whose workspace_security_alert_policy_id references that policy, with recurring_scans { enabled = true }. The assessment resource also requires a storage_container_path where scan results are written, so provision a storage container for it. A workspace with no linked vulnerability assessment resource, or one whose recurring scans are disabled, fails this check.
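The following is an added, complete Terraform configuration that satisfies this check end to end; it is not part of the original page. It wires the three resources together and provisions the storage that the security alert policy and the vulnerability assessment write to. All names, the resource group, the region, and the notification address are assumptions chosen for illustration; the SQL administrator password is supplied through a sensitive variable rather than hard-coded.

```hcl
# Added example (not from the original page): Synapse workspace with
# Vulnerability Assessment enabled. Names, region and e-mail address are assumed.

variable "sql_admin_password" {
  type      = string
  sensitive = true # never commit the value; pass it via TF_VAR_sql_admin_password
}

resource "azurerm_resource_group" "example" {
  name     = "rg-synapse-va-example" # assumed name
  location = "westeurope"            # assumed region
}

# Data Lake Gen2 account that backs the Synapse workspace itself.
resource "azurerm_storage_account" "datalake" {
  name                     = "stsynapsedatalakeexmpl" # assumed, must be globally unique
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  account_kind             = "StorageV2"
  is_hns_enabled           = true
}

resource "azurerm_storage_data_lake_gen2_filesystem" "datalake" {
  name               = "synapsefs"
  storage_account_id = azurerm_storage_account.datalake.id
}

resource "azurerm_synapse_workspace" "example" {
  name                                 = "synapse-ws-va-example" # assumed name
  resource_group_name                  = azurerm_resource_group.example.name
  location                             = azurerm_resource_group.example.location
  storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.datalake.id
  sql_administrator_login              = "sqladminuser"
  sql_administrator_login_password     = var.sql_admin_password

  identity {
    type = "SystemAssigned"
  }
}

# Separate account for threat-detection logs and scan results, kept apart from
# the data lake so audit output does not share access paths with workspace data.
resource "azurerm_storage_account" "audit" {
  name                     = "stsynapseauditexmpl" # assumed, must be globally unique
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_storage_container" "va_scans" {
  name                  = "vulnerability-assessment"
  storage_account_name  = azurerm_storage_account.audit.name
  container_access_type = "private"
}

# Step 1: the security alert policy must exist and be Enabled; the
# vulnerability assessment is attached to it, not directly to the workspace.
resource "azurerm_synapse_workspace_security_alert_policy" "example" {
  synapse_workspace_id       = azurerm_synapse_workspace.example.id
  policy_state               = "Enabled"
  storage_endpoint           = azurerm_storage_account.audit.primary_blob_endpoint
  storage_account_access_key = azurerm_storage_account.audit.primary_access_key
  retention_days             = 90
}

# Step 2: the vulnerability assessment, linked through
# workspace_security_alert_policy_id, with recurring scans switched on.
# Omitting this resource, or setting recurring_scans.enabled = false,
# is what causes the check to fail.
resource "azurerm_synapse_workspace_vulnerability_assessment" "example" {
  workspace_security_alert_policy_id = azurerm_synapse_workspace_security_alert_policy.example.id
  storage_container_path             = "${azurerm_storage_account.audit.primary_blob_endpoint}${azurerm_storage_container.va_scans.name}/"
  storage_account_access_key         = azurerm_storage_account.audit.primary_access_key

  recurring_scans {
    enabled                           = true
    email_subscription_admins_enabled = true
    emails                            = ["secops@example.com"] # assumed address
  }
}
```

To confirm the configuration passes before applying it, run Checkov against the directory and restrict it to this rule: `checkov -d . --check CKV2_AZURE_46`. Removing the azurerm_synapse_workspace_vulnerability_assessment block, or flipping `enabled` to `false`, should turn the result from PASSED to FAILED.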
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0803 |
| Severity | MEDIUM |
| IaC Type | arm |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_AZURE_46 |