Detections
Analytics

3.1.6 Ensure that usage is restricted and expiry is enforced for Databricks personal access tokens

Information

Databricks personal access tokens (PATs) provide API-based authentication for users and applications. By default, users can generate API tokens without expiration, leading to potential security risks if tokens are leaked, improperly stored, or not rotated regularly.

To mitigate these risks, administrators should:

 - Restrict token creation to approved users and service principals.
 - Enforce expiration policies to prevent long-lived tokens.
 - Monitor token usage and revoke unused or compromised tokens.

Restricting usage and enforcing expiry for personal access tokens reduces exposure to long-lived tokens, minimizes the risk of API abuse if compromised, and aligns with security best practices through controlled issuance and enforced expiry.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Remediate from Azure Portal

Disable personal access tokens:

If your workspace does not require PATs, you can disable them entirely to prevent their use.

 - Navigate to your Azure Databricks workspace.
 - Click the Settings icon and select Admin Console
 - Go to the Advanced tab.
 - Under Personal Access Tokens toggle the setting to Disabled

Databricks CLI:

databricks workspace-conf set-status --json '{"enableTokens": "false"}'

Control who can create and use personal access tokens:

Define which users or groups are authorized to create and utilize PATs.

 - Navigate to your Azure Databricks workspace.
 - Click the Settings icon and select Admin Console
 - Go to the Advanced tab.
 - Click on Personal Access Tokens and then Permissions
 - Assign the appropriate permissions (e.g. No Permissions, Can Use, Can Manage) to users or groups.

Set maximum lifetime for new personal access tokens:

Limit the validity period of new tokens to reduce potential misuse.

Databricks CLI:

databricks workspace-conf set-status --json '{"maxTokenLifetimeDays": "90"}'

Monitor and revoke personal access tokens:

Periodically review active tokens and revoke any that are unnecessary or potentially compromised.

Databricks CLI:

databricks token list databricks token delete --token-id <token-id>

Transition to OAuth for enhanced security:

Utilize OAuth tokens for authentication, offering improved security features over PATs.

Impact:

If revoked improperly, applications relying on these tokens may fail, requiring a remediation plan for token rotation. Increased administrative effort is required to track and manage API tokens effectively.

See Also

https://workbench.cisecurity.org/benchmarks/19304

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-1, 800-53|AC-2, 800-53|AC-2(1), CSCv7|16.7

Plugin: microsoft_azure

Control ID: c427508f3636beba8c6f68906ec904e1b2074cc881fe962c742535e22cee0632