Ensure system-assigned managed identity authentication is used for Azure Data Factory

MEDIUM

Description

Azure Data Factory instances that do not use a system-assigned managed identity must authenticate to linked services and other Azure resources with stored credentials such as passwords, account keys, or connection strings. Those secrets have to be kept inside the factory configuration or a key vault and can be leaked or reused; a managed identity has no credential to store and is authorized through Azure RBAC instead.

Remediation

Microsoft provides detailed guidance on creating and using managed identities with Microsoft Entra ID (Azure Active Directory) for Data Factory. See the Azure documentation referenced below for the prerequisites and for enabling the identity on the service. Once the identity is enabled, grant it the roles it needs on the target resources and switch linked services to managed identity authentication; the same configuration can be expressed in Terraform.

In Azure Console -

  1. Open the Azure Portal and go to Data factories.
  2. Select the Data factory you wish to edit.
  3. Under Settings, choose Managed identities.
  4. On the System assigned tab, set Status to On and select Save. Then grant the identity access to the resources the factory must reach (for example with a role assignment on the target storage account) and update the linked services to use managed identity authentication.

In Terraform -

  1. In the azurerm_data_factory resource, add an identity block.
  2. Set type to "SystemAssigned". The identity_ids argument is only used when type includes UserAssigned and is not needed for a system-assigned identity alone.
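The following Terraform configuration is an added example and is not code from this policy page or from the azurerm provider documentation. It shows the non-compliant shape (no identity block) next to the compliant one and goes one step further than the remediation steps above: it authorizes the factory's system-assigned identity on a storage account with an RBAC role assignment and defines a blob storage linked service that authenticates with that identity, so no connection string is stored in the factory. The resource group, factory, storage account and linked service names are assumed placeholders.

```hcl
# Added example (not from the page or the azurerm provider docs). Names such as
# "rg-adf-example", "adf-example" and "stadfexample" are assumed placeholders.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "rg-adf-example"
  location = "West Europe"
}

# NON-COMPLIANT (flagged by this rule): no identity block, so every linked
# service has to carry a stored secret such as a connection string or key.
# resource "azurerm_data_factory" "insecure" {
#   name                = "adf-insecure"
#   location            = azurerm_resource_group.example.location
#   resource_group_name = azurerm_resource_group.example.name
# }

# COMPLIANT: the factory is created with a system-assigned managed identity.
resource "azurerm_data_factory" "example" {
  name                = "adf-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_storage_account" "example" {
  name                     = "stadfexample"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

# Authorize the factory's identity with RBAC instead of handing it an account key.
resource "azurerm_role_assignment" "adf_blob_reader" {
  scope                = azurerm_storage_account.example.id
  role_definition_name = "Storage Blob Data Reader"
  principal_id         = azurerm_data_factory.example.identity[0].principal_id
}

# Linked service that authenticates with the managed identity; no
# connection_string or SAS token is stored in the factory.
resource "azurerm_data_factory_linked_service_azure_blob_storage" "example" {
  name                 = "ls-blob-mi"
  data_factory_id      = azurerm_data_factory.example.id
  service_endpoint     = azurerm_storage_account.example.primary_blob_endpoint
  use_managed_identity = true
  depends_on           = [azurerm_role_assignment.adf_blob_reader]
}

# The principal ID is what you reference when granting further role assignments.
output "data_factory_principal_id" {
  value = azurerm_data_factory.example.identity[0].principal_id
}
```

After `terraform apply`, the factory's identity appears in the portal under Settings, Managed identities, with Status On. Keep linked services on managed identity authentication (use_managed_identity = true, or the equivalent per connector) rather than adding a connection_string back in; the identity alone does not fix anything if the linked services still embed secrets.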

References:
https://learn.microsoft.com/en-us/azure/data-factory/data-factory-service-identity
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/data_factory#identity

Policy Details

Rule Reference ID: AC_AZURE_0253
CSP: Azure
Remediation Available: Yes
Resource Category: Analytics
Resource Type: Data Factory

Frameworks