Ensure data exfiltration protection is enabled for Azure Synapse Workspace

MEDIUM

Description

When creating a new Azure Synapse workspace, data exfiltration protection can be enabled. It requires a managed virtual network, and it restricts outbound traffic from the workspace (including the dedicated SQL pools) to approved targets reached through managed private endpoints, so that only authorized destinations can receive data. Disallowing public access is typically considered best practice, and this setting provides an extra layer of protection on top of it.

Remediation

Because the data exfiltration protection feature depends on a managed virtual network, the workspace's data exfiltration setting cannot be changed after the workspace is created; a new workspace must be created with the feature enabled. To do so, follow the steps below.

In Azure Console -

  1. Open the Azure Portal and go to Synapse Analytics.
  2. Create a new workspace.
  3. On the Network tab, set Managed virtual network to Enabled.
  4. Set Allow outbound data traffic only to approved targets to Yes and configure as needed.

In Terraform -

  1. In the azurerm_synapse_workspace resource, set data_exfiltration_protection_enabled to true.
  2. Set managed_virtual_network_enabled to true.
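The following Terraform configuration is an added example for this rule, not code taken from the rule text or from the azurerm provider documentation. It shows an `azurerm_synapse_workspace` that would fail the check beside one that passes it. All names, the resource group, the Data Lake filesystem reference and the administrator credentials are placeholder assumptions; `public_network_access_enabled` is included as an additional hardening step that goes slightly beyond the two arguments the rule requires.

```hcl
# Added example: a non-compliant workspace next to a compliant one.
# Resource names, locations and the storage references are placeholders.

resource "azurerm_resource_group" "example" {
  name     = "rg-synapse-example"   # placeholder
  location = "westeurope"           # placeholder
}

# Placeholder for the Data Lake Gen2 filesystem a Synapse workspace needs.
# In a real deployment this would reference an existing storage account.
variable "datalake_filesystem_id" {
  type        = string
  description = "ID of the ADLS Gen2 filesystem backing the workspace (placeholder)."
}

variable "sql_admin_password" {
  type      = string
  sensitive = true
}

# FAILS AC_AZURE_0345: no managed virtual network, so outbound traffic from
# the workspace is unrestricted and data_exfiltration_protection_enabled
# defaults to false.
resource "azurerm_synapse_workspace" "noncompliant" {
  name                                 = "synw-noncompliant-example"   # placeholder
  resource_group_name                  = azurerm_resource_group.example.name
  location                             = azurerm_resource_group.example.location
  storage_data_lake_gen2_filesystem_id = var.datalake_filesystem_id
  sql_administrator_login              = "sqladminuser"                # placeholder
  sql_administrator_login_password     = var.sql_admin_password

  identity {
    type = "SystemAssigned"
  }
}

# PASSES AC_AZURE_0345: the managed virtual network is enabled and outbound
# data traffic is limited to approved targets via managed private endpoints.
# Both arguments force replacement of the workspace, which is why the rule's
# remediation says a new resource must be created.
resource "azurerm_synapse_workspace" "compliant" {
  name                                 = "synw-compliant-example"      # placeholder
  resource_group_name                  = azurerm_resource_group.example.name
  location                             = azurerm_resource_group.example.location
  storage_data_lake_gen2_filesystem_id = var.datalake_filesystem_id
  sql_administrator_login              = "sqladminuser"                # placeholder
  sql_administrator_login_password     = var.sql_admin_password

  managed_virtual_network_enabled      = true   # required by the setting below
  data_exfiltration_protection_enabled = true   # the control this rule checks

  # Extra hardening, not required by the rule itself: keep the workspace
  # off the public internet so access comes only through private endpoints.
  public_network_access_enabled = false

  identity {
    type = "SystemAssigned"
  }
}
```

Running `terraform plan` after flipping either of the two flagged arguments on an existing workspace shows the resource scheduled for replacement rather than an in-place update, which is the practical consequence of the "cannot be changed after creation" note above.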

References:
https://learn.microsoft.com/en-us/azure/synapse-analytics/security/workspace-data-exfiltration-protection
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/synapse_workspace#data_exfiltration_protection_enabled

Policy Details

Rule Reference ID: AC_AZURE_0345
CSP: Azure
Remediation Available: Yes
Resource Category: Analytics
Resource Type: Synapse

Frameworks