Skip to main content

FAQ

SAT Deployment and Support

  1. Is SAT an officially supported tool?

    The Security Assessment Tool (SAT) is not officially supported by Databricks. It is provided as-is under the Databricks License, with no guarantees or Service Level Agreements (SLAs). Please do not open support tickets for issues related to SAT. Instead, report any problems or feature requests by creating a GitHub Issue on the project's repository. Issues will be reviewed as time permits. All third-party libraries referenced are subject to their respective licenses.

  2. Can I open Databricks support tickets if I encounter issues with SAT?

    Currently, SAT is a self-service tool which is developed and maintained by the Databricks field team. If you encounter any issues, please contact your Databricks account team and submit a GitHub issue on the project's repository.

  3. Can SAT be configured on an independent virtual machine?

    SAT needs to be deployed in one of your Databricks workspaces and run as a workflow. You can trigger the SAT installation process from any machine (preferably Linux) where the Databricks CLI and other prerequisites are available, installed and configured.

  4. Does SAT automatically update once I set up?

    SAT is frequently updated and the latest versions are made available in the official GitHub repository. SAT deployments do not automatically update on their own. To upgrade or update SAT deployments in your environment, you will need to perform the update manually. This design decision is by choice, so that customers have full control on the upgrade process of SAT.

  5. Can SAT make modifications to my workspaces and account?

    SAT is meant to be a read-only analysis tool - it does not make changes to your workspace or account configurations.

  6. I am seeing errors when I run the SAT. How can I validate my SAT configuration?

    There are diagnostic notebooks available to help you verify if your SAT setup has the necessary configurations, permissions, and network paths to run the REST API calls. Please use “Workspace -> Applications -> SAT/TF -> Files -> Notebooks -> Diagnosis” to find the appropriate notebook for your cloud provider.

  7. If SAT is already configured, how do we add/remove other workspaces in the same account/subscription?

    If the service principal configured for SAT has access to any workspaces in the account or subscription, SAT will automatically collect data from those workspaces. To include or exclude workspaces, simply add or remove the service principal from the desired workspaces and rerun the initialization job to update SAT's workspace list.

  8. If a workspace is deleted after the SAT is set up, is there a way to get the initializer to run without error without a full reinstall of the tool?

    To stop assessing a workspace, you can re-run the initializer. This will mark the workspace connection test as failed, and it will no longer be included in future assessments. Alternatively, you can run the removal step to manually remove the workspace from SAT.

  9. I added a new workspace for analysis, re-ran steps under initialize and driver, but the dashboard is not updated with the new workspace in the pulldown even though I see new data generated by the analysis scan for the new workspace in SAT database. What should I do?

    It is likely that the dashboard cached the workspaces in the pulldown. You can go to the SQL view of your workspace -> Queries -> find workspace_ids query and run it. This process should refresh the cache and you should have the new workspaces in the pull-down.

  10. Can I use one deployment of SAT to monitor all my workspaces across different clouds, like AWS and Azure?

    A single SAT deployment in AWS can monitor all workspaces within the same AWS account. Similarly, a single SAT deployment in Azure can monitor all workspaces within the same Azure subscription. Monitoring workspaces across multiple cloud platforms with a single SAT deployment is currently not supported.

  11. Do I need different SAT deployment to monitor workspaces in different regions?

    A single SAT deployment in AWS can monitor all workspaces — regardless of region — within the same AWS account. Similarly, a single SAT deployment in Azure can monitor all workspaces across any region within the same Azure subscription.

  12. Can SAT be integrated with other cloud based monitoring tools?

    This is not currently supported. SAT is a security monitoring tool designed specifically for Databricks workspaces. However, you can use the provided export notebook to extract SAT results, which may be used with other tools as needed.

  13. Is SAT supported on AWS GovCloud?

    SAT is currently not supported on AWS GovCloud.

SAT Checks

  1. Does SAT test for all of the Databricks Security best practices?

    We are continuously improving SAT, with most checks aligned to security best practices. However, not all recommendations are included — some are cloud-specific, and others cannot be automated due to the lack of supporting REST APIs.

  2. What do the severity labels specifically mean on the SAT configs? How does one interpret them?

    The severity levels in the SAT report reflect our general assessment of the potential impact of each check, helping most customers prioritize remediation—starting with those marked as High severity. However, individual organizations should evaluate the relevance of each finding and adjust prioritization based on their specific security requirements.

  3. Can I disable a check for my assessment?

    Yes, this is possible. To modify the security best practices checked by SAT, follow the optional step: Navigate to Workspace > Applications > SAT/TF > Files > Notebooks > Setup > 7. update_sat_check_configuration. Use this notebook to enable or disable checks, and adjust evaluation and alert configuration values. You can update this configuration at any time, and all subsequent analyses will reflect your changes.

SAT Reports

  1. Do we need to address all of the deviations reported by SAT?

    Please review the SAT report with your business stakeholders, administrators, security team and auditors. Assess your organizational security requirements carefully before making changes based on the report - not all deviations require mitigation. Some recommendations may have cost implications, and some of the security recommendations may have dependency limitations. Always thoroughly review the associated feature documentation before modifying your security configurations.

  2. Why are SSO, SCIM, Table ACLs etc not properly reflected in the SAT report?

    There are a few checks that rely on self-assessment due to the lack of REST APIs to automatically check them. Please go to “Workspace -> Applications -> SAT -> Files -> self_assessment_checks.yaml” and ensure the 'enabled' values reflect your environment for the listed manual checks with either true or false. SAT will automatically check the rest of the configurations. Rerun the SAT jobs.