Control Reference

Enhanced Security and Compliance Add-on

HIGHSecurity InfrastructureLow Complexity1-2 hours (plus maintenance window for cluster restarts)

SC-001

Description

Enable the Databricks Enhanced Security and Compliance add-on to activate the Compliance Security Profile (hardened OS image, enforced AWS Nitro instances, TLS 1.2+ egress), Enhanced Security Monitoring agents (OS-level logs delivered to audit S3), and Automatic Cluster Update (automated patching). Required for FedRAMP High; strongly recommended for HIPAA and PCI-DSS.

Prerequisites

▸Unity Catalog enabled (UC-001) — audit log delivery requires UC audit logging foundation
▸Audit log delivery to S3 configured (UC-001) — monitoring agent output goes to the same bucket
▸Signed BAA with Databricks if enabling HIPAA compliance standard
▸Maintenance window planned — enabling triggers immediate cluster restarts
▸Budget approval — this is a paid add-on charged per the Enhanced Security and Compliance pricing