Contents

Chapter 1

Overview

This chapter covers the core features and capabilities of Compliance Automation Suite.

Overview

The Compliance Automation Suite provides production-ready tooling for organizations operating

on Databricks and Azure that must satisfy GDPR, SOC 2 Type II, ISO 27001, and the EU NIS2

Directive. Instead of manually assembling evidence and cross-referencing spreadsheets before

every audit cycle, this suite automates the heavy lifting: continuous control verification,

evidence collection, gap analysis, and audit-readiness reporting.

New in v2.0: The suite now includes a comprehensive operational audit module with 9

automated audit scripts covering catalog inventory, job analysis, secret management, compute

costs, storage security, token hygiene, query history, data lineage, and table permissions.

These operational audits use Python standard library only (no pip dependencies) and

produce HTML and JSON reports with findings mapped to compliance frameworks (GDPR, SOC 2,

ISO 27001, NIS2).

Every script is designed as a Databricks notebook or standalone Python module so it slots

directly into existing lakehouse architectures. The control mappings translate regulatory

language into concrete technical controls you can verify programmatically.


What's Included

Control Mappings (mappings/)

FileDescription
gdpr_databricks_controls.mdGDPR articles mapped to Databricks technical controls
soc2_azure_controls.mdSOC 2 Trust Service Criteria mapped to Azure services
iso27001_controls.mdISO 27001:2022 Annex A controls in spreadsheet format
nis2_checklist.mdNIS2 Directive (EU 2022/2555) compliance checklist

Compliance Audit Scripts (scripts/)

FileDescription
access_control_audit.pyAudit workspace ACLs, group memberships, token lifetimes
encryption_verification.pyVerify encryption at rest, in transit, and key management
data_retention_check.pyCheck data lifecycle against retention policies
audit_log_validation.pyValidate audit log completeness and integrity
network_security_check.pyAssess network security posture and segmentation

Operational Audit Module (audits/) — NEW in v2.0

A self-contained Python package with 9 automated audit scripts, a shared API client,

configuration module, and utility library. Zero pip dependencies — uses only Python

standard library (http.client, ssl, json, csv, logging, etc.).

FileDescription
__init__.pyPackage init with ALL_AUDITS registry and AUDIT_REGISTRY dict
config.pyConfiguration via environment variables, API endpoints, thresholds
utils.pyDatabricksApiClient (stdlib), BaseAudit ABC, Finding dataclass
catalog_inventory.pyUnity Catalog schemas, tables, volumes, data classification gaps
job_inventory.pyJob configurations, schedules, failure rates, permission issues
secret_inventory.pySecret scopes, ACLs, secret age and rotation compliance
compute_analysis.pyCluster sizing, cost analysis, idle clusters, autoscaling gaps
external_storage.pyExternal locations, storage credentials, access patterns
token_inventory.pyPAT tokens, age, expiration status, overprivileged tokens
query_history.pySQL query patterns, expensive queries, warehouse utilization
data_lineage.pyTable-level lineage, cross-catalog dependencies, orphaned tables
table_permissions.pyTable/view grants, overprivileged principals, public access

Each audit produces structured Finding objects with:

  • Severity levels (CRITICAL / HIGH / MEDIUM / LOW / INFO)
  • Risk scores for prioritization
  • Compliance framework references (e.g., "GDPR Art. 32", "SOC2 CC6.1", "ISO27001 A.8.2")
  • Actionable remediation recommendations

Report Generators (reports/)

FileDescription
__init__.pyPackage init exposing HtmlReportGenerator, JsonReportGenerator
html_report.pyProfessional HTML report generator (stdlib string.Template)
json_report.pyMachine-readable JSON report for programmatic consumption
templates/audit_report.htmlHTML template with severity charts, findings tables, recommendations

GDPR Toolkit (gdpr/)

FileDescription
dsr_handler.pyData Subject Request handler (access, portability, erasure)
consent_tracking.pyConsent lifecycle tracking integration pattern
dpia_template.mdData Protection Impact Assessment template
ropa_generator.pyRecords of Processing Activities generator

Templates (templates/)

FileDescription
soc2_evidence_binder.mdSOC 2 evidence binder organized by TSC
audit_preparation.md30-day countdown audit preparation guide
scheduling_guide.mdGuide to scheduling automated audits (cron, ADF, Workflows, GitHub Actions)

Dashboards (dashboards/)

FileDescription
compliance_dashboard.sqlReal-time compliance posture SQL dashboard

Orchestration

FileDescription
run_audit.shShell script to run all 9 operational audits with HTML/JSON reporting

Prerequisites

For Compliance Scripts (scripts/, gdpr/, dashboards/)

  • Databricks Workspace (Premium or Enterprise tier recommended)
  • Azure Subscription with Contributor or Reader access for resource enumeration
  • Python 3.9+ with the following packages:
  • databricks-sdk >= 0.20.0
  • azure-identity >= 1.15.0
  • azure-mgmt-resource >= 23.0.0
  • pyspark (available by default in Databricks Runtime)
  • cryptography >= 41.0.0
  • requests >= 2.31.0
  • Unity Catalog enabled (for fine-grained access auditing)
  • Audit Log Delivery configured to a Delta table or storage account

For Operational Audits (audits/, reports/, run_audit.sh)

  • Python 3.10+ (standard library only — no pip install required)
  • Databricks workspace with a valid API token
  • Unity Catalog enabled (recommended for catalog/lineage/permissions audits)
  • Environment variables: DATABRICKS_HOST, DATABRICKS_TOKEN

Chapter 2

Quick Start

Follow this guide to get Compliance Automation Suite up and running in your environment.

Quick Start

Running Operational Audits (New in v2.0)

The fastest way to get started is with the orchestrator script:

bash
# Set required environment variables
export DATABRICKS_HOST='https://your-workspace.cloud.databricks.com'
export DATABRICKS_TOKEN='dapi_YOUR_TOKEN_HERE'
export AUDIT_COMPANY_NAME='Acme Corp'

# Run all 9 operational audits with both HTML and JSON output
chmod +x run_audit.sh
./run_audit.sh --all --format both

To run a specific audit:

bash
# Run only the token inventory audit
./run_audit.sh --audit token_inventory --format json

# Run only compute analysis
./run_audit.sh --audit compute_analysis --format html

#### Available audit IDs for --audit:

IDDescription
catalog_inventoryUnity Catalog inventory and classification
job_inventoryJob configurations and health analysis
secret_inventorySecret scopes and rotation compliance
compute_analysisCluster sizing and cost optimization
external_storageExternal locations and storage credentials
token_inventoryPAT token hygiene and expiration
query_historySQL query patterns and warehouse costs
data_lineageTable lineage and dependency analysis
table_permissionsTable grants and access control review

#### Running from Python directly:

python
import os
import sys

# Ensure the suite root is on the path
sys.path.insert(0, "/path/to/compliance-automation-suite")

from audits.utils import DatabricksApiClient
from audits import ALL_AUDITS, AUDIT_REGISTRY

# Initialize the API client (reads DATABRICKS_HOST and DATABRICKS_TOKEN from env)
client = DatabricksApiClient()

# Run all audits
for audit_cls in ALL_AUDITS:
    audit = audit_cls(client=client)
    result = audit.execute()
    print(f"{audit.audit_name}: {len(result.get('findings', []))} findings")

# Or run a specific audit
TokenInventory = AUDIT_REGISTRY["token_inventory"]
audit = TokenInventory(client=client)
result = audit.execute()

#### Generating reports programmatically:

python
from reports.html_report import HtmlReportGenerator
from reports.json_report import JsonReportGenerator

# After running audits, generate reports
html_gen = HtmlReportGenerator(output_dir="./output")
html_gen.generate(audit_results=results, company_name="Acme Corp")

json_gen = JsonReportGenerator(output_dir="./output")
json_gen.generate(audit_results=results, company_name="Acme Corp")

Running Compliance Scripts

python
# In a Databricks notebook
%run ./scripts/access_control_audit

auditor = AccessControlAuditor(workspace_url="https://adb-xxxx.azuredatabricks.net")
report = auditor.run_full_audit()
report.to_delta("compliance.access_control_audit_results")

Automate with Workflows

Schedule each audit script as a Databricks Workflow job on a cadence that matches your

compliance requirements:

Compliance scripts:

  • Daily: access_control_audit.py, audit_log_validation.py
  • Weekly: encryption_verification.py, network_security_check.py
  • Monthly: data_retention_check.py

Operational audits:

  • Daily: token_inventory, compute_analysis
  • Weekly: catalog_inventory, job_inventory, secret_inventory, external_storage, query_history, table_permissions
  • Monthly: data_lineage

See templates/scheduling_guide.md for detailed cron, ADF, Databricks Workflows, and

GitHub Actions scheduling examples.

Build the Dashboard

Execute dashboards/compliance_dashboard.sql in Databricks SQL to create a real-time

compliance posture dashboard that aggregates findings from all audit scripts.

Handle DSRs

python
from gdpr.dsr_handler import DSRHandler

handler = DSRHandler(catalog="main", schemas=["production", "analytics"])
results = handler.handle_access_request(subject_id="user@example.com")
handler.export_portable_copy(results, format="json")

Architecture

┌─────────────────────────────────────────────────────────────────────────┐
│                    COMPLIANCE AUTOMATION SUITE v2.0                      │
├──────────────────────────┬──────────────────────────────────────────────┤
│  Compliance Layer        │  Operational Audit Layer (NEW)               │
│                          │                                              │
│  scripts/                │  audits/                                     │
│  ├─ access_control       │  ├─ catalog_inventory                       │
│  ├─ encryption           │  ├─ job_inventory                           │
│  ├─ data_retention       │  ├─ secret_inventory                        │
│  ├─ audit_log            │  ├─ compute_analysis                        │
│  └─ network_security     │  ├─ external_storage                        │
│                          │  ├─ token_inventory                         │
│  gdpr/                   │  ├─ query_history                           │
│  ├─ dsr_handler          │  ├─ data_lineage                            │
│  ├─ consent_tracking     │  └─ table_permissions                       │
│  ├─ dpia_template        │                                              │
│  └─ ropa_generator       │  reports/                                    │
│                          │  ├─ html_report.py                           │
│  mappings/               │  ├─ json_report.py                           │
│  ├─ gdpr_controls        │  └─ templates/audit_report.html              │
│  ├─ soc2_controls        │                                              │
│  ├─ iso27001_controls    │  run_audit.sh (orchestrator)                 │
│  └─ nis2_checklist       │                                              │
├──────────────────────────┴──────────────────────────────────────────────┤
│  Shared Infrastructure                                                   │
│  ├─ Control Mappings → Framework references on every finding             │
│  ├─ Delta Lake Tables → Persistent findings store                        │
│  ├─ SQL Dashboard → Real-time compliance posture                         │
│  └─ Evidence Binder → Audit-ready documentation                          │
└─────────────────────────────────────────────────────────────────────────┘

How the layers work together

1. Operational audits discover your actual infrastructure state (what exists, how it's

configured, what's at risk)

2. Compliance scripts verify that infrastructure meets regulatory requirements (is

encryption enabled? are logs retained long enough?)

3. Control mappings tie both layers back to specific regulatory articles and controls

4. Reports present findings with compliance framework references for auditor consumption

5. Dashboard provides a real-time compliance posture view


Configuration

Operational Audit Configuration

The operational audit module is configured via environment variables. All settings have

sensible defaults. See audits/config.py for the complete reference.

VariableDefaultDescription
DATABRICKS_HOST*(required)*Workspace URL (e.g., https://adb-xxxx.azuredatabricks.net)
DATABRICKS_TOKEN*(required)*API token (PAT or service principal)
AUDIT_OUTPUT_DIR./outputDirectory for report output
AUDIT_LOG_LEVELINFOLogging level (DEBUG, INFO, WARNING, ERROR)
AUDIT_COMPANY_NAMEOrganizationCompany name for reports
AUDIT_TOKEN_MAX_AGE_DAYS90Maximum acceptable PAT age
AUDIT_CLUSTER_MAX_IDLE_MINUTES60Maximum acceptable cluster idle time
AUDIT_SQL_HISTORY_LOOKBACK_DAYS30How far back to analyze SQL history

Compliance Script Configuration

All compliance scripts accept configuration via environment variables or a

compliance_config.json file placed in the workspace root:

json
{
  "workspace_url": "https://adb-xxxx.azuredatabricks.net",
  "catalog": "main",
  "findings_schema": "compliance",
  "retention_policy_table": "compliance.retention_policies",
  "alert_webhook_url": "https://hooks.example.com/services/YOUR_WEBHOOK_HERE",
  "max_token_lifetime_days": 90,
  "required_encryption_algorithm": "AES-256",
  "audit_log_retention_days": 365
}

Chapter 3
🔒 Available in full product

Compliance Frameworks Covered

Chapter 4
🔒 Available in full product

License

You’ve reached the end of the free preview

Get the full Compliance Automation Suite and unlock everything.

All Chapters

Get the complete guide with every chapter unlocked, including code samples, diagrams, and best practices.

Full Tool Suite

Access all interactive tools with complete data, all workload profiles, and the full scenario library.

Source Files

Downloadable source code, configuration files, and working examples from every chapter.

Lifetime Updates

Free updates for life. Every new chapter, tool, and improvement included.

Buy Now — $89 →
📦 Free sample included — download another copy for the full product.
Compliance Automation Suite v1.0.0 — Free Preview