Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
Disabling public network access ensures your Cosmos DB account isn't exposed to the public internet.
Risk Level: High
Cloud Entity: Azure Cosmos DB
CloudGuard Rule ID: D9.AZU.NET.62
Covered by Spectral: Yes
Category: Database
GSL LOGIC
CosmosDbAccount should have publicNetworkAccess='Disabled'
REMEDIATION
From TF
Set the 'public_network_access_enabled' argument to 'false':
resource "azurerm_cosmosdb_account" "db" {
..
public_network_access_enabled = false
..
}
From Command Line
Run
az cosmosdb update --name COSMOS DB DATABASE ACCOUNT --resource-group RESOURCE GROUP --enable-public-network false
References
- https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_account#public_network_access_enabled
Azure Cosmos DB
Azure Cosmos DB is a fully managed database service with turnkey global distribution and transparent multi-master replication. You can run globally distributed, low-latency operational and analytics workloads and AI on transactional data within your database.
Compliance Frameworks
- Azure CIS Foundations v. 1.5.0
- Azure CIS Foundations v.2.0
- Azure CSA CCM v.4.0.1
- Azure CloudGuard Best Practices
- Azure HITRUST v9.5.0
- Azure NIST 800-53 Rev 5
- CloudGuard Azure All Rules Ruleset
Updated over 1 year ago