Risk Level: High
Cloud Entity: Azure Cosmos DB
CloudGuard Rule ID: D9.AZU.NET.62
Covered by Spectral: Yes
Category: Database

GSL LOGIC

CosmosDbAccount should have publicNetworkAccess='Disabled'

REMEDIATION

From TF
Set the 'public_network_access_enabled' argument to 'false':

resource "azurerm_cosmosdb_account" "db" {
	..
	public_network_access_enabled = false
	..
}

From Command Line
Run

az cosmosdb update --name COSMOS DB DATABASE ACCOUNT --resource-group  RESOURCE GROUP --enable-public-network false

References

Azure Cosmos DB

Azure Cosmos DB is a fully managed database service with turnkey global distribution and transparent multi-master replication. You can run globally distributed, low-latency operational and analytics workloads and AI on transactional data within your database.

Compliance Frameworks

Azure CIS Foundations v. 1.5.0
Azure CIS Foundations v.2.0
Azure CSA CCM v.4.0.1
Azure CloudGuard Best Practices
Azure HITRUST v9.5.0
Azure NIST 800-53 Rev 5
CloudGuard Azure All Rules Ruleset