Ensure Cosmos DB account access is not allowed from all networks

Azure Cosmos DB supports IP-based access controls for inbound firewall support. Allowing access from selected networks only provides an additional level of security to your database.

Risk Level: High
Cloud Entity: Azure Cosmos DB
CloudGuard Rule ID: D9.AZU.NET.63
Covered by Spectral: Yes
Category: Database

GSL LOGIC

CosmosDbAccount should not have ( publicNetworkAccess='Enabled' and isVirtualNetworkFilterEnabled=false and ipRangeFilter isEmpty() )
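The GSL expression above is a predicate over three account properties. The following Python is an added example (not CloudGuard's or Microsoft's code) that evaluates the same predicate over account descriptors shaped like the `properties` object returned by `az cosmosdb show`: `publicNetworkAccess`, `isVirtualNetworkFilterEnabled`, and the IP allow-list, which older accounts expose as the comma-separated string `ipRangeFilter` named in the rule and newer ones as an `ipRules` list. The sample accounts are constructed; treating a missing `publicNetworkAccess` as `Enabled` mirrors the ARM default and is an assumption of this example.

```python
"""Evaluate the CloudGuard rule 'account open to all networks' locally.

Added example, not part of the CloudGuard page. Input follows the property
names used by `az cosmosdb show`; the rule's `ipRangeFilter` is the legacy
string form, `ipRules` the current list form, and both are accepted here.
"""
from typing import Any, Dict, List


def ip_allow_list_empty(props: Dict[str, Any]) -> bool:
    """True when neither the legacy ipRangeFilter string nor ipRules has entries."""
    legacy = props.get("ipRangeFilter")
    if isinstance(legacy, str) and legacy.strip():
        return False
    if props.get("ipRules"):          # list of {"ipAddressOrRange": "..."} objects
        return False
    return True


def is_open_to_all_networks(account: Dict[str, Any]) -> bool:
    """Mirror of the GSL predicate:
    publicNetworkAccess='Enabled' and isVirtualNetworkFilterEnabled=false
    and ipRangeFilter isEmpty()."""
    props = account.get("properties", account)
    # Assumption: absent publicNetworkAccess behaves like the ARM default 'Enabled'.
    public = str(props.get("publicNetworkAccess", "Enabled")).lower() == "enabled"
    vnet_filter = bool(props.get("isVirtualNetworkFilterEnabled", False))
    return public and not vnet_filter and ip_allow_list_empty(props)


def evaluate(accounts: List[Dict[str, Any]]) -> List[str]:
    """Return the names of accounts that violate the rule."""
    return [a["name"] for a in accounts if is_open_to_all_networks(a)]


# Constructed sample inventory covering each way an account can pass or fail.
SAMPLE_ACCOUNTS: List[Dict[str, Any]] = [
    {"name": "open-db",       # finding: public, no VNet filter, no IP rules
     "properties": {"publicNetworkAccess": "Enabled",
                    "isVirtualNetworkFilterEnabled": False,
                    "ipRangeFilter": ""}},
    {"name": "vnet-db",       # passes: VNet filter on (remediation on this page)
     "properties": {"publicNetworkAccess": "Enabled",
                    "isVirtualNetworkFilterEnabled": True,
                    "ipRules": []}},
    {"name": "ip-db",         # passes: explicit IP allow-list in the new list form
     "properties": {"publicNetworkAccess": "Enabled",
                    "isVirtualNetworkFilterEnabled": False,
                    "ipRules": [{"ipAddressOrRange": "203.0.113.0/24"}]}},
    {"name": "legacy-ip-db",  # passes: allow-list in the legacy string form
     "properties": {"publicNetworkAccess": "Enabled",
                    "isVirtualNetworkFilterEnabled": False,
                    "ipRangeFilter": "198.51.100.10"}},
    {"name": "private-db",    # passes: public network access disabled entirely
     "properties": {"publicNetworkAccess": "Disabled",
                    "isVirtualNetworkFilterEnabled": False,
                    "ipRangeFilter": ""}},
]


if __name__ == "__main__":
    for name in evaluate(SAMPLE_ACCOUNTS):
        print(f"D9.AZU.NET.63 finding: {name} accepts traffic from all networks")
```

Feeding the function the output of `az cosmosdb list` (each element carries the same property names) turns it into a quick offline check that a remediation actually cleared the finding; note that enabling the virtual network filter or adding an IP rule both clear it, as does disabling public network access.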

REMEDIATION

From Portal

  1. Go to 'Azure Cosmos DB' and choose your Cosmos DB account.
  2. Select 'Firewall and virtual networks' on the navigation menu.
  3. Change the 'Allow access from' value to 'Selected networks'.
  4. Save.

From TF
Set the 'is_virtual_network_filter_enabled' argument to 'true':

resource "azurerm_cosmosdb_account" "db" {
	..
	# Once enabled, only clients matched by the account's virtual_network_rule
	# blocks or its ip_range_filter are admitted, so configure those as well.
	is_virtual_network_filter_enabled = true
	..
}

From Command Line
Run

az cosmosdb update --name <COSMOS-DB-ACCOUNT-NAME> --resource-group <RESOURCE-GROUP> --enable-virtual-network true

References

  1. https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-firewall
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_account#is_virtual_network_filter_enabled

Azure Cosmos DB

Azure Cosmos DB is a fully managed database service with turnkey global distribution and transparent multi-master replication. You can run globally distributed, low-latency operational and analytics workloads and AI on transactional data within your database.

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset