Ensure Cosmos DB account access is not allowed from all networks
Azure Cosmos DB supports IP-based access controls for inbound firewall support. Allowing access from selected networks only provides an additional level of security to your database.
Risk Level: High
Cloud Entity: Azure Cosmos DB
CloudGuard Rule ID: D9.AZU.NET.63
Covered by Spectral: Yes
Category: Database
GSL LOGIC
CosmosDbAccount should not have ( publicNetworkAccess='Enabled' and isVirtualNetworkFilterEnabled=false and ipRangeFilter isEmpty() )
REMEDIATION
From Portal
- Go to 'Azure Cosmos DB' and choose your Cosmos DB account.
- Select 'Firewall and virtual networks' on the navigation menu.
- Change the 'Allow access from' value to 'Selected networks'.
- Save.
From TF
Set the is_virtual_network_filter_enabled' argument to 'true':
resource "azurerm_cosmosdb_account" "db" {
..
is_virtual_network_filter_enabled = true
..
}
From Command Line
Run
az cosmosdb update --name COSMOS DB DATABASE ACCOUNT --resource-group RESOURCE GROUP --enable-virtual-network true
References
- https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-firewall
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_account#is_virtual_network_filter_enabled
Azure Cosmos DB
Azure Cosmos DB is a fully managed database service with turnkey global distribution and transparent multi-master replication. You can run globally distributed, low-latency operational and analytics workloads and AI on transactional data within your database.
Compliance Frameworks
- AZU PCI-DSS 4.0
- Azure CloudGuard Best Practices
- Azure HITRUST v9.5.0
- Azure NIST 800-53 Rev 5
- CloudGuard Azure All Rules Ruleset
Updated over 1 year ago