Skip to main content

πŸ“ Azure Cosmos DB Entra ID Client Authentication is not used 🟒

  • Contextual name: πŸ“ Entra ID Client Authentication is not used 🟒
  • ID: /ce/ca/azure/cosmos-db/entra-id-client-authentication
  • Located in: πŸ“ Azure Cosmos DB

Flags​

Our Metadata​

  • Policy Type: BEST_PRACTICE
  • Policy Category:
    • SECURITY

Similar Policies​

  • Internal
    • dec-x-b4d3d9dc

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-b4d3d9dc2

Description​

Open File

Description​

Cosmos DB can use tokens or Entra ID for client authentication which in turn will use Azure RBAC for authorization. Using Entra ID is significantly more secure because Entra ID handles the credentials and allows for MFA and centralized management, and the Azure RBAC better integrated with the rest of Azure.

Rationale​

Entra ID client authentication is considerably more secure than token-based authentication because the tokens must be persistent at the client. Entra ID does not require this.

Audit​

From Powershell​
$cosmosdbname = "<your-cosmos-db-account-name>" $resourcegroup = "<your-resource-group-name>" az cosmosdb show --name $cosmosdbname --resource-group $resourcegroup | ConvertFrom-Json

In the resulting output, disableLocalAuth should be true.

Default Value​

The default is to use tokens/keys for client authentication.

References​

  1. https://learn.microsoft.com/en-us/azure/cosmos-db/role-based-access-control

Remediation​

Open File

Remediation​

Map all the resources that currently access to the Azure Cosmos DB account with keys or access tokens.

Create an Entra ID identity for each of these resources:

  • For Azure resources, you can create a managed identity. You may choose between system-assigned and user-assigned managed identities.
  • For non-Azure resources, create an Entra ID identity. Grant each Entra ID identity the minimum permission it requires. When possible, we recommend you use one of the 2 built-in role definitions: Cosmos DB Built-in Data Reader or Cosmos DB Built-in Data Contributor. Validate that the new resource is functioning correctly. After new permissions are granted to identities, it may take a few hours until they propagate. When all resources are working correctly with the new identities, continue to the next step.

From Powershell​

$cosmosdbname = "<your-cosmos-db-account-name>" $resourcegroup = "<your-resource-group-name>" az cosmosdb show --name $cosmosdbname --resource-group $resourcegroup | ConvertFrom-Json az resource update --ids $cosmosdb.id --set properties.disableLocalAuth=true --latest-include-preview

... [see more](remediation.md)

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 36f network design β€” to ensure authorised network traffic flows and to reduce the impact of security compromises;2829
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.3436
πŸ’Ό CIS Azure v2.1.0 β†’ πŸ’Ό 4.5.3 Use Entra ID Client Authentication and Azure RBAC where possible. - Level 1 (Manual)1
πŸ’Ό CIS Azure v3.0.0 β†’ πŸ’Ό 5.4.3 Use Entra ID Client Authentication and Azure RBAC where possible (Manual)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Secure Access43
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)3747
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)1139
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)47
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)47
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)39
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.9.1.2 Access to networks and network services1718
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.9.4.1 Information access restriction1920
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties1735
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-5: Protections against data leaks are implemented4351
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities2125
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties58
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected82
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected69
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected67
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows3539
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.7911
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.4.1 NSCs are implemented between trusted and untrusted networks.10
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.4.1 NSCs are implemented between trusted and untrusted networks.10
πŸ’Ό UK Cyber Essentials β†’ πŸ’Ό 1.2 Prevent access to the administrative interface from the internet3537