🛡️ Azure Cosmos DB Entra ID Client Authentication is not used🟢⚪

Contextual name: 🛡️ Entra ID Client Authentication is not used🟢⚪
ID: /ce/ca/azure/cosmos-db/entra-id-client-authentication
Tags:
- ⚪ Impossible policy
- 🟢 Policy with categories
- 🟢 Policy with type
Policy Type: BEST_PRACTICE
Policy Categories: SECURITY

Similar Policies

Internal: dec-x-b4d3d9dc

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-b4d3d9dc	2

Description

Open File

Description

Cosmos DB can use tokens or Entra ID for client authentication which in turn will use Azure RBAC for authorization. Using Entra ID is significantly more secure because Entra ID handles the credentials and allows for MFA and centralized management, and the Azure RBAC better integrated with the rest of Azure.

Rationale

Entra ID client authentication is considerably more secure than token-based authentication because the tokens must be persistent at the client. Entra ID does not require this.

Audit

From Powershell
$cosmosdbname = "<your-cosmos-db-account-name>" $resourcegroup = "<your-resource-group-name>" az cosmosdb show --name $cosmosdbname --resource-group $resourcegroup | ConvertFrom-Json
In the resulting output, disableLocalAuth should be true.

Default Value

The default is to use tokens/keys for client authentication.

References

https://learn.microsoft.com/en-us/azure/cosmos-db/role-based-access-control

Remediation

Open File

Remediation

Map all the resources that currently access to the Azure Cosmos DB account with keys or access tokens.

Create an Entra ID identity for each of these resources:

For Azure resources, you can create a managed identity. You may choose between system-assigned and user-assigned managed identities.

For non-Azure resources, create an Entra ID identity. Grant each Entra ID identity the minimum permission it requires. When possible, we recommend you use one of the 2 built-in role definitions: Cosmos DB Built-in Data Reader or Cosmos DB Built-in Data Contributor. Validate that the new resource is functioning correctly. After new permissions are granted to identities, it may take a few hours until they propagate. When all resources are working correctly with the new identities, continue to the next step.

From Powershell
$cosmosdbname = "<your-cosmos-db-account-name>" $resourcegroup = "<your-resource-group-name>" az cosmosdb show --name $cosmosdbname --resource-group $resourcegroup | ConvertFrom-Json az resource update --ids $cosmosdb.id --set properties.disableLocalAuth=true --latest-include-preview

... [see more](remediation.md)

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 APRA CPG 234 → 💼 36f network design — to ensure authorised network traffic flows and to reduce the impact of security compromises;		29	30	no data
💼 APRA CPG 234 → 💼 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.		35	37	no data
💼 CIS Azure v2.1.0 → 💼 4.5.3 Use Entra ID Client Authentication and Azure RBAC where possible. - Level 1 (Manual)			1	no data
💼 CIS Azure v3.0.0 → 💼 5.4.3 Use Entra ID Client Authentication and Azure RBAC where possible (Manual)			1	no data
💼 Cloudaware Framework → 💼 Secure Access			57	no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	68	no data
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)		11	48	no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			68	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			68	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)			48	no data
💼 ISO/IEC 27001:2013 → 💼 A.9.1.2 Access to networks and network services		17	18	no data
💼 ISO/IEC 27001:2013 → 💼 A.9.4.1 Information access restriction		19	20	no data
💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties		17	56	no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		47	91	no data
💼 NIST CSF v1.1 → 💼 PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities		21	30	no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			116	no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			148	no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			125	no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			142	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows		37	48	no data
💼 PCI DSS v3.2.1 → 💼 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.	7	8	30	no data
💼 PCI DSS v4.0.1 → 💼 1.4.1 NSCs are implemented between trusted and untrusted networks.			19	no data
💼 PCI DSS v4.0 → 💼 1.4.1 NSCs are implemented between trusted and untrusted networks.		7	19	no data
💼 SOC 2 → 💼 CC6.1-6 Manages Points of Access		5	7	no data
💼 SOC 2 → 💼 CC6.1-8 Manages Identification and Authentication		18	24	no data
💼 UK Cyber Essentials → 💼 1.2 Prevent access to the administrative interface from the internet		36	38	no data

Similar Policies​

Similar Internal Rules​

Description​

Description​

Rationale​

Audit​

From Powershell​

Default Value​

References​

Remediation​

Remediation​

From Powershell​

policy.yaml​

Linked Framework Sections​

Similar Policies

Similar Internal Rules

Description

Description

Rationale

Audit

From Powershell

Default Value

References

Remediation

Remediation

From Powershell

policy.yaml

Linked Framework Sections