📝 Azure Cosmos DB Account Private Endpoints are not used 🟢

• Contextual name: 📝 Private Endpoints are not used 🟢
• ID: /ce/ca/azure/cosmos-db/private-endpoints-use
• Located in: 📁 Azure Cosmos DB

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: BEST_PRACTICE
• Policy Category:
  • SECURITY

Similar Policies

• Internal
  • dec-x-b4d3d9dc

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-b4d3d9dc	2

Logic

• 🧠 prod.logic.yaml 🟢
  • 📕 Azure Cosmos DB Account
  • 🔌 Azure Private Endpoint Connection - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

Private endpoints limit network traffic to approved sources.

Rationale

For sensitive data, private endpoints allow granular control of which services can communicate with Cosmos DB and ensure that this network traffic is private. You set this up on a case by case basis for each service you wish to be connected.

Impact

Only whitelisted services will have access to communicate with the Cosmos DB.

Audit

From Azure Portal

1. Open the portal menu.
2. Select the Azure Cosmos DB blade.
3. Select the Azure Cosmos DB account.
4. Select Networking.
5. Ensure Public network access is set to Selected networks.
6. Ensure the listed networks are set appropriately.
7. Select Private access.
8. Ensure a private endpoint exists and Connection state is Approved.

From Azure Policy

If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure.

• Policy ID: 58440f8a-10c5-4151-bdce-dfbaad4a20b7 - Name: CosmosDB accounts should use private link

... see more

Remediation

Open File

Remediation

From Azure Portal

1. Open the portal menu.
2. Select the Azure Cosmos DB blade.
3. Select the Azure Cosmos DB account.
4. Select Networking.
5. Select Private access.
6. Click + Private Endpoint.
7. Provide a Name.
8. Click Next.
9. From the Resource type drop down, select Microsoft.AzureCosmosDB/databaseAccounts.
10. From the Resource drop down, select the Cosmos DB account.
11. Click Next.
12. Provide appropriate Virtual Network details.
13. Click Next.
14. Provide appropriate DNS details.
15. Click Next.
16. Optionally provide Tags.
17. Click Next : Review + create.
18. Click Create.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 APRA CPG 234 → 💼 36f network design — to ensure authorised network traffic flows and to reduce the impact of security compromises;		28	29
💼 APRA CPG 234 → 💼 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.		34	36
💼 CIS Azure v2.1.0 → 💼 4.5.2 Ensure That Private Endpoints Are Used Where Possible - Level 2 (Automated)		1	1
💼 CIS Azure v3.0.0 → 💼 5.4.2 Ensure That Private Endpoints Are Used Where Possible (Automated)			1
💼 Cloudaware Framework → 💼 Secure Access			43
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	47
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)		11	39
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			47
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			47
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)			39
💼 ISO/IEC 27001:2013 → 💼 A.9.1.2 Access to networks and network services		17	18
💼 ISO/IEC 27001:2013 → 💼 A.9.4.1 Information access restriction		19	20
💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties		17	35
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		43	51
💼 NIST CSF v1.1 → 💼 PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities		21	25
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			58
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			82
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			69
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			67
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows		35	39
💼 PCI DSS v3.2.1 → 💼 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.	7	9	11
💼 PCI DSS v4.0.1 → 💼 1.4.1 NSCs are implemented between trusted and untrusted networks.			10
💼 PCI DSS v4.0 → 💼 1.4.1 NSCs are implemented between trusted and untrusted networks.			10
💼 UK Cyber Essentials → 💼 1.2 Prevent access to the administrative interface from the internet		35	37