Description
Limiting your Cosmos DB to only communicate on whitelisted networks lowers its attack footprint.
Rationale
Selecting specific networks for your Cosmos DB to communicate with restricts the set of networks, including the internet, that can reach the data stored in the database.
Impact
WARNING: Failure to whitelist the correct networks will result in a connection loss.
WARNING: Changes to Cosmos DB firewalls may take up to 15 minutes to apply. Ensure that sufficient time is planned for remediation or changes to avoid disruption.
Audit
From Azure Portal
- Open the portal menu.
- Select the Azure Cosmos DB blade.
- Select a Cosmos DB to audit.
- Select Networking.
- Under Public network access, ensure Selected networks is selected.
- Under Virtual networks, ensure appropriate virtual networks are configured.
From Azure CLI
Retrieve a list of all CosmosDB database names:
az cosmosdb list
For each database listed, run the following command:
az cosmosdb show --name <account name> --resource-group <resource group>
For each database, ensure that isVirtualNetworkFilterEnabled is set to true.
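The CLI check above can be scripted across every account in a subscription. The following is an added example (not part of the Benchmark and not Microsoft's tooling): it parses JSON in the shape returned by az cosmosdb list and reports each account that still allows all networks. The three account records embedded below are constructed sample data, as are the names cosmos-open-example, cosmos-restricted-example, cosmos-flag-only-example and rg-example; the fields isVirtualNetworkFilterEnabled, virtualNetworkRules and ipRules are the ones the real command returns. To run it against live output, save az cosmosdb list to a file and pass that file as the first argument.

```python
import json
import sys

# Constructed sample in the shape of `az cosmosdb list` output, trimmed to the
# fields the check needs. These are not real accounts or subscription ids.
SAMPLE_ACCOUNTS_JSON = """
[
  {
    "name": "cosmos-open-example",
    "resourceGroup": "rg-example",
    "publicNetworkAccess": "Enabled",
    "isVirtualNetworkFilterEnabled": false,
    "virtualNetworkRules": [],
    "ipRules": []
  },
  {
    "name": "cosmos-restricted-example",
    "resourceGroup": "rg-example",
    "publicNetworkAccess": "Enabled",
    "isVirtualNetworkFilterEnabled": true,
    "virtualNetworkRules": [
      {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Network/virtualNetworks/vnet-example/subnets/subnet-app"}
    ],
    "ipRules": []
  },
  {
    "name": "cosmos-flag-only-example",
    "resourceGroup": "rg-example",
    "publicNetworkAccess": "Enabled",
    "isVirtualNetworkFilterEnabled": true,
    "virtualNetworkRules": [],
    "ipRules": []
  }
]
"""


def audit_account(account: dict) -> list[str]:
    """Return the findings for one account; an empty list means it passes.

    The Benchmark check is isVirtualNetworkFilterEnabled == true. A second,
    softer finding covers the portal step 'ensure appropriate virtual networks
    are configured': the filter is on but no network or IP rule exists, so
    nothing can connect until rules are added (see the Impact warning).
    """
    findings: list[str] = []
    if not account.get("isVirtualNetworkFilterEnabled", False):
        findings.append("isVirtualNetworkFilterEnabled is false: all networks allowed")
    elif not account.get("virtualNetworkRules") and not account.get("ipRules"):
        findings.append("filter enabled but no virtualNetworkRules or ipRules configured")
    return findings


def audit_accounts(accounts_json: str) -> dict[str, list[str]]:
    """Map 'resourceGroup/name' to findings for every account in the JSON list."""
    accounts = json.loads(accounts_json)
    return {f"{a['resourceGroup']}/{a['name']}": audit_account(a) for a in accounts}


if __name__ == "__main__":
    # Usage: python audit_cosmos_networks.py [accounts.json]
    # where accounts.json was produced by: az cosmosdb list > accounts.json
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = fh.read()
    else:
        data = SAMPLE_ACCOUNTS_JSON
    for name, findings in audit_accounts(data).items():
        status = "PASS" if not findings else "FAIL"
        print(f"{status} {name}: {'; '.join(findings) or 'selected networks only'}")
```

Against the embedded sample the script reports the first account as FAIL (no filter), the second as PASS, and the third as FAIL because the filter is enabled without any rules. Only the first condition is the Benchmark's own audit criterion; the third case is flagged so that a filter that was switched on but never populated is reviewed rather than counted as compliant.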
From Azure Policy
If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure.
- Policy ID: 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb - Name: Azure Cosmos DB accounts should have firewall rules
Default Value
By default, Cosmos DB accounts allow access from all networks.
References
- https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints
- https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-vnet-service-endpoint
- https://docs.microsoft.com/en-us/cli/azure/cosmosdb?view=azure-cli-latest#az-cosmosdb-show
- https://docs.microsoft.com/en-us/cli/azure/cosmosdb/database?view=azure-cli-latest#az-cosmosdb-database-list
- https://docs.microsoft.com/en-us/powershell/module/az.cosmosdb/?view=azps-8.1.0
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-2-secure-cloud-native-services-with-network-controls