rules/findings/Azure/Databases/CosmosDB/CIS3.0/azure-cosmosdb-all-networks-enabled.json
|
{
"args": [ ], "provider": "Azure", "serviceType": "CosmosDB", "serviceName": "Databases", "displayName": "Ensure That \u0027Firewalls \u0026 Networks\u0027 Is Limited to Use Selected Networks Instead of All Networks", "description": "Limiting your Cosmos DB to only communicate on whitelisted networks lowers its attack footprint.", "rationale": "Selecting certain networks for your Cosmos DB to communicate restricts the number of networks including the internet that can interact with what is stored within the database.", "impact": "\r\n\t\t*WARNING* : Failure to whitelist the correct networks will result in a connection loss. \r\n\t\t*WARNING* : Changes to Cosmos DB firewalls may take up to 15 minutes to apply. Ensure that sufficient time is planned for remediation or changes to avoid disruption. \r\n ", "remediation": { "text": "\r\n\t\t\t###### Remediate from Azure Portal \r\n\t\t\t1. Open the portal menu. \r\n\t\t\t2. Select the Azure Cosmos DB blade. \r\n\t\t\t3. Select a Cosmos DB account to audit. \r\n\t\t\t4. Select Networking. \r\n\t\t\t5. Under Public network access, select Selected networks. \r\n\t\t\t6. Under Virtual networks, select + Add existing virtual network or + Add a new virtual network. \r\n\t\t\t7. For existing networks, select subscription, virtual network, subnet and click Add. For new networks, provide a name, update the default values if required, and click Create. \r\n\t\t\t8. Click Save. \r\n\t", "code": { "powerShell": null, "iac": null, "terraform": null, "other": null } }, "recommendation": null, "references": [ "https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints", "https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-vnet-service-endpoint", "https://docs.microsoft.com/en-us/cli/azure/cosmosdb?view=azure-cli-latest#az-cosmosdb-show", "https://docs.microsoft.com/en-us/cli/azure/cosmosdb/database?view=azure-cli-latest#az-cosmosdb-database-list", "https://docs.microsoft.com/en-us/powershell/module/az.cosmosdb/?view=azps-8.1.0", "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-2-secure-cloud-native-services-with-network-controls" ], "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "3.0.0", "reference": "5.4.1", "profile": "Level 2" } ], "level": "medium", "tags": [ ], "rule": { "path": "az_cosmosdb", "subPath": null, "selectCondition": { }, "query": [ ], "shouldExist": null, "returnObject": null, "removeIfNotExists": null }, "output": { "html": { "data": { "expandObject": null }, "table": "asList", "decorate": [ ], "emphasis": [ ], "actions": { "objectData": { "properties": [ ], "expandObject": null, "limit": null }, "showGoToButton": null, "showModalButton": null, "directLink": null } }, "text": { "data": { "properties": { }, "expandObject": null }, "status": { "keyName": [ ], "message": "", "defaultMessage": null }, "properties": { "resourceName": null, "resourceId": null, "resourceType": null }, "onlyStatus": false } }, "idSuffix": "cosmosdb_all_networks_enabled", "notes": [ ], "categories": [ ], "immutable_properties": [ ], "id": "azure_117" } |