Skip to main content

lacework-global-629

4.5.2 Use Private Endpoints Where Possible (Automated)

note

This rule has been changed to automated, see Automated Policies for CIS Azure 1.5.0 for details.

Profile Applicability

• Level 2

Description

Private endpoints limit network traffic to approved sources.

Rationale

For sensitive data, private endpoints allow granular control of which services can communicate with Cosmos DB and ensure that this network traffic is private. You set this up on a case by case basis for each service you wish to be connected.

Impact

Only whitelisted services will have access to communicate with the Cosmos DB.

Audit

From Azure Portal

  1. Open the portal menu.
  2. Select the Azure Cosmos DB blade
  3. Select the subscription you wish to audit.
  4. In the portal menu column select 'Private Endpoint Connections'.
  5. Select the Database you wish to audit.
  6. In this list view the private endpoints. In the column under 'Connection State' and the Private Endpoint is set to 'Enabled' it is active.
  7. Confirm that the radio button for 'allow access from' is set to 'selected networks'
  8. In the listing below confirm that the listed selected networks are set to the appropriate endpoints.

Remediation

From Azure Portal

  1. Open the portal menu.
  2. Select the Azure Cosmos DB blade.
  3. Select the Azure Cosmos DB account.
  4. Select Networking.
  5. Select Private access.
  6. Click + Private Endpoint.
  7. Provide a Name.
  8. Click Next.
  9. From the Resource type drop down, select Microsoft.AzureCosmosDB/databaseAccounts.
  10. From the Resource drop down, select the Cosmos DB account.
  11. Click Next.
  12. Provide appropriate Virtual Network details.
  13. Click Next.
  14. Provide appropriate Domain Name System (DNS) details.
  15. Click Next.
  16. Optionally provide Tags.
  17. Click Next : Review + create.
  18. Click Create.

References

https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints
https://docs.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-cosmosdb-portal
https://docs.microsoft.com/en-us/cli/azure/cosmosdb/private-endpoint-connection?view=azure-cli-latest
https://docs.microsoft.com/en-us/cli/azure/network/private-endpoint?view=azure-cli-latest#az-network-private-endpoint-create
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-2-secure-cloud-services-with-network-controls

Last updated on