lacework-global-628
Limit 'Firewalls & Networks' to Use Selected Networks Instead of All Networks (Automated)
This rule has been changed to automated; see Automated Policies for CIS Azure 1.5.0 for details.
Profile Applicability
• Level 2
Description
Limiting your Cosmos DB account to communicate only with whitelisted networks reduces its attack surface.
Rationale
Selecting specific networks for your Cosmos DB account to communicate with restricts the set of networks, including the internet, that can interact with the data stored in the database.
Impact
Failure to whitelist the correct networks will result in loss of connectivity for clients on the omitted networks.
Audit
From Azure Portal
- Open the portal menu.
- Select the Azure Cosmos DB blade.
- Select the subscription you wish to audit.
- In the portal menu column, select 'Firewalls and virtual networks'.
- Select the database you wish to audit.
- Select 'Firewall and virtual networks'.
- Confirm that the radio button for 'Allow access from' is set to 'Selected networks'.
- In the listing below, confirm that the listed selected networks are the appropriate networks.
From Azure CLI
az cosmosdb database list --name <account-name> --resource-group <resource-group>
az cosmosdb show --name <account-name> --resource-group <resource-group>
In the output of 'az cosmosdb show', check that "isVirtualNetworkFilterEnabled" is true (false means 'All networks' is selected).
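As an added example that is not part of the Lacework or CIS rule text: a Python check that applies the CLI audit above to the JSON returned by 'az cosmosdb list' or 'az cosmosdb show'. The field names (publicNetworkAccess, isVirtualNetworkFilterEnabled, virtualNetworkRules, ipRules) are assumed from the Azure CLI output, and the three account records are constructed sample data.

```python
"""Evaluate Cosmos DB account records against the 'selected networks' rule."""
import json

# Constructed sample of `az cosmosdb list -o json` output, trimmed to the fields
# this check reads (field names assumed from the Azure CLI output; <sub> is a placeholder).
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "cosmos-prod", "resourceGroup": "rg-prod",
   "publicNetworkAccess": "Enabled", "isVirtualNetworkFilterEnabled": true,
   "virtualNetworkRules": [{"id": "/subscriptions/<sub>/resourceGroups/rg-prod/providers/Microsoft.Network/virtualNetworks/vnet-prod/subnets/app"}],
   "ipRules": []},
  {"name": "cosmos-dev", "resourceGroup": "rg-dev",
   "publicNetworkAccess": "Enabled", "isVirtualNetworkFilterEnabled": false,
   "virtualNetworkRules": [], "ipRules": []},
  {"name": "cosmos-private", "resourceGroup": "rg-prod",
   "publicNetworkAccess": "Disabled", "isVirtualNetworkFilterEnabled": false,
   "virtualNetworkRules": [], "ipRules": []}
]
"""


def evaluate_account(acct):
    """Return (status, reason) for one account record."""
    name = f"{acct.get('resourceGroup')}/{acct.get('name')}"
    if acct.get("publicNetworkAccess") == "Disabled":
        # No public endpoint at all: only private endpoints can reach the account.
        return "PASS", f"{name}: public network access disabled"
    if not acct.get("isVirtualNetworkFilterEnabled", False):
        # 'All networks' is selected: any network, including the internet, may connect.
        return "FAIL", f"{name}: not limited to selected networks"
    vnet_rules = acct.get("virtualNetworkRules") or []
    ip_rules = acct.get("ipRules") or []
    if not vnet_rules and not ip_rules:
        # Filter on but nothing whitelisted: passes the rule, yet every client is refused.
        return "WARN", f"{name}: selected networks enabled but no networks listed"
    return "PASS", f"{name}: {len(vnet_rules)} VNet rule(s), {len(ip_rules)} IP rule(s)"


def audit(accounts_json):
    """Evaluate every account in a JSON array; returns a list of (status, reason)."""
    return [evaluate_account(acct) for acct in json.loads(accounts_json)]


if __name__ == "__main__":
    for status, reason in audit(SAMPLE_ACCOUNTS_JSON):
        print(f"[{status}] {reason}")
```

Feed it the real output with `az cosmosdb list -o json > accounts.json` and pass the file contents to audit(); the WARN case covers the Impact note above, where the filter is on but the networks that should be whitelisted are missing.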
From Azure PowerShell
Remediation
From Azure Portal
- Open the portal menu.
- Select the Azure Cosmos DB blade.
- Select a Cosmos DB account to audit.
- Select Networking.
- Under Public network access, select Selected networks.
- Under Virtual networks, select + Add existing virtual network or + Add a new virtual network.
- For existing networks, select subscription, virtual network, subnet and click Add. For new networks, provide a name, update the default values if required, and click Create.
- Click Save.
References
https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints
https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-vnet-service-endpoint
https://docs.microsoft.com/en-us/cli/azure/cosmosdb?view=azure-cli-latest#az-cosmosdb-show
https://docs.microsoft.com/en-us/cli/azure/cosmosdb/database?view=azure-cli-latest#az-cosmosdb-database-list
https://docs.microsoft.com/en-us/powershell/module/az.cosmosdb/?view=azps-8.1.0
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-2-secure-cloud-services-with-network-controls