Overview
Restricting a Cosmos DB account so that it accepts connections only from explicitly allowed (whitelisted) networks reduces its attack surface.
Rationale
Restricting a Cosmos DB account to selected networks limits which networks, and in particular whether the public internet, can reach the data stored in the account. It also adds a layer of defence in depth: an attacker who obtains an account key or token still needs a network path from an allowed network before it can be used.
Impact
WARNING: Failing to whitelist every network that legitimately needs access will cause those clients to lose their connection to the account.
WARNING: Changes to Cosmos DB firewalls may take up to 15 minutes to apply. To avoid disruption, plan sufficient time for remediation, for verifying connectivity afterwards, and for rolling back if required.
Default Value
By default, a Cosmos DB account accepts connections from all networks, including the public internet.
Remediation guidance
Remediate from Azure Portal
- Open the Cosmos DB account using the Open in Azure button.
- Select Networking.
- Under Public network access, select Selected networks.
- Under Virtual networks, select + Add existing virtual network or + Add a new virtual network.
- For an existing network, select the subscription, virtual network and subnet, then click Add. For a new network, provide a name, adjust the default values if required, then click Create.
- Click Save.
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Azure
Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Azure Cosmos DB Accounts Allowing All Networks
Connectors
Microsoft Azure
Covered asset types
Expected check: eq []
{
  cosmosDbAccounts(where: { isVirtualNetworkFilterEnabled: false }) {
    ...AssetFragment
  }
}
The query returns every Cosmos DB account whose virtual network filter is disabled; the control passes only when that list is empty (eq []). Note that the check keys on isVirtualNetworkFilterEnabled alone, so an account that is restricted only by IP firewall rules is still flagged by this check.
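As an added example (not the page's own tooling, and not Microsoft code), the following Python reimplements the stored check over a constructed inventory in the shape of `az cosmosdb list -o json`, then builds the batched remediation described under Operational rollout as `az cosmosdb update` commands, internet-exposed production accounts first. The subscription ID, subnet ID, account names and the env/exposure tag names are assumptions for the example; the CLI flags are those of the Azure CLI.

```python
"""Audit Azure Cosmos DB accounts for the 'allow all networks' condition and
produce a batched remediation plan.

Added example for this page; not the page's own tooling or Microsoft code.
Runs offline on a constructed inventory whose shape mirrors the JSON that
`az cosmosdb list -o json` returns. The tag names used for ordering (env,
exposure), the subscription ID and the subnet ID are assumptions.
"""
import json
import shlex

# Constructed sample inventory (not real accounts). Only the fields this
# example reads are included.
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "cosmos-prod-api", "resourceGroup": "rg-prod",
   "isVirtualNetworkFilterEnabled": false, "virtualNetworkRules": [],
   "tags": {"env": "prod", "exposure": "internet"}},
  {"name": "cosmos-dev-01", "resourceGroup": "rg-dev",
   "isVirtualNetworkFilterEnabled": false, "virtualNetworkRules": [],
   "tags": {"env": "dev", "exposure": "internal"}},
  {"name": "cosmos-prod-reporting", "resourceGroup": "rg-prod",
   "isVirtualNetworkFilterEnabled": true,
   "virtualNetworkRules": [{"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/vnet-hub/subnets/snet-app"}],
   "tags": {"env": "prod", "exposure": "internal"}}
]
"""


def load_accounts(raw_json):
    """Parse the inventory JSON (e.g. the output of `az cosmosdb list -o json`)."""
    return json.loads(raw_json)


def failing_accounts(accounts):
    """Same predicate as the stored check:
    cosmosDbAccounts(where: { isVirtualNetworkFilterEnabled: false }).
    Accounts restricted only by IP firewall rules are still returned here,
    because the check keys on the virtual network filter flag alone."""
    return [a for a in accounts if not a.get("isVirtualNetworkFilterEnabled", False)]


def check_passes(accounts):
    """The control's expected result is 'eq []': no failing accounts."""
    return failing_accounts(accounts) == []


def rollout_priority(account):
    """Sort key for the operational rollout: internet-exposed and production
    assets first, then the rest alphabetically. Tag names are assumptions."""
    tags = account.get("tags") or {}
    return (
        0 if tags.get("exposure") == "internet" else 1,
        0 if tags.get("env") == "prod" else 1,
        account["name"],
    )


def remediation_plan(accounts, allowed_subnet_ids, batch_size=5):
    """Return batches of `az cosmosdb update` commands that turn on the virtual
    network filter and whitelist the given subnets (ARM resource IDs).

    Refuses an empty allow-list: enabling the filter with no rules would cut
    off every client (the connection-loss warning under Impact)."""
    if not allowed_subnet_ids:
        raise ValueError("refusing to enable the VNet filter with an empty subnet allow-list")
    ordered = sorted(failing_accounts(accounts), key=rollout_priority)
    batches = []
    for start in range(0, len(ordered), batch_size):
        batch = []
        for acct in ordered[start:start + batch_size]:
            argv = [
                "az", "cosmosdb", "update",
                "--resource-group", acct["resourceGroup"],
                "--name", acct["name"],
                "--enable-virtual-network", "true",
                "--virtual-network-rules", *allowed_subnet_ids,
            ]
            batch.append(shlex.join(argv))
        batches.append(batch)
    return batches


if __name__ == "__main__":
    inventory = load_accounts(SAMPLE_ACCOUNTS_JSON)
    print("control passes:", check_passes(inventory))
    subnet = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
              "rg-net/providers/Microsoft.Network/virtualNetworks/vnet-hub/subnets/snet-app")
    for i, batch in enumerate(remediation_plan(inventory, [subnet], batch_size=1), 1):
        print(f"batch {i}:")
        for cmd in batch:
            print("  ", cmd)
```

The printed commands are meant to be reviewed, then run one batch at a time; after each batch, allow for the propagation delay noted under Impact, confirm the whitelisted clients still connect, then re-run `az cosmosdb list -o json` and feed the output back into check_passes to confirm the batch now passes the stored check.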