lacework-global-628

4.5.1 Limit 'Firewalls & Networks' to Use Selected Networks Instead of All Networks (Automated)

note

This rule has been changed to automated, see Automated Policies for CIS Azure 1.5.0 for details.

Profile Applicability

• Level 2

Description

Limiting your Cosmos DB account to communicate only with explicitly allowed networks reduces its attack surface.

Rationale

Restricting the Cosmos DB account to selected networks limits the set of networks, including the public internet, that can reach the data stored in the database.

Impact

Failing to include every network that legitimately needs the database in the allowed list will cause those clients to lose connectivity.

Audit

From Azure Portal

  1. Open the portal menu.
  2. Select the Azure Cosmos DB blade.
  3. Select the subscription you wish to audit.
  4. Select the Cosmos DB account you wish to audit.
  5. In the account's menu column select 'Firewall and virtual networks'.
  6. Confirm that the radio button for 'Allow access from' is set to 'Selected networks'.
  7. In the listing below, confirm that the selected networks are the ones expected to reach the account; any unexpected network or IP range is a finding.

From Azure CLI

az cosmosdb list
az cosmosdb show --name <account-name> --resource-group <resource-group>

In the output for each account, confirm that "isVirtualNetworkFilterEnabled" is true; false means the account is not limited to selected virtual networks. An account whose "publicNetworkAccess" is "Disabled" (private endpoints only) also satisfies this control.
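The CLI check above is per account; the following script, an added example that is not part of the original page or of Lacework's or CIS's own tooling, applies the same test to every account returned by `az cosmosdb list --output json` (or to the single object from `az cosmosdb show`) and reports the ones still reachable from all networks. It keys on the real CLI output fields publicNetworkAccess, isVirtualNetworkFilterEnabled and ipRules; the two sample accounts embedded in it, and the script name in the usage line, are constructed for illustration.

```python
"""Audit Azure Cosmos DB accounts for CIS Azure 4.5.1 (selected networks only).

Added example, not code from the page, Lacework or CIS. Input is the JSON
printed by `az cosmosdb list --output json` (a list of account objects) or
by `az cosmosdb show` (one object). Field names are those of the CLI output;
the sample accounts below are constructed.

Usage:
    az cosmosdb list -o json > accounts.json
    python3 cosmos_network_audit.py accounts.json   # exits 1 on findings
Run with no argument to evaluate the constructed sample.
"""
import json
import sys

FINDING = "public endpoint reachable from all networks"


def is_restricted(account: dict) -> bool:
    """True when the account does NOT accept connections from all networks.

    Any one of these passes:
      - publicNetworkAccess is "Disabled" (private endpoints only);
      - the virtual network filter is on (portal: 'Selected networks' with
        one or more virtual networks / subnets);
      - at least one IP firewall rule is configured.
    """
    if str(account.get("publicNetworkAccess", "Enabled")).lower() == "disabled":
        return True
    if account.get("isVirtualNetworkFilterEnabled") is True:
        return True
    if account.get("ipRules"):
        return True
    return False


def audit(accounts: list) -> list:
    """Return [(account name, reason)] for every non-compliant account."""
    return [(acct.get("name", "<unnamed>"), FINDING)
            for acct in accounts if not is_restricted(acct)]


# Constructed sample: one account limited to a subnet, one open to all networks.
SAMPLE_ACCOUNTS = [
    {
        "name": "orders-db",
        "resourceGroup": "rg-prod",
        "publicNetworkAccess": "Enabled",
        "isVirtualNetworkFilterEnabled": True,
        "virtualNetworkRules": [{
            "id": ("/subscriptions/00000000-0000-0000-0000-000000000000"
                   "/resourceGroups/rg-prod/providers/Microsoft.Network"
                   "/virtualNetworks/vnet-prod/subnets/app"),
            "ignoreMissingVNetServiceEndpoint": False,
        }],
        "ipRules": [],
    },
    {
        "name": "legacy-db",
        "resourceGroup": "rg-prod",
        "publicNetworkAccess": "Enabled",
        "isVirtualNetworkFilterEnabled": False,
        "virtualNetworkRules": [],
        "ipRules": [],
    },
]


def main(argv: list) -> int:
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_ACCOUNTS
    if isinstance(data, dict):  # single object from `az cosmosdb show`
        data = [data]
    findings = audit(data)
    for name, reason in findings:
        print(f"FAIL {name}: {reason}")
    print(f"{len(data)} account(s) checked, {len(findings)} non-compliant")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The non-zero exit code lets the check run as a gate in a pipeline; note that an account with the virtual network filter enabled but an empty rule list still counts as restricted here, which matches the CLI field the benchmark asks you to inspect, so review the listed rules separately if you need to confirm which networks are actually allowed.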

From Azure PowerShell

Remediation

From Azure Portal

  1. Open the portal menu.
  2. Select the Azure Cosmos DB blade.
  3. Select the Cosmos DB account to remediate.
  4. Select Networking.
  5. Under Public network access, select Selected networks.
  6. Under Virtual networks, select + Add existing virtual network or + Add a new virtual network.
  7. For existing networks, select subscription, virtual network, subnet and click Add. For new networks, provide a name, update the default values if required, and click Create.
  8. Click Save.

References

https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints
https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-vnet-service-endpoint
https://docs.microsoft.com/en-us/cli/azure/cosmosdb?view=azure-cli-latest#az-cosmosdb-show
https://docs.microsoft.com/en-us/cli/azure/cosmosdb/database?view=azure-cli-latest#az-cosmosdb-database-list
https://docs.microsoft.com/en-us/powershell/module/az.cosmosdb/?view=azps-8.1.0
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-2-secure-cloud-services-with-network-controls