lacework-global-628

4.5.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks (Automated)

note

This rule has been changed to automated, see Automated Rules for CIS Azure 1.5.0 for details.

Profile Applicability

• Level 2

Description

Limiting your Cosmos DB to only communicate on whitelisted networks lowers its attack footprint.

Rationale

Selecting specific networks for your Cosmos DB to communicate with restricts the set of networks, including the internet, that can interact with the data stored in the database.

Impact

Failure to whitelist the correct networks will result in a connection loss.

Audit

From Azure Portal

  1. Open the portal menu.

  2. Select the Azure Cosmos DB blade.

  3. Select the subscription you wish to audit.

  4. In the portal menu column select 'Firewalls and virtual networks'.

  5. Select the Database you wish to audit.

  6. Select 'Firewall and virtual networks'.

  7. Confirm that the radio button for 'allow access from' is set to 'selected networks'.

  8. In the listing below confirm that the listed selected networks are set to the appropriate networks.

From Azure CLI

az cosmosdb list
az cosmosdb show --name <account name> --resource-group <resource group>

In the output, check the value of "isVirtualNetworkFilterEnabled": it must be true (false means the account accepts connections from all networks).
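As an added example (not part of this page or the CIS benchmark), the following Python evaluates the JSON returned by az cosmosdb show against the intent of this control: the virtual network filter must be on and at least one network or IP rule must exist, unless public access is disabled entirely (private endpoints only). The field names are those of the Cosmos DB account resource; the sample document is constructed.

```python
import json

# Constructed sample of `az cosmosdb show` output, trimmed to the fields the
# audit inspects. This account fails the control: filter off, no rules.
SAMPLE_ACCOUNT_JSON = """
{
  "name": "example-cosmos-account",
  "isVirtualNetworkFilterEnabled": false,
  "publicNetworkAccess": "Enabled",
  "virtualNetworkRules": [],
  "ipRules": []
}
"""


def audit_network_restriction(account):
    """Return a list of findings for one Cosmos DB account dict.

    An empty list means the account is limited to selected networks.
    """
    findings = []
    # Public access disabled means only private endpoints can reach the
    # account, which satisfies the control regardless of the filter flag.
    if account.get("publicNetworkAccess") == "Disabled":
        return findings
    if not account.get("isVirtualNetworkFilterEnabled", False):
        findings.append("isVirtualNetworkFilterEnabled is false: all networks can reach the account")
    vnet_rules = account.get("virtualNetworkRules") or []
    ip_rules = account.get("ipRules") or []
    if not vnet_rules and not ip_rules:
        findings.append("no virtual network or IP firewall rules are configured")
    for rule in ip_rules:
        # 0.0.0.0/0 is every IPv4 address, so the allow-list is no restriction at all.
        if rule.get("ipAddressOrRange") == "0.0.0.0/0":
            findings.append("IP rule 0.0.0.0/0 allows every address")
    return findings


def audit_show_output(show_json):
    """Parse `az cosmosdb show` JSON text; return (account name, findings)."""
    account = json.loads(show_json)
    return account.get("name"), audit_network_restriction(account)


if __name__ == "__main__":
    name, findings = audit_show_output(SAMPLE_ACCOUNT_JSON)
    print(f"{name}: {'PASS' if not findings else 'FAIL'}")
    for finding in findings:
        print(f"  - {finding}")
```

To audit a real account, pass the text of the az cosmosdb show output (for example, read from a file or stdin) to audit_show_output instead of the sample.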

From Azure PowerShell

Remediation

From Azure Portal

  1. Open the portal menu.

  2. Select the Azure Cosmos DB blade.

  3. Select the subscription you wish to audit.

  4. In the portal menu column select 'Firewalls and virtual networks'.

  5. Select the Database you wish to audit.

  6. Select 'Firewall and virtual networks'.

  7. Change the radio button for 'allow access from' to 'selected networks'.

  8. Under the heading 'Virtual Networks' choose '+ Add existing virtual network' or '+ Add a new virtual network'.

  9. For existing networks, select the subscription, virtual network, and subnet, then select 'Add'. For new networks follow similar steps but enter the configuration you desire.

References

https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints
https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-vnet-service-endpoint
https://docs.microsoft.com/en-us/cli/azure/cosmosdb?view=azure-cli-latest#az-cosmosdb-show
https://docs.microsoft.com/en-us/cli/azure/cosmosdb/database?view=azure-cli-latest#az-cosmosdb-database-list
https://docs.microsoft.com/en-us/powershell/module/az.cosmosdb/?view=azps-8.1.0
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-2-secure-cloud-services-with-network-controls