lacework-global-628
4.5.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks (Automated)
Note
This rule has been changed to automated; see Automated Rules for CIS Azure 1.5.0 for details.
Profile Applicability
• Level 2
Description
Limiting your Cosmos DB to only communicate on whitelisted networks lowers its attack footprint.
Rationale
Selecting specific networks for your Cosmos DB to communicate with restricts the set of networks, including the internet, that can interact with the data stored in the database.
Impact
Failure to whitelist the correct networks will result in a connection loss.
Audit
From Azure Portal
Open the portal menu.
Select the Azure Cosmos DB blade.
Select the subscription you wish to audit.
In the portal menu column, select 'Firewalls and virtual networks'.
Select the database you wish to audit.
Select 'Firewall and virtual networks'.
Confirm that the radio button for 'Allow access from' is set to 'Selected networks'.
In the listing below, confirm that the selected networks listed are the appropriate ones.
From Azure CLI
az cosmosdb list
az cosmosdb show --name <account-name> --resource-group <resource-group-name> --query isVirtualNetworkFilterEnabled
Confirm that the value returned is true; false means the virtual network filter is not enabled on the account.
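The CLI check above only reads one boolean; the portal steps also ask you to confirm that the listed networks are the appropriate ones. The following is an added example, not part of the benchmark or Lacework's rule, that evaluates the JSON returned by az cosmosdb show against an allow-list of approved subnet resource IDs. The account JSON and the allow-list are constructed samples with placeholder subscription and subnet names; the virtualNetworkRules and ipRules fields are the standard Cosmos DB account properties for VNet and IP firewall rules.

```python
import json

# Constructed sample, trimmed to the fields this check reads, in the shape of
# `az cosmosdb show --name <account> --resource-group <rg> -o json`.
# Subscription ID and subnet names are placeholders.
SAMPLE_ACCOUNT_JSON = """{
  "name": "example-cosmos-account",
  "isVirtualNetworkFilterEnabled": true,
  "virtualNetworkRules": [
    {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app/providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-api"},
    {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-legacy/providers/Microsoft.Network/virtualNetworks/vnet-legacy/subnets/snet-old"}
  ],
  "ipRules": []
}"""

# Constructed allow-list of subnets approved to reach this account.
APPROVED_SUBNETS = {
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app/providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-api",
}


def audit_account(account: dict, approved_subnets: set) -> dict:
    """Evaluate one Cosmos DB account against CIS 4.5.1.

    PASS only when the virtual network filter is on ('Selected networks') and
    every listed subnet is on the approved list. Resource IDs are compared
    case-insensitively because Azure does not preserve their case consistently.
    """
    filter_on = account.get("isVirtualNetworkFilterEnabled") is True
    subnets = [r["id"].lower() for r in account.get("virtualNetworkRules", [])]
    approved = {s.lower() for s in approved_subnets}
    unapproved = sorted(s for s in subnets if s not in approved)
    if not filter_on:
        status, reason = "FAIL", "isVirtualNetworkFilterEnabled is not true; 'All networks' is in effect"
    elif not subnets:
        status, reason = "MANUAL", "filter enabled but no virtual network rules; review ipRules by hand"
    elif unapproved:
        status, reason = "FAIL", f"{len(unapproved)} selected subnet(s) are not on the approved list"
    else:
        status, reason = "PASS", "selected networks only; all subnets approved"
    return {"account": account.get("name"), "status": status,
            "reason": reason, "unapproved_subnets": unapproved}


def run_sample() -> dict:
    """Parse the constructed sample and audit it against the allow-list."""
    return audit_account(json.loads(SAMPLE_ACCOUNT_JSON), APPROVED_SUBNETS)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

In the constructed sample the legacy subnet is not on the allow-list, so the account is reported as FAIL even though the virtual network filter itself is enabled.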
From Azure PowerShell
Remediation
From Azure Portal
Open the portal menu.
Select the Azure Cosmos DB blade.
Select the subscription you wish to audit.
In the portal menu column, select 'Firewalls and virtual networks'.
Select the database you wish to audit.
Select 'Firewall and virtual networks'.
Change the radio button for 'Allow access from' to 'Selected networks'.
Under the heading 'Virtual Networks', choose '+ Add existing virtual network' or '+ Add a new virtual network'.
For existing networks, select the subscription, virtual network, and subnet, then select 'Add'. For new networks, follow similar steps but enter the configuration you desire.
References
https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints
https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-vnet-service-endpoint
https://docs.microsoft.com/en-us/cli/azure/cosmosdb?view=azure-cli-latest#az-cosmosdb-show
https://docs.microsoft.com/en-us/cli/azure/cosmosdb/database?view=azure-cli-latest#az-cosmosdb-database-list
https://docs.microsoft.com/en-us/powershell/module/az.cosmosdb/?view=azps-8.1.0
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-2-secure-cloud-services-with-network-controls