Control: 5.4.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
Description
Limiting a Cosmos DB account so that it accepts traffic only from allow-listed networks reduces its attack surface.
Selecting specific networks restricts which networks, including the public internet, can reach the data stored in the account, instead of leaving the account reachable from any source address that holds a valid key or token.
Remediation
From Azure Portal
- Open the portal menu.
- Select the Azure Cosmos DB blade.
- Select a Cosmos DB account to audit.
- Select `Networking`.
- Under `Public network access`, select `Selected networks`.
- Under `Virtual networks`, select `+ Add existing virtual network` or `+ Add a new virtual network`.
- For existing networks, select the subscription, virtual network and subnet, then click `Add`. For new networks, provide a name, update the default values if required, and click `Create`.
- Click `Save`.
Default Value
By default, Cosmos DB accounts allow access from all networks, including the public internet.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v300_5_4_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v300_5_4_1 --share
SQL
This control uses a named query:
cosmosdb_account_virtual_network_filter_enabled
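The body of that named query is not reproduced on this page. The following is an added, illustrative Steampipe query in the same control shape (`resource`, `status`, `reason`, plus dimension columns); it is an editor's example, not the mod's own `cosmosdb_account_virtual_network_filter_enabled` query. It assumes the Steampipe Azure plugin's `azure_cosmosdb_account` table with the `is_virtual_network_filter_enabled`, `public_network_access` and `virtual_network_rules` columns, and `azure_subscription` for the subscription name:

```sql
-- Added example (not the mod's own named query). Assumes the Steampipe Azure
-- plugin tables azure_cosmosdb_account and azure_subscription and the column
-- names noted above.
--
-- An account passes when public network access is disabled outright, or when
-- the virtual network filter is enabled (the portal's "Selected networks"
-- setting). The VNet rule count is reported in the reason so a reviewer can
-- spot accounts where the filter is on but no network has been selected yet.
select
  a.id as resource,
  case
    when lower(a.public_network_access) = 'disabled' then 'ok'
    when a.is_virtual_network_filter_enabled then 'ok'
    else 'alarm'
  end as status,
  case
    when lower(a.public_network_access) = 'disabled'
      then a.name || ' public network access disabled.'
    when a.is_virtual_network_filter_enabled
      then a.name || ' limited to selected networks ('
        || coalesce(jsonb_array_length(a.virtual_network_rules), 0)
        || ' virtual network rule(s)).'
    else a.name || ' accessible from all networks.'
  end as reason,
  a.resource_group,
  sub.display_name as subscription
from
  azure_cosmosdb_account as a
  join azure_subscription as sub
    on sub.subscription_id = a.subscription_id
order by
  status desc,
  a.name;
```

Run it in `steampipe query` against a subscription to audit accounts before remediating, or drop it into a local mod as a control query. Because `is_virtual_network_filter_enabled` can be true with an empty rule set, treat a zero rule count in the reason as something to follow up on, even though it reports `ok` here.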