turbot/azure_compliance

Control: 5.4.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks

Description

Limiting your Cosmos DB to only communicate on whitelisted networks lowers its attack footprint.

Selecting certain networks for your Cosmos DB to communicate restricts the number of networks including the internet that can interact with what is stored within the database.

Remediation

From Azure Portal

  1. Open the portal menu.
  2. Select the Azure Cosmos DB blade.
  3. Select a Cosmos DB account to audit.
  4. Select Networking.
  5. Under Public network access, select Selected networks.
  6. Under Virtual networks, select + Add existing virtual network or + Add a new virtual network.
  7. For existing networks, select subscription, virtual network, subnet and click Add. For new networks, provide a name, update the default values if required, and click Create.
  8. Click Save.

Default Value

By default, Cosmos DBs are set to have access all networks.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v300_5_4_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v300_5_4_1 --share

SQL

This control uses a named query:

cosmosdb_account_virtual_network_filter_enabled

Tags