Control: Cosmos DB account CORS policies should prohibit public access
Description
Azure Cosmos DB account Cross-Origin Resource Sharing (CORS) policies should not allow unrestricted access from any origin (a wildcard `*` in allowedOrigins), since such a rule enables public access to the account from any website.
Usage
Run the control in your terminal:
powerpipe control run azure_perimeter.control.cosmosdb_account_cors_prohibit_public_access
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_perimeter.control.cosmosdb_account_cors_prohibit_public_access --share
Steampipe Tables
SQL
-- Accounts that have at least one CORS rule. Because this CTE already excludes
-- accounts with a null or empty cors array, the two "no CORS rules" branches in
-- the CASE expressions below are defensive and never produce a row.
with cors_configured_accounts as (
  select
    id,
    name,
    _ctx,
    region,
    resource_group,
    subscription_id,
    tags,
    cors
  from
    azure_cosmosdb_account
  where
    cors is not null
    and jsonb_array_length(cors) > 0
)
select
  c.id as resource,
  case
    when cors is null then 'ok'
    when jsonb_array_length(cors) = 0 then 'ok'
    -- jsonb containment: a rule whose allowedOrigins is exactly "*"
    when cors @> '[{"allowedOrigins": "*"}]' then 'alarm'
    -- text fallback on the rendered jsonb (PostgreSQL prints a space after the colon)
    when cors::text like '%"allowedOrigins": "*"%' then 'alarm'
    else 'ok'
  end as status,
  case
    when cors is null then c.name || ' has no CORS rules configured.'
    when jsonb_array_length(cors) = 0 then c.name || ' has no CORS rules configured.'
    when cors @> '[{"allowedOrigins": "*"}]' then c.name || ' has CORS rules allowing access from any origin (*).'
    when cors::text like '%"allowedOrigins": "*"%' then c.name || ' has CORS rules that may allow public access.'
    else c.name || ' CORS rules do not allow unrestricted public access.'
  end as reason,
  c.resource_group as resource_group,
  sub.display_name as subscription
from
  cors_configured_accounts c,
  azure_subscription sub
where
  sub.subscription_id = c.subscription_id;
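The same evaluation carried out in Python over constructed sample data, as an added example that is not part of the mod's own code. It assumes the `cors` column holds a JSON array of Azure CorsPolicy objects whose `allowedOrigins` value is a single string, comma-separated when several origins are allowed; on that assumption it goes one step beyond the SQL's containment check, which only matches a rule whose `allowedOrigins` is exactly `*`, and also flags a `*` that is one entry of a comma-separated list.

```python
import json

# Constructed sample rows of the `cors` column (assumption: Azure represents
# multiple allowed origins as one comma-separated string).
SAMPLE_ACCOUNTS = {
    "no-cors": None,
    "empty-cors": "[]",
    "wildcard": '[{"allowedOrigins": "*", "allowedMethods": "GET"}]',
    "wildcard-in-list": '[{"allowedOrigins": "https://app.example.com, *"}]',
    "restricted": '[{"allowedOrigins": "https://app.example.com,https://admin.example.com"}]',
}


def origins(rule):
    """Split one CorsPolicy's allowedOrigins string into individual origins."""
    raw = rule.get("allowedOrigins") or ""
    return [o.strip() for o in raw.split(",") if o.strip()]


def evaluate_cors(name, cors_json):
    """Return (status, reason) for one account, mirroring the control's CASE logic.

    status is 'ok' or 'alarm'. A '*' entry anywhere in a rule's origin list
    raises the alarm, not only a rule whose whole value is '*'.
    """
    rules = json.loads(cors_json) if cors_json else []
    if not rules:
        return "ok", f"{name} has no CORS rules configured."
    for rule in rules:
        if "*" in origins(rule):
            return "alarm", f"{name} has CORS rules allowing access from any origin (*)."
    return "ok", f"{name} CORS rules do not allow unrestricted public access."


def run_control(accounts=SAMPLE_ACCOUNTS):
    """Evaluate every account and return {name: status}."""
    return {name: evaluate_cors(name, cors)[0] for name, cors in accounts.items()}


if __name__ == "__main__":
    for name, cors in SAMPLE_ACCOUNTS.items():
        status, reason = evaluate_cors(name, cors)
        print(f"{status:5} {reason}")
```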