turbot/steampipe-mod-azure-perimeter

Control: Cosmos DB account CORS policies should prohibit public access

Description

Azure Cosmos DB account Cross-Origin Resource Sharing (CORS) policies should not allow requests from any origin (*), since such an unrestricted rule enables public access to the account.

Usage

Run the control in your terminal:

powerpipe control run azure_perimeter.control.cosmosdb_account_cors_prohibit_public_access

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_perimeter.control.cosmosdb_account_cors_prohibit_public_access --share

Steampipe Tables

azure_cosmosdb_account
azure_subscription

SQL

-- Pull every Cosmos DB account so that accounts without CORS rules are still
-- reported (as ok) instead of being filtered out before the status is computed.
with cosmosdb_accounts as (
  select
    id,
    name,
    _ctx,
    region,
    resource_group,
    subscription_id,
    tags,
    cors
  from
    azure_cosmosdb_account
)
select
  c.id as resource,
  case
    when c.cors is null then 'ok'
    when jsonb_array_length(c.cors) = 0 then 'ok'
    -- A rule whose allowedOrigins is exactly "*" permits any origin.
    when c.cors @> '[{"allowedOrigins": "*"}]' then 'alarm'
    -- A rule whose comma-separated allowedOrigins contains a wildcard anywhere.
    -- (Matching on cors::text would need the space jsonb emits after the colon.)
    when exists (
      select 1
      from jsonb_array_elements(c.cors) as r
      where r ->> 'allowedOrigins' like '%*%'
    ) then 'alarm'
    else 'ok'
  end as status,
  case
    when c.cors is null then c.name || ' has no CORS rules configured.'
    when jsonb_array_length(c.cors) = 0 then c.name || ' has no CORS rules configured.'
    when c.cors @> '[{"allowedOrigins": "*"}]' then c.name || ' has CORS rules allowing access from any origin (*).'
    when exists (
      select 1
      from jsonb_array_elements(c.cors) as r
      where r ->> 'allowedOrigins' like '%*%'
    ) then c.name || ' has CORS rules that may allow public access.'
    else c.name || ' CORS rules do not allow unrestricted public access.'
  end as reason,
  c.resource_group as resource_group,
  sub.display_name as subscription
from
  cosmosdb_accounts c
  join azure_subscription sub on sub.subscription_id = c.subscription_id;
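
To see how the status logic classifies the different CORS shapes, here is an added, self-contained PostgreSQL query (not part of the mod) that applies the same checks to constructed sample rows; the account names and CORS values are made up, and the last two columns show why a text match on the jsonb must include the space PostgreSQL emits after the colon.

```sql
-- Constructed sample accounts (not real resources) covering each branch of the control.
with sample_accounts(name, cors) as (
  values
    ('cosmos-no-cors',        null::jsonb),
    ('cosmos-empty-cors',     '[]'::jsonb),
    ('cosmos-wildcard',       '[{"allowedOrigins": "*", "allowedMethods": "GET"}]'::jsonb),
    -- constructed: a comma-separated list that also contains a wildcard entry
    ('cosmos-wildcard-mixed', '[{"allowedOrigins": "https://app.example.com,*"}]'::jsonb),
    ('cosmos-restricted',     '[{"allowedOrigins": "https://app.example.com"}]'::jsonb)
)
select
  name,
  case
    when cors is null or jsonb_array_length(cors) = 0 then 'ok'
    -- exact "*" rule: any origin allowed
    when cors @> '[{"allowedOrigins": "*"}]' then 'alarm'
    -- wildcard anywhere in the allowedOrigins string
    when exists (
      select 1
      from jsonb_array_elements(cors) as r
      where r ->> 'allowedOrigins' like '%*%'
    ) then 'alarm'
    else 'ok'
  end as status,
  -- jsonb::text renders as {"allowedOrigins": "*"} (with a space), so the
  -- first pattern never matches while the second does for the exact-"*" rule.
  cors::text like '%"allowedOrigins":"*"%'  as text_match_without_space,
  cors::text like '%"allowedOrigins": "*"%' as text_match_with_space
from
  sample_accounts
order by
  name;
```

Run it with psql against any PostgreSQL instance (including Steampipe's); no plugin tables are needed because the rows are constructed inline.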

Tags