Ensure consistency level is NOT set to 'Eventual' for Azure CosmosDB Account

LOW

Description

Azure CosmosDB Account instances with consistency level 'Eventual' may juggle the order of data and mutate it in unexpected ways.

Remediation

In Azure Console -

Open the Azure Portal and go to Cosmos DB.
Select the Cosmos DB account you wish to edit.
Under Settings, choose Default consistency.
Choose the appropriate consistency from the following: [Session | Strong | ConsistentPrefix | BoundedStaleness].

In Terraform -

In the azurerm_cosmosdb_account resource, create a consistency_policy block.
Set consistency_level to the appropriate consistency from the following: [Session | Strong | ConsistentPrefix | BoundedStaleness].

References:
https://learn.microsoft.com/en-us/azure/cosmos-db/
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_account#consistency_policy

Policy Details

Rule Reference ID: AC_AZURE_0183

CSP: Azure

Remediation Available: Yes

Domain: Security Best Practices

Resource: azurerm_cosmosdb_account

Resource Category: Database

Resource Type: Cosmos DB Account

Frameworks

GDPR
NIST-800-171
NIST-800-53
NIST-CSF
HIPAA