Ensure CORS is configured to allow only trusted clients for Azure Healthcare Service

MEDIUM

Description

Misconfigured CORS may lead to excessive access of resources to existing clients. It may even expose private endpoints/data to unauthorized/malicious clients.

Remediation

In Azure Console -

Open the Azure Portal and go to Health Data Services.
Select the Workspace that contains the service you wish to edit.
Under Services, choose the service you wish to edit.
Under Settings, select CORS.
Configure as needed.

In Terraform -

In the azurerm_healthcare_service resource, create a cors_configuration block.
Add/configure allowed_origins, allowed_headers, and allowed_methods as needed.

References:
https://learn.microsoft.com/en-us/azure/healthcare-apis/
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/healthcare_service#cors_configuration

Policy Details

Rule Reference ID: AC_AZURE_0221

CSP: Azure

Remediation Available: Yes

Domain: Infrastructure Security

Resource: azurerm_healthcare_service

Resource Category: Analytics

Resource Type: HealthCare Service

Frameworks

NIST-800-53
NIST-CSF
GDPR
HIPAA
NIST-800-171

Detections