Ensure public network access disabled for Azure CosmosDB Account

MEDIUM

Description

A Cosmos DB account with public network access enabled exposes its endpoint to every IP address on the internet. Requests still have to carry a valid account key, resource token or Azure AD token, but an internet-reachable endpoint means any key that leaks from application configuration, CI logs or source control can be used from anywhere, and the endpoint itself is open to enumeration and credential-guessing traffic. Disabling public network access and reaching the account only through a private endpoint in your own virtual network is the generally recommended configuration.

Remediation

In Azure Console -

  1. Open the Azure Portal and go to Azure Cosmos DB.
  2. Select the Cosmos DB account you wish to edit.
  3. Under Settings, choose Networking.
  4. On the Public access tab, set Public network access to Disabled and save.

Before choosing Disabled, make sure a private endpoint already exists for the account: once public access is disabled, the IP firewall rules and virtual network rules on the account no longer apply, and clients that are not reaching the account through a private endpoint lose connectivity.

In Terraform -

  1. In the azurerm_cosmosdb_account resource, set public_network_access_enabled to false. The argument defaults to true, so an account that does not set it at all is non-compliant.
  2. Provide a private endpoint for the account (azurerm_private_endpoint pointing at the account id) so that applications keep a network path to it after public access is removed.
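The following is an added example of the Terraform remediation; it is not code from the page or from the Terraform provider documentation. It shows a non-compliant account (argument left at its default) next to a compliant one that disables public access and adds a private endpoint with the private DNS zone Cosmos DB SQL API clients resolve against. All resource names, the resource group, virtual network and subnet are placeholders.

```hcl
# Added example: Cosmos DB account before and after remediation of AC_AZURE_0316.
# Resource names, region, resource group, VNet and subnet are placeholders.

resource "azurerm_resource_group" "rg" {
  name     = "rg-cosmos-example"
  location = "westeurope"
}

resource "azurerm_virtual_network" "vnet" {
  name                = "vnet-cosmos-example"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  address_space       = ["10.10.0.0/16"]
}

resource "azurerm_subnet" "app" {
  name                 = "snet-app"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.10.1.0/24"]
}

# NON-COMPLIANT: public_network_access_enabled is not set, so it takes the
# provider default of true and the endpoint is reachable from any public IP.
resource "azurerm_cosmosdb_account" "bad" {
  name                = "cosmos-example-bad"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  offer_type          = "Standard"
  kind                = "GlobalDocumentDB"

  consistency_policy {
    consistency_level = "Session"
  }

  geo_location {
    location          = azurerm_resource_group.rg.location
    failover_priority = 0
  }
}

# COMPLIANT: public access disabled; the private endpoint below is the only path in.
resource "azurerm_cosmosdb_account" "good" {
  name                          = "cosmos-example-good"
  location                      = azurerm_resource_group.rg.location
  resource_group_name           = azurerm_resource_group.rg.name
  offer_type                    = "Standard"
  kind                          = "GlobalDocumentDB"
  public_network_access_enabled = false

  consistency_policy {
    consistency_level = "Session"
  }

  geo_location {
    location          = azurerm_resource_group.rg.location
    failover_priority = 0
  }
}

# Private DNS zone used by the SQL (Core) API; MongoDB/Cassandra/Gremlin/Table
# APIs use different zones and subresource names.
resource "azurerm_private_dns_zone" "cosmos" {
  name                = "privatelink.documents.azure.com"
  resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_private_dns_zone_virtual_network_link" "cosmos" {
  name                  = "link-cosmos-vnet"
  resource_group_name   = azurerm_resource_group.rg.name
  private_dns_zone_name = azurerm_private_dns_zone.cosmos.name
  virtual_network_id    = azurerm_virtual_network.vnet.id
}

resource "azurerm_private_endpoint" "cosmos" {
  name                = "pe-cosmos-example-good"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  subnet_id           = azurerm_subnet.app.id

  private_service_connection {
    name                           = "psc-cosmos-example-good"
    private_connection_resource_id = azurerm_cosmosdb_account.good.id
    is_manual_connection           = false
    subresource_names              = ["Sql"]
  }

  private_dns_zone_group {
    name                 = "cosmos-dns"
    private_dns_zone_ids = [azurerm_private_dns_zone.cosmos.id]
  }
}
```

After `terraform apply`, confirm the setting on the live account with `az cosmosdb show --name cosmos-example-good --resource-group rg-cosmos-example --query publicNetworkAccess`, which should return "Disabled". Applications running inside the linked virtual network keep using the normal account hostname; the private DNS zone resolves it to the private endpoint's address.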

References:
https://learn.microsoft.com/en-us/azure/cosmos-db/
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_account#public_network_access_enabled

Policy Details

Rule Reference ID: AC_AZURE_0316
CSP: Azure
Remediation Available: Yes
Resource Category: Database
Resource Type: Cosmos DB Account

Frameworks