Ensure that your Azure Cosmos DB accounts are configured to deny access to traffic from all networks, including the public Internet. By restricting the public access to your Azure Cosmos DB accounts, you add an additional layer of security to the account resources, as the default action is to accept requests from any source. To limit access to trusted networks and/or IP addresses only, you must update the firewall and the virtual network configuration for your Cosmos DB accounts.
PoC代码[已公开]
id: azure-cosmosdb-default-network-access-unrestricted
info:
name: Azure Cosmos DB Default Network Access Unrestricted
author: princechaddha
severity: medium
description: |
Ensure that your Azure Cosmos DB accounts are configured to deny access to traffic from all networks, including the public Internet. By restricting the public access to your Azure Cosmos DB accounts, you add an additional layer of security to the account resources, as the default action is to accept requests from any source. To limit access to trusted networks and/or IP addresses only, you must update the firewall and the virtual network configuration for your Cosmos DB accounts.
impact: |
Not restricting default network access can expose Azure Cosmos DB accounts to potential unauthorized access and security vulnerabilities from the public Internet.
remediation: |
Update the firewall settings and enable Virtual Network filtering on your Azure Cosmos DB accounts to restrict access to trusted networks and IP addresses only.
reference:
- https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-firewall-vnet
tags: cloud,devops,azure,microsoft,cosmosdb,azure-cloud-config
flow: |
code(1);
for (let CosmosDBData of iterate(template.cosmosDBAccounts)) {
set("id", CosmosDBData);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az cosmosdb list --query '[*].id' --output json
extractors:
- type: json
name: cosmosDBAccounts
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az cosmosdb show --ids $id --query "{publicNetworkAccess: publicNetworkAccess, virtualNetworkRules: virtualNetworkRules}" --output json
matchers:
- type: word
words:
- '"publicNetworkAccess": "Enabled"'
extractors:
- type: dsl
dsl:
- 'id + " is unrestricted with default network access"'
# digest: 490a0046304402201b52806f47e1c0a2e8267269a5aef2f8cd84daf085c320160c0a22c9a32f16b902204f6da44a563362ae4fc20de0be0cbbe1e4412896d6149e06a8aa4a3928ad124c:922c64590222798bb761d5b6d8e72950