More Info:

Ensure that your Microsoft Azure Cosmos DB accounts are configured to deny access to traffic from all networks, including the public Internet. By restricting the public access to your Azure Cosmos accounts, you add an additional layer of security to the account resources, as the default action is to accept requests from any source. To limit access to trusted networks and/or IP addresses only, you must update the firewall and the virtual network configuration for your Cosmos DB accounts.

Risk Level

Medium

Address

Security

Compliance Standards

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Restrict Default Network Access for Azure Cosmos DB Accounts” in Azure using the Azure console, follow these steps:
  1. Log in to the Azure portal (https://portal.azure.com/).
  2. Navigate to the Azure Cosmos DB account for which you want to restrict network access.
  3. Click on the “Firewalls and virtual networks” tab.
  4. Under the “Firewall” section, select “Enabled”.
  5. Under the “Virtual networks” section, select the virtual network that you want to allow access to.
  6. Under the “Subnets” section, select the subnet that you want to allow access to.
  7. Click on “Save” to apply the changes.
By following these steps, you have successfully remediated the misconfiguration “Restrict Default Network Access for Azure Cosmos DB Accounts” in Azure using the Azure console.

To remediate the misconfiguration “Restrict Default Network Access for Azure Cosmos DB Accounts” in Azure using Azure CLI, follow the below steps:
  1. Open the Azure CLI on your local machine or use the Azure Cloud Shell.
  2. Login to your Azure account using the command az login.
  3. Once logged in, select the subscription you want to work with using the command az account set --subscription <subscription_id>.
  4. Get the list of Cosmos DB accounts in the selected subscription using the command az cosmosdb list.
  5. Choose the Cosmos DB account for which you want to restrict default network access.
  6. Run the following command to update the Cosmos DB account settings to restrict default network access:
az cosmosdb update \
    --name <cosmos_db_account_name> \
    --resource-group <resource_group_name> \
    --default-consistency-level <consistency_level> \
    --disable-key-based-metadata-write-access true \
    --enable-automatic-failover true \
    --enable-multiple-write-locations true \
    --locations regionName=<region_name> isZoneRedundant=False \
    --max-interval 10 \
    --max-staleness-prefix 200 \
    --max-staleness-seconds 300 \
    --network-acl-bypass AzureServices \
    --network-acl-bypass-resource-ids /subscriptions/<subscription_id>/resourceGroups/Microsoft.Network/providers/Microsoft.Network/virtualNetworks/default \
    --virtual-network-rule "" \
    --ip-range-filter "" \
    --public-network-access Disabled
Note: Replace the placeholders <cosmos_db_account_name>, <resource_group_name>, <consistency_level>, <region_name>, and <subscription_id> with the actual values.
  1. Once the command is executed successfully, the default network access for the Cosmos DB account will be restricted.
This will remediate the misconfiguration “Restrict Default Network Access for Azure Cosmos DB Accounts” in Azure using Azure CLI.
To restrict default network access for Azure Cosmos DB Accounts using Python, you can follow these steps:
  1. Import the necessary modules:
from azure.cosmos import CosmosClient
from azure.cosmos.errors import CosmosHttpResponseError
  1. Create a Cosmos DB client instance:
endpoint = "your_cosmos_db_account_endpoint"
key = "your_cosmos_db_account_key"
client = CosmosClient(endpoint, key)
  1. Get the Cosmos DB account properties:
try:
    properties = client.ReadAccount()
except CosmosHttpResponseError as e:
    print(e)
    sys.exit(1)
  1. Check if default network access is enabled:
if properties["enableMultipleWriteLocations"]:
    print("Default network access is enabled.")
else:
    print("Default network access is disabled.")
    sys.exit(0)
  1. Disable default network access:
properties["enableMultipleWriteLocations"] = False
try:
    client.UpdateAccount(properties)
    print("Default network access has been disabled.")
except CosmosHttpResponseError as e:
    print(e)
    sys.exit(1)
The complete code will look like this:
from azure.cosmos import CosmosClient
from azure.cosmos.errors import CosmosHttpResponseError

endpoint = "your_cosmos_db_account_endpoint"
key = "your_cosmos_db_account_key"
client = CosmosClient(endpoint, key)

try:
    properties = client.ReadAccount()
except CosmosHttpResponseError as e:
    print(e)
    sys.exit(1)

if properties["enableMultipleWriteLocations"]:
    print("Default network access is enabled.")
else:
    print("Default network access is disabled.")
    sys.exit(0)

properties["enableMultipleWriteLocations"] = False
try:
    client.UpdateAccount(properties)
    print("Default network access has been disabled.")
except CosmosHttpResponseError as e:
    print(e)
    sys.exit(1)
Note: Replace “your_cosmos_db_account_endpoint” and “your_cosmos_db_account_key” with the actual values of your Cosmos DB account.