Azure audit cosmosdb restrict default network access remediation

Using Console

Using CLI

To remediate the misconfiguration “Restrict Default Network Access for Azure Cosmos DB Accounts” in Azure using Azure CLI, follow the below steps:

Open the Azure CLI on your local machine or use the Azure Cloud Shell.
Login to your Azure account using the command az login.
Once logged in, select the subscription you want to work with using the command az account set --subscription <subscription_id>.
Get the list of Cosmos DB accounts in the selected subscription using the command az cosmosdb list.
Choose the Cosmos DB account for which you want to restrict default network access.
Run the following command to update the Cosmos DB account settings to restrict default network access:

az cosmosdb update \
    --name <cosmos_db_account_name> \
    --resource-group <resource_group_name> \
    --default-consistency-level <consistency_level> \
    --disable-key-based-metadata-write-access true \
    --enable-automatic-failover true \
    --enable-multiple-write-locations true \
    --locations regionName=<region_name> isZoneRedundant=False \
    --max-interval 10 \
    --max-staleness-prefix 200 \
    --max-staleness-seconds 300 \
    --network-acl-bypass AzureServices \
    --network-acl-bypass-resource-ids /subscriptions/<subscription_id>/resourceGroups/Microsoft.Network/providers/Microsoft.Network/virtualNetworks/default \
    --virtual-network-rule "" \
    --ip-range-filter "" \
    --public-network-access Disabled

Note: Replace the placeholders <cosmos_db_account_name>, <resource_group_name>, <consistency_level>, <region_name>, and <subscription_id> with the actual values.

Once the command is executed successfully, the default network access for the Cosmos DB account will be restricted.

This will remediate the misconfiguration “Restrict Default Network Access for Azure Cosmos DB Accounts” in Azure using Azure CLI.

Using Python

To restrict default network access for Azure Cosmos DB Accounts using Python, you can follow these steps:

Import the necessary modules:

from azure.cosmos import CosmosClient
from azure.cosmos.errors import CosmosHttpResponseError

Create a Cosmos DB client instance:

endpoint = "your_cosmos_db_account_endpoint"
key = "your_cosmos_db_account_key"
client = CosmosClient(endpoint, key)

Get the Cosmos DB account properties:

try:
    properties = client.ReadAccount()
except CosmosHttpResponseError as e:
    print(e)
    sys.exit(1)

Check if default network access is enabled:

if properties["enableMultipleWriteLocations"]:
    print("Default network access is enabled.")
else:
    print("Default network access is disabled.")
    sys.exit(0)

Disable default network access:

properties["enableMultipleWriteLocations"] = False
try:
    client.UpdateAccount(properties)
    print("Default network access has been disabled.")
except CosmosHttpResponseError as e:
    print(e)
    sys.exit(1)

The complete code will look like this:

from azure.cosmos import CosmosClient
from azure.cosmos.errors import CosmosHttpResponseError

endpoint = "your_cosmos_db_account_endpoint"
key = "your_cosmos_db_account_key"
client = CosmosClient(endpoint, key)

try:
    properties = client.ReadAccount()
except CosmosHttpResponseError as e:
    print(e)
    sys.exit(1)

if properties["enableMultipleWriteLocations"]:
    print("Default network access is enabled.")
else:
    print("Default network access is disabled.")
    sys.exit(0)

properties["enableMultipleWriteLocations"] = False
try:
    client.UpdateAccount(properties)
    print("Default network access has been disabled.")
except CosmosHttpResponseError as e:
    print(e)
    sys.exit(1)

Note: Replace “your_cosmos_db_account_endpoint” and “your_cosmos_db_account_key” with the actual values of your Cosmos DB account.

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

Azure audit cosmosdb restrict default network access remediation

Triage and Remediation

Remediation