module/ConfigurationProvider/ControlConfigurations/Services/CosmosDB.json
|
{
"FeatureName": "CosmosDB", "Reference": "aka.ms/azsktcp/cosmosdb", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_CosmosDB_AuthZ_Enable_Firewall", "Description": "Cosmos DB firewall should be enabled", "Id": "CosmosDb110", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckCosmosDbFirewallState", "Rationale": "Using the firewall feature ensures that access to the data or the service is restricted to a specific set/group of clients. While this may not be feasible in all scenarios, when it can be used, it provides an extra layer of access control protection for critical assets.", "Recommendation": "Azure Portal --> Resource --> Firewall. Turn 'ON' - 'Selected Networks' and provide required IP addresses and/or ranges in the IP tab and save. Note: In case the IP range is indeterminate (for instance, if the client is a PaaS endpoint), you may need to attest this control.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "CosmosDB", "Firewall", "NetSec", "Baseline", "Weekly" ], "Enabled": true, "DisplayName": "Cosmos DB firewall should be enabled", "Category": "Deploy controls to restrict network traffic", "ControlRequirements": "Restrict network traffic flows", "ControlEvaluationDetails": { "RequiredProperties": [] }, "CustomTags": [] }, { "ControlID": "Azure_CosmosDB_AuthZ_Verify_IP_Range", "Description": "Configure only the required IP addresses on Cosmos DB firewall", "Id": "CosmosDb120", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckCosmosDbFirewallIpRange", "Rationale": "Using the firewall feature ensures that access to the data or the service is restricted to a specific set/group of clients. For effective usage, allow only the required IPs. Allowing larger ranges like 0.0.0.0/0, 0.0.0.0/1, 128.0.0.0/1, etc. will defeat the purpose.", "Recommendation": "Do not use high ranges like 0.0.0.0/0, 0.0.0.0/1, 128.0.0.0/1, etc. Maximum IPs in a range should be less than 256 and total IPs including all ranges should be less than 2048. To modify - Azure Portal --> Resource --> Firewall and Virtual networks. Turn 'ON' - 'Enable IP Access Control' and add/or remove IP addresses and/or ranges and save. Note: In case the IP range is indeterminate (for instance, if the client is a PaaS endpoint), you may need to attest this control.", "Tags": [ "SDL", "Best Practice", "Automated", "StateManagement", "AuthZ", "CosmosDB", "Firewall", "NetSec", "Baseline", "Weekly" ], "Enabled": true, "DisplayName": "Configure only the required IP addresses on Cosmos DB firewall", "Category": "Deploy controls to restrict network traffic", "ControlRequirements": "Restrict network traffic flows", "ControlEvaluationDetails": { "RequiredProperties": [] }, "ControlSettings": { "IpLimitPerDb": 2048, "IpLimitPerRange": 256 }, "CustomTags": [] }, { "ControlID": "Azure_CosmosDB_Config_Default_Consistency", "Description": "Do not use 'Eventual' consistency", "Id": "CosmosDb130", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckCosmosDbConsistency", "Rationale": "Using Eventual consistency might cause undesired effects due to its ordering guarantees. This consistency is the weakest of all and the values returned in reads are always not guaranteed to be latest write.", "Recommendation": "Using Eventual consistency might cause undesired effects due to its ordering guarantees. To modify - Azure Portal --> Resource --> Default consistency. Select 'Session' and save. Refer: https://docs.microsoft.com/en-in/azure/cosmos-db/consistency-levels", "Tags": [ "SDL", "Best Practice", "Automated", "Config", "CosmosDB", "Baseline" ], "Enabled": false, "PolicyDefinitionGuid": "CosmosDb130", "ControlSettings": { "RestrictedConsistencyLevel": "Eventual" }, "CustomTags": [] }, { "ControlID": "Azure_CosmosDB_Deploy_Use_Replication", "Description": "Use global replication", "Id": "CosmosDb140", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckCosmosDbReplication", "Rationale": "Replication ensures continuity and rapid recovery during disasters.", "Recommendation": "Replication ensures the continuity and rapid recovery during disasters. To add - Azure Portal --> Resource -> Replicate data globally. Select a secondary read region and save. Refer: https://docs.microsoft.com/en-in/azure/cosmos-db/distribute-data-globally", "Tags": [ "SDL", "Best Practice", "Automated", "Deploy", "CosmosDB", "Baseline", "Weekly" ], "Enabled": true, "DisplayName": "Use global replication", "Category": "Vulnerabilities must be remediated", "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance", "ControlEvaluationDetails": { "RequiredProperties": [] }, "CustomTags": [] }, { "ControlID": "Azure_CosmosDB_Deploy_Use_Automatic_Failover", "Description": "Use automatic failover", "Id": "CosmosDb150", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckCosmosDbAutomaticFailover", "Rationale": "Automatic failover ensures continuity and auto recovery during disasters.", "Recommendation": "Automatic failover ensures the continuity and auto recovery during disasters. To configure, you must have at least 1 secondary replica enabled. To enabled replica - Azure Portal --> Resource -> Replicate data globally. Select a secondary read region and save. To set automatic failover - Azure Portal --> Resource -> Replicate data globally --> Automatic Failover. Turn 'ON' - 'Enable Automatic Failover', set the priorities and click 'OK'.", "Tags": [ "SDL", "Best Practice", "Automated", "Deploy", "CosmosDB", "Baseline", "Weekly" ], "Enabled": true, "DisplayName": "Use automatic failover", "Category": "Vulnerabilities must be remediated", "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance", "ControlEvaluationDetails": { "RequiredProperties": [] }, "CustomTags": [] }, { "ControlID": "Azure_CosmosDB_Enable_Adv_Threat_Protection", "Description": "Threat Protection for Azure Cosmos DB provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit Azure Cosmos DB accounts.", "Id": "CosmosDb350", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckCosmosDbAdvThreatProtection", "Rationale": "Threat Protection for Azure Cosmos DB provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit Azure Cosmos DB accounts.", "Recommendation": "From Azure Portal: Refer https://docs.microsoft.com/en-us/azure/cosmos-db/cosmos-db-advanced-threat-protection.", "DisplayName": "Enable Threat detection for CosmosDB database", "Category": "Monitoring must be enabled", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "Tags": [ "SDL", "Best Practice", "Development", "DP", "CosmosDB", "Baseline", "Weekly" ], "Enabled": true, "ControlSettings": { "ApplicableApiTypes": [ "Sql" ] }, "ControlEvaluationDetails": { "RequiredProperties": [ "AdvThreatProtection" ] }, "CustomTags": [ "P2", "Wave99", "SN:CosmosDB_TDE" ] }, { "ControlID": "Azure_CosmosDB_NetSec_Enable_Firewall_Rules_MCSB", "Description": "[MCSB] Azure Cosmos DB accounts should have firewall rules", "Id": "CosmosDb360", "ControlSeverity": "High", "Automated": "Yes", "DisplayName": "[MCSB] Azure Cosmos DB accounts should have firewall rules", "Category": "Deploy controls to restrict network traffic", "ControlRequirements": "Restrict network traffic flows", "ControlScanSource": "MDC", "Rationale": "Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant.", "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-configure-firewall#configure-ip-policy", "AssessmentProperties": { "AssessmentNames": [ "276b1952-c364-852b-11e5-657f0fa34dc6" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." } ] }, "Tags": [ "SDL", "TCP", "Automated", "NetSec", "Baseline", "CosmosDB" ], "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_CosmosDB_DP_Enable_Encryption_With_Customer_Managed_Keys_MCSB", "Description": "[MCSB] Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest", "Id": "CosmosDb370", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest", "Category": "Encrypt data in transit", "ControlRequirements": "Data must be encrypted in transit and at rest", "Rationale": "Data Encryption ensures that sensitive data is stored encrypted at rest. This minimizes the risk of data loss from physical theft and also helps meet regulatory compliance requirements. And by using a customer-managed key, you can supplement default encryption with an additional encryption layer.", "Recommendation": "To use customer managed keys in Azure Cosmos DB, please refer : https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-customer-managed-keys?tabs=azure-portal", "Tags": [ "CosmosDB", "Automated", "Baseline", "DP" ], "AssessmentProperties": { "AssessmentNames": [ "814df446-7128-eff0-9177-fa52ac035b74" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." } ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_CosmosDB_DP_Use_Secure_TLS_Version", "Description": "Use approved version of TLS for the Cosmos DB", "Id": "CosmosDb390", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckCosmosDBTLSVersion", "DisplayName": "Use approved version of TLS for the Cosmos DB", "Category": "Encrypt data in transit", "ControlRequirements": "Data must be encrypted in transit and at rest", "Rationale": "TLS provides confidentiality and data integrity between client and server. Using approved TLS version significantly reduces risks from security design issues and security bugs that may be present in older versions.", "Recommendation": "To set required TLS version: Go to Azure Portal --> your CosmosDB --> Settings --> Networking --> Connectivity --> Minimum Transport layer security protocol dropdown. Select the required TLS version from the dropdown.", "Tags": [ "Automated", "DP", "CosmosDB", "Baseline" ], "ControlEvaluationDetails": { "RequiredProperties": [ "MinTLSVersion" ] }, "Enabled": true, "ControlScanSource": "Reader", "ControlSettings": { "MinReqTLSVersion": "1.2" }, "CustomTags": [ "Daily", "TenantBaseline", "MSD", "TBv10", "TRWave4", "TRPreview", "TRBaseline", "CAIPreview", "EDPreview", "SMTPreview", "SN:CosmosDB_TLS", "CAIWave1" ] }, { "ControlID": "Azure_CosmosDB_SI_Rotate_Access_Keys", "Description": "Azure Cosmos Account access keys should be rotated on periodic basis", "Id": "CosmosDb380", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "checkKeyRotationPeriod", "ControlScanSource": "Reader", "DisplayName": "Azure Cosmos Account access keys should be rotated on periodic basis", "Category": "Authentication must be enabled on all user accounts and services", "ControlRequirements": "Access keys must be rotated periodically to mitigate the risks arising due to key compromise to ensure the continued protection of sensitive data", "Rationale": "Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.", "Recommendation": "To Rotate 'Keys' for Azure CosmosDB, Go to Azure Portal -> Your Cosmos Account -> settings -> keys/connection strings -> choose the key you want to rotate and press refresh.", "Tags": [ "CosmosDB", "Automated", "Baseline", "DP" ], "ControlEvaluationDetails": { "RequiredProperties": [ "DisableLocalAuth" ] }, "ControlSettings": { "RecommendedKeyRotationPeriodInDays": "90" }, "Enabled": true, "CustomTags": [ "Weekly" ] }, { "ControlID": "Azure_CosmosDB_DP_Rotate_Read_Master_Key", "Description": "Azure Cosmos DB account read master keys must be rotated on a periodic basis", "Id": "CosmosDb410", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckCosmosDBReadMasterKeyRotation", "ControlScanSource": "Reader", "DisplayName": "Azure Cosmos DB account read master keys must be rotated on a periodic basis", "Category": "Security Hygiene best practices", "ControlRequirements": "Access keys must be rotated periodically to mitigate the risks arising due to key compromise to ensure the continued protection of sensitive data", "Rationale": "Rotating read master keys will reduce risk of unauthorized access and limit the window of opportunity for keys that are associated with a compromised or terminated account.", "Recommendation": "To Rotate 'Read Master Keys' for Azure CosmosDB, Go to Azure Portal -> Your Cosmos Account -> Settings -> Keys -> Read-only Keys -> Choose the read key you want to rotate and click regenerate.", "Tags": [ "CosmosDB", "Baseline", "DP", "Best Practice" ], "ControlEvaluationDetails": { "RequiredProperties": [ "DisableLocalAuth" ] }, "ControlSettings": { "RecommendedKeyRotationPeriodInDays": "365" }, "Enabled": true, "CustomTags": [ "Daily", "SN:CosmosDB_RotateKeys", "TenantBaseline", "TBv13" ] }, { "ControlID": "Azure_CosmosDB_Audit_Enable_Diagnostic_Settings", "Description": "Diagnostics logs must be enabled on Azure Cosmos DB", "Id": "CosmosDb400", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckDiagnosticsSettings", "DisplayName": "Diagnostics logs must be enabled on Azure Cosmos DB", "Category": "Monitoring must be correctly configured", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "Rationale": "Auditing logs and metrics must be enabled as they provide details for investigation in case of a security breach for threats", "Recommendation": "You can change the diagnostic settings from the Azure Portal by following the steps given here: https://learn.microsoft.com/en-us/azure/cosmos-db/monitor-resource-logs?tabs=azure-portal#create-diagnostic-settings and while updating the diagnostic settings ['DataPlaneRequests', 'ControlPlaneRequests'] category of logs and minimum required retention period is of 90 days", "Tags": [ "CosmosDB", "Automated", "Baseline", "Audit", "Diagnostics" ], "ControlEvaluationDetails": { "RequiredProperties": [ "DiagnosticSettings" ] }, "Enabled": true, "ControlSettings": { "DiagnosticForeverRetentionValue": "0", "DiagnosticMinRetentionPeriod": "90", "DiagnosticLogs": [ "DataPlaneRequests", "ControlPlaneRequests" ] }, "CustomTags": [ "Weekly" ] }, { "ControlID": "Azure_CosmosDB_AuthZ_Disable_KeyBased_Metadata_Write_Access", "Description": "Key based metadata write access must be disabled on Azure Cosmos DB", "Id": "CosmosDb500", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckKeyBasedMetadataWriteAccess", "DisplayName": "Key based metadata write access must be disabled on Azure Cosmos DB", "Category": "AAD Authentication must be enabled on all user accounts and services", "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms", "Rationale": "Write-Keys primary/secondary once leaked can be used by attackers to gain complete control over azure cosmos DB account management.", "Recommendation": "To disable key based metadata write access please follow the steps mentioned here: https://learn.microsoft.com/en-us/azure/cosmos-db/role-based-access-control#set-via-powershell. Azure CLI, powershell or azure portal can be used to perform management operations after disabling key based metadata write access on cosmos DB account.", "Tags": [ "CosmosDB", "Automated", "Baseline" ], "Enabled": true, "CustomTags": [ "Weekly" ] }, { "ControlID": "Azure_CosmosDB_NetSec_Restrict_Public_Network_Access", "Description": "Restrict public network access for Azure Cosmos DB", "Id": "CosmosDb510", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "RestrictCosmosPublicNetworkAccess", "DisplayName": "Restrict public network access for Azure Cosmos DB", "Category": "Deploy controls to restrict network traffic", "ControlRequirements": "Restrict network traffic flows", "Rationale": "Access to Azure Cosmos DB Resource from public network must be restricted. This will prevent unauthorized access on the resource outside of network boundaries.", "Recommendation": "It is recommended that IP firewall (https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-configure-firewall) or Private endpoints (https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints?tabs=arm-bicep) or Virtual Networks (https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-configure-vnet-service-endpoint) be used instead of complete public accessibility enabled.", "Tags": [ "CosmosDB", "NetSec", "Baseline" ], "ControlEvaluationDetails": { "RequiredProperties": [ "PublicNetworkAccessSetting", "isVirtualNetworkFilterEnabledField" ] }, "Enabled": true, "ControlSettings": { "PossibleAddressSpaceSize": "3702258432", "AllowedPercentageCoverage": "2", "ItemsInAdditionalInformation": "10" }, "CustomTags": [ "Daily", "SN:CosmosDB_RestrictPublicAccess", "TenantBaseline", "TBv13" ] } ] } |