standard
turbot/azure_cis
Get Involved
Version
Pipeline: 5.4.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
Description
Limiting your Cosmos DB to only communicate on whitelisted networks lowers its attack footprint.
Selecting certain networks for your Cosmos DB to communicate restricts the number of networks including the internet that can interact with what is stored within the database.
Remediation
From Azure Portal
- Open the portal menu.
- Select the Azure Cosmos DB blade.
- Select a Cosmos DB account to audit.
- Select
Networking. - Under
Public network access, selectSelected networks. - Under
Virtual networks, select+ Add existing virtual networkor+ Add a new virtual network. - For existing networks, select subscription, virtual network, subnet and click
Add. For new networks, provide a name, update the default values if required, and clickCreate. - Click
Save.
Default Value
By default, Cosmos DBs are set to have access all networks.
Run the pipeline
To run this pipeline from your terminal:
flowpipe pipeline run azure_cis.pipeline.cis_v300_5_4_1Use this pipeline
To call this pipeline from your pipeline, use a step:
step "pipeline" "step_name" { pipeline = azure_cis.pipeline.cis_v300_5_4_1 }Params
| Name | Type | Required | Description | Default |
|---|---|---|---|---|
| database | connection.steampipe | Yes | Database connection string. | connection.steampipe.default |
| notifier | notifier | Yes | The name of the notifier to use for sending notification messages. | notifier.default |
| notification_level | string | Yes | The verbosity level of notification messages to send. Valid options are 'verbose', 'info', 'error'. | info |
Outputs
This pipeline has no outputs.
Tags
folder = CIS v3.0.0/5 Database Services/5.4 Azure Cosmos DB