Azure Cosmos DB Default Network Access Unrestricted
ID: azure-cosmosdb-default-network-access-unrestricted
Severity: medium
Author: princechaddha
Tags: cloud,devops,azure,microsoft,cosmosdb,azure-cloud-config
Description
Section titled “Description”Ensure that your Azure Cosmos DB accounts are configured to deny access to traffic from all networks, including the public Internet. By restricting the public access to your Azure Cosmos DB accounts, you add an additional layer of security to the account resources, as the default action is to accept requests from any source. To limit access to trusted networks and/or IP addresses only, you must update the firewall and the virtual network configuration for your Cosmos DB accounts.
YAML Source
Section titled “YAML Source”id: azure-cosmosdb-default-network-access-unrestrictedinfo: name: Azure Cosmos DB Default Network Access Unrestricted author: princechaddha severity: medium description: | Ensure that your Azure Cosmos DB accounts are configured to deny access to traffic from all networks, including the public Internet. By restricting the public access to your Azure Cosmos DB accounts, you add an additional layer of security to the account resources, as the default action is to accept requests from any source. To limit access to trusted networks and/or IP addresses only, you must update the firewall and the virtual network configuration for your Cosmos DB accounts. impact: | Not restricting default network access can expose Azure Cosmos DB accounts to potential unauthorized access and security vulnerabilities from the public Internet. remediation: | Update the firewall settings and enable Virtual Network filtering on your Azure Cosmos DB accounts to restrict access to trusted networks and IP addresses only. reference: - https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-firewall-vnet tags: cloud,devops,azure,microsoft,cosmosdb,azure-cloud-config
flow: | code(1); for (let CosmosDBData of iterate(template.cosmosDBAccounts)) { set("id", CosmosDBData); code(2); }
self-contained: truecode: - engine: - sh - bash source: | az cosmosdb list --query '[*].id' --output json
extractors: - type: json name: cosmosDBAccounts internal: true json: - '.[]'
- engine: - sh - bash source: | az cosmosdb show --ids $id --query '{"ipRules":ipRules,"isVirtualNetworkFilterEnabled":isVirtualNetworkFilterEnabled}' --output json
matchers-condition: and matchers: - type: word words: - '"isVirtualNetworkFilterEnabled": false'
- type: word words: - '"ipRules": []' - '"ipRules": null'
extractors: - type: dsl dsl: - 'id + " is unrestricted with default network access"'# digest: 4a0a00473045022100cb26538e8bb7b97b94d92971d4e07f524f8f431339a982d078f398a65314724902201a2efdf52b03527c0d8f1a9c4816e041ec52fb0b74bf63e8481dfc0a679f9d4c:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/azure/cosmosdb/azure-cosmosdb-default-network-access-unrestricted.yaml"