mirror of https://github.com/prowler-cloud/prowler.git (synced 2026-01-25 02:08:11 +00:00)
chore(azure): enhance metadata for cosmosdb service (#9616)
Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>
committed by GitHub
parent 77dc79df32
commit b6a34d2220
@@ -14,6 +14,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
|
|||||||
- Update Azure App Service service metadata to new format [(#9613)](https://github.com/prowler-cloud/prowler/pull/9613)
|
- Update Azure App Service service metadata to new format [(#9613)](https://github.com/prowler-cloud/prowler/pull/9613)
|
||||||
- Update Azure Application Insights service metadata to new format [(#9614)](https://github.com/prowler-cloud/prowler/pull/9614)
|
- Update Azure Application Insights service metadata to new format [(#9614)](https://github.com/prowler-cloud/prowler/pull/9614)
|
||||||
- Update Azure Container Registry service metadata to new format [(#9615)](https://github.com/prowler-cloud/prowler/pull/9615)
|
- Update Azure Container Registry service metadata to new format [(#9615)](https://github.com/prowler-cloud/prowler/pull/9615)
|
||||||
|
- Update Azure Cosmos DB service metadata to new format [(#9616)](https://github.com/prowler-cloud/prowler/pull/9616)
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
|||||||
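Review bot: the changelog entry records only a metadata format update, but this commit also raises the severity of cosmosdb_account_use_aad_and_rbac and cosmosdb_account_use_private_endpoints from medium to high, which changes what users see in their reports; consider a separate changelog line for the severity changes under the same PR reference (#9616).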
@@ -1,30 +1,38 @@
|
|||||||
{
|
{
|
||||||
"Provider": "azure",
|
"Provider": "azure",
|
||||||
"CheckID": "cosmosdb_account_firewall_use_selected_networks",
|
"CheckID": "cosmosdb_account_firewall_use_selected_networks",
|
||||||
"CheckTitle": "Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks",
|
"CheckTitle": "Cosmos DB account firewall allows access only from selected networks",
|
||||||
"CheckType": [],
|
"CheckType": [],
|
||||||
"ServiceName": "cosmosdb",
|
"ServiceName": "cosmosdb",
|
||||||
"SubServiceName": "",
|
"SubServiceName": "",
|
||||||
"ResourceIdTemplate": "",
|
"ResourceIdTemplate": "",
|
||||||
"Severity": "medium",
|
"Severity": "medium",
|
||||||
"ResourceType": "CosmosDB",
|
"ResourceType": "microsoft.documentdb/databaseaccounts",
|
||||||
"ResourceGroup": "database",
|
"ResourceGroup": "database",
|
||||||
"Description": "Limiting your Cosmos DB to only communicate on whitelisted networks lowers its attack footprint.",
|
"Description": "**Azure Cosmos DB accounts** limit connectivity to **selected networks** using virtual network rules and/or IP allowlists rather than permitting access from all networks.\n\nThe evaluation determines whether the account's network firewall enforces this restriction.",
|
||||||
"Risk": "Selecting certain networks for your Cosmos DB to communicate restricts the number of networks including the internet that can interact with what is stored within the database.",
|
"Risk": "Access from all networks enlarges the attack surface. If keys or tokens are exposed or privileges are misconfigured, attackers anywhere can read or modify data, harming **confidentiality** and **integrity**.\n\nWeak segmentation also enables SSRF/pivot paths from Azure services and can impact **availability** through abuse.",
|
||||||
"RelatedUrl": "https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints",
|
"RelatedUrl": "",
|
||||||
|
"AdditionalURLs": [
|
||||||
|
"https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-configure-vnet-service-endpoint",
|
||||||
|
"https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-configure-firewall",
|
||||||
|
"https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal"
|
||||||
|
],
|
||||||
"Remediation": {
|
"Remediation": {
|
||||||
"Code": {
|
"Code": {
|
||||||
"CLI": "az cosmosdb database list / az cosmosdb show <database id> **isVirtualNetworkFilterEnabled should be set to true**",
|
"CLI": "az cosmosdb network-rule add -g <RESOURCE_GROUP> -n <ACCOUNT_NAME> --subnet <example_resource_id>",
|
||||||
"NativeIaC": "",
|
"NativeIaC": "```bicep\n// Enable selected networks only by turning on VNet filter and adding one allowed subnet\nresource cosmos 'Microsoft.DocumentDB/databaseAccounts@2025-10-15' = {\n name: '<example_resource_name>'\n location: '<LOCATION>'\n properties: {\n databaseAccountOfferType: 'Standard'\n locations: [{ locationName: '<LOCATION>'; failoverPriority: 0 }]\n isVirtualNetworkFilterEnabled: true // CRITICAL: Enables VNet firewall (selected networks only)\n virtualNetworkRules: [\n {\n id: '<example_resource_id>' // CRITICAL: Subnet resource ID allowed to access the account\n }\n ]\n }\n}\n```",
|
||||||
"Other": "",
|
"Other": "1. In Azure Portal, open your Cosmos DB account\n2. Go to Settings > Networking\n3. Select Selected networks\n4. Click Add existing virtual network, choose the VNet and Subnet, then click Enable and Add\n5. Click Save",
|
||||||
"Terraform": ""
|
"Terraform": "```hcl\n# Enable Cosmos DB VNet firewall and allow a specific subnet\nresource \"azurerm_cosmosdb_account\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n location = azurerm_resource_group.<example_resource_name>.location\n resource_group_name = azurerm_resource_group.<example_resource_name>.name\n offer_type = \"Standard\"\n kind = \"GlobalDocumentDB\"\n\n consistency_policy { consistency_level = \"Session\" }\n geo_location { location = azurerm_resource_group.<example_resource_name>.location failover_priority = 0 }\n\n is_virtual_network_filter_enabled = true # CRITICAL: Enforces selected networks only\n virtual_network_rule {\n id = \"<example_resource_id>\" # CRITICAL: Subnet resource ID allowed to access the account\n }\n}\n```"
|
||||||
},
|
},
|
||||||
"Recommendation": {
|
"Recommendation": {
|
||||||
"Text": "1. Open the portal menu. 2. Select the Azure Cosmos DB blade. 3. Select a Cosmos DB account to audit. 4. Select Networking. 5. Under Public network access, select Selected networks. 6. Under Virtual networks, select + Add existing virtual network or + Add a new virtual network. 7. For existing networks, select subscription, virtual network, subnet and click Add. For new networks, provide a name, update the default values if required, and click Create. 8. Click Save.",
|
"Text": "Set network access to `Selected networks` with **least privilege**:\n- Prefer **private endpoints** or VNet service endpoints with subnet ACLs\n- Keep IP allowlists minimal; avoid `0.0.0.0`\n- *When feasible*, set `publicNetworkAccess=Disabled` with Private Link\n- Apply **defense in depth** and monitor access and firewall changes",
|
||||||
"Url": "https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal"
|
"Url": "https://hub.prowler.com/check/cosmosdb_account_firewall_use_selected_networks"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"Categories": [],
|
"Categories": [
|
||||||
|
"internet-exposed",
|
||||||
|
"trust-boundaries"
|
||||||
|
],
|
||||||
"DependsOn": [],
|
"DependsOn": [],
|
||||||
"RelatedTo": [],
|
"RelatedTo": [],
|
||||||
"Notes": "Failure to whitelist the correct networks will result in a connection loss."
|
"Notes": "Failure to whitelist the correct networks will result in a connection loss."
|
||||||
|
|||||||
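Review bot: the Terraform snippet in Remediation.Code.Terraform has a syntax error: `geo_location { location = azurerm_resource_group.<example_resource_name>.location failover_priority = 0 }` puts two attributes on one line, which HCL rejects; split them onto separate lines. The Bicep snippet's `locations: [{ locationName: '<LOCATION>'; failoverPriority: 0 }]` uses a semicolon where a single-line Bicep object takes a comma. Also, the third AdditionalURLs entry (storage-network-security) documents Azure Storage rather than Cosmos DB and looks carried over from the old Recommendation.Url; drop it or replace it with the Cosmos DB networking page.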
@@ -1,30 +1,36 @@
|
|||||||
{
|
{
|
||||||
"Provider": "azure",
|
"Provider": "azure",
|
||||||
"CheckID": "cosmosdb_account_use_aad_and_rbac",
|
"CheckID": "cosmosdb_account_use_aad_and_rbac",
|
||||||
"CheckTitle": "Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible.",
|
"CheckTitle": "Cosmos DB account has local authentication disabled and uses Azure AD authentication with Azure RBAC",
|
||||||
"CheckType": [],
|
"CheckType": [],
|
||||||
"ServiceName": "cosmosdb",
|
"ServiceName": "cosmosdb",
|
||||||
"SubServiceName": "",
|
"SubServiceName": "",
|
||||||
"ResourceIdTemplate": "",
|
"ResourceIdTemplate": "",
|
||||||
"Severity": "medium",
|
"Severity": "high",
|
||||||
"ResourceType": "CosmosDB",
|
"ResourceType": "microsoft.documentdb/databaseaccounts",
|
||||||
"ResourceGroup": "database",
|
"ResourceGroup": "database",
|
||||||
"Description": "Cosmos DB can use tokens or AAD for client authentication which in turn will use Azure RBAC for authorization. Using AAD is significantly more secure because AAD handles the credentials and allows for MFA and centralized management, and the Azure RBAC better integrated with the rest of Azure.",
|
"Description": "**Azure Cosmos DB accounts** configured to use **Microsoft Entra ID** with **Azure RBAC** by disabling key-based credentials (`disableLocalAuth=true`). Clients authenticate with identities rather than account keys.",
|
||||||
"Risk": "AAD client authentication is considerably more secure than token-based authentication because the tokens must be persistent at the client. AAD does not require this.",
|
"Risk": "With local/key-based auth enabled, **long-lived account keys** can be leaked or shared, enabling unauthorized reads/writes and tampering. Access bypasses **MFA** and granular **RBAC**, hindering rotation/revocation and increasing persistence and lateral movement risks.",
|
||||||
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/cosmos-db/role-based-access-control",
|
"RelatedUrl": "",
|
||||||
|
"AdditionalURLs": [
|
||||||
|
"https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-connect-role-based-access-control?pivots=azure-cli"
|
||||||
|
],
|
||||||
"Remediation": {
|
"Remediation": {
|
||||||
"Code": {
|
"Code": {
|
||||||
"CLI": "",
|
"CLI": "az resource update --resource-group <RESOURCE_GROUP> --name <COSMOS_ACCOUNT_NAME> --resource-type Microsoft.DocumentDB/databaseAccounts --set properties.disableLocalAuth=true",
|
||||||
"NativeIaC": "",
|
"NativeIaC": "```bicep\n// Bicep: Disable local (key-based) auth on a Cosmos DB account\nresource account 'Microsoft.DocumentDB/databaseAccounts@2025-10-15' = {\n name: '<example_resource_name>'\n location: resourceGroup().location\n kind: 'GlobalDocumentDB'\n properties: {\n databaseAccountOfferType: 'Standard'\n locations: [{ locationName: resourceGroup().location }]\n disableLocalAuth: true // Critical: Disables key-based auth to enforce Entra ID + Azure RBAC\n }\n}\n```",
|
||||||
"Other": "",
|
"Other": "1. Sign in to the Azure portal and open your Cosmos DB account\n2. In the left menu, select Keys\n3. Turn on Disable key-based authentication (Disable local authentication)\n4. Click Save",
|
||||||
"Terraform": ""
|
"Terraform": "```hcl\n# Terraform: Disable local (key-based) auth on a Cosmos DB account\nresource \"azurerm_cosmosdb_account\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<example_resource_name>\"\n location = \"<example_resource_name>\"\n offer_type = \"Standard\"\n kind = \"GlobalDocumentDB\"\n\n geo_location {\n location = \"<example_resource_name>\"\n failover_priority = 0\n }\n\n local_authentication_disabled = true # Critical: Disables key-based auth to enforce Entra ID + RBAC\n}\n```"
|
||||||
},
|
},
|
||||||
"Recommendation": {
|
"Recommendation": {
|
||||||
"Text": "Map all the resources that currently access to the Azure Cosmos DB account with keys or access tokens. Create an Azure Active Directory (AAD) identity for each of these resources: For Azure resources, you can create a managed identity . You may choose between system-assigned and user-assigned managed identities. For non-Azure resources, create an AAD identity. Grant each AAD identity the minimum permission it requires. When possible, we recommend you use one of the 2 built-in role definitions: Cosmos DB Built-in Data Reader or Cosmos DB Built-in Data Contributor. Validate that the new resource is functioning correctly. After new permissions are granted to identities, it may take a few hours until they propagate. When all resources are working correctly with the new identities, continue to the next step. You can use the az resource update powershell command: $cosmosdbname = 'cosmos-db-account-name' $resourcegroup = 'resource-group-name' $cosmosdb = az cosmosdb show --name $cosmosdbname --resource-group $resourcegroup | ConvertFrom-Json az resource update --ids $cosmosdb.id --set properties.disableLocalAuth=true --latest- include-preview",
|
"Text": "Disable local authentication by setting `disableLocalAuth=true` and require **Entra ID + Azure RBAC** for control and data access. Use **managed identities**, apply **least privilege** roles, retire shared keys, and enforce **zero trust** with conditional access and short-lived credentials.",
|
||||||
"Url": "https://learn.microsoft.com/en-us/azure/cosmos-db/role-based-access-control"
|
"Url": "https://hub.prowler.com/check/cosmosdb_account_use_aad_and_rbac"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"Categories": [],
|
"Categories": [
|
||||||
|
"identity-access",
|
||||||
|
"secrets"
|
||||||
|
],
|
||||||
"DependsOn": [],
|
"DependsOn": [],
|
||||||
"RelatedTo": [],
|
"RelatedTo": [],
|
||||||
"Notes": ""
|
"Notes": ""
|
||||||
|
|||||||
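Review bot: the placeholders in Remediation.Code.Terraform are misleading: `resource_group_name`, `location` and `geo_location.location` are all set to "<example_resource_name>", so a reader copying the block would put a resource name where a region belongs; use distinct placeholders such as <RESOURCE_GROUP> and <LOCATION>, as the CLI line in this file already does. The Bicep `locations` entry omits `failoverPriority: 0`, which the firewall check's snippet includes; keep the two consistent. Minor: CheckTitle says "Azure AD authentication" while Description and Recommendation say "Entra ID"; pick one name.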
@@ -1,30 +1,37 @@
|
|||||||
{
|
{
|
||||||
"Provider": "azure",
|
"Provider": "azure",
|
||||||
"CheckID": "cosmosdb_account_use_private_endpoints",
|
"CheckID": "cosmosdb_account_use_private_endpoints",
|
||||||
"CheckTitle": "Ensure That Private Endpoints Are Used Where Possible",
|
"CheckTitle": "Cosmos DB account uses private endpoint connections",
|
||||||
"CheckType": [],
|
"CheckType": [],
|
||||||
"ServiceName": "cosmosdb",
|
"ServiceName": "cosmosdb",
|
||||||
"SubServiceName": "",
|
"SubServiceName": "",
|
||||||
"ResourceIdTemplate": "",
|
"ResourceIdTemplate": "",
|
||||||
"Severity": "medium",
|
"Severity": "high",
|
||||||
"ResourceType": "CosmosDB",
|
"ResourceType": "microsoft.documentdb/databaseaccounts",
|
||||||
"ResourceGroup": "database",
|
"ResourceGroup": "database",
|
||||||
"Description": "Private endpoints limit network traffic to approved sources.",
|
"Description": "**Azure Cosmos DB accounts** are assessed for **private endpoint connections** that keep data-plane traffic on private IPs within authorized virtual networks.",
|
||||||
"Risk": "For sensitive data, private endpoints allow granular control of which services can communicate with Cosmos DB and ensure that this network traffic is private. You set this up on a case by case basis for each service you wish to be connected.",
|
"Risk": "Without **private endpoints**, access may use public endpoints or broad IP rules, enabling:\n- interception and credential replay\n- unauthorized queries and data exfiltration\n- lateral movement via exposed paths\n\nThis degrades **confidentiality** and can impact **availability** under abusive traffic.",
|
||||||
"RelatedUrl": "https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints",
|
"RelatedUrl": "",
|
||||||
|
"AdditionalURLs": [
|
||||||
|
"https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints?tabs=arm-bicep",
|
||||||
|
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/CosmosDB/use-private-endpoints.html"
|
||||||
|
],
|
||||||
"Remediation": {
|
"Remediation": {
|
||||||
"Code": {
|
"Code": {
|
||||||
"CLI": "",
|
"CLI": "az network private-endpoint create --name <example_resource_name> --resource-group <example_resource_name> --vnet-name <example_resource_name> --subnet <example_resource_name> --private-connection-resource-id /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<example_resource_name>/providers/Microsoft.DocumentDB/databaseAccounts/<example_resource_name> --group-ids Sql --connection-name <example_resource_name>",
|
||||||
"NativeIaC": "",
|
"NativeIaC": "```bicep\n// Create a Private Endpoint to a Cosmos DB account (adds a private endpoint connection)\nresource pe 'Microsoft.Network/privateEndpoints@2025-05-01' = {\n name: '<example_resource_name>'\n location: resourceGroup().location\n properties: {\n subnet: { id: '<example_subnet_id>' }\n privateLinkServiceConnections: [\n {\n name: 'conn'\n properties: {\n privateLinkServiceId: '<example_cosmosdb_account_id>' // CRITICAL: attaches PE to the Cosmos DB account\n groupIds: ['Sql'] // CRITICAL: targets Cosmos DB NoSQL subresource so the connection is created\n }\n }\n ]\n }\n}\n```",
|
||||||
"Other": "",
|
"Other": "1. In Azure Portal, open your Cosmos DB account\n2. Go to Networking > Private access\n3. Click + Private endpoint\n4. Resource type: Microsoft.AzureCosmosDB/databaseAccounts; Resource: select your account; Target subresource: Sql\n5. Select your Virtual network and Subnet\n6. Click Review + create, then Create\n7. Verify the private endpoint connection appears under Networking > Private access",
|
||||||
"Terraform": ""
|
"Terraform": "```hcl\n# Create a Private Endpoint to a Cosmos DB account (adds a private endpoint connection)\nresource \"azurerm_private_endpoint\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n location = \"<location>\"\n resource_group_name = \"<example_resource_name>\"\n subnet_id = \"<example_subnet_id>\"\n\n private_service_connection {\n name = \"<example_resource_name>\"\n private_connection_resource_id = \"<example_cosmosdb_account_id>\" # CRITICAL: Cosmos DB account ID\n subresource_names = [\"Sql\"] # CRITICAL: targets Cosmos DB subresource to create the connection\n }\n}\n```"
|
||||||
},
|
},
|
||||||
"Recommendation": {
|
"Recommendation": {
|
||||||
"Text": "1. Open the portal menu. 2. Select the Azure Cosmos DB blade. 3. Select the Azure Cosmos DB account. 4. Select Networking. 5. Select Private access. 6. Click + Private Endpoint. 7. Provide a Name. 8. Click Next. 9. From the Resource type drop down, select Microsoft.AzureCosmosDB/databaseAccounts. 10. From the Resource drop down, select the Cosmos DB account. 11. Click Next. 12. Provide appropriate Virtual Network details. 13. Click Next. 14. Provide appropriate DNS details. 15. Click Next. 16. Optionally provide Tags. 17. Click Next : Review + create. 18. Click Create.",
|
"Text": "Adopt **Azure Private Link** for Cosmos DB:\n- Create private endpoints for required subresources\n- Link a private DNS zone so clients resolve to private IPs\n- Set `PublicNetworkAccess=Disabled`; keep tight firewall rules\n- Allow only needed VNets/subnets; apply NSGs\n- Enforce least privilege and monitor access patterns",
|
||||||
"Url": "https://docs.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-cosmosdb-portal"
|
"Url": "https://hub.prowler.com/check/cosmosdb_account_use_private_endpoints"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"Categories": [],
|
"Categories": [
|
||||||
|
"internet-exposed",
|
||||||
|
"trust-boundaries"
|
||||||
|
],
|
||||||
"DependsOn": [],
|
"DependsOn": [],
|
||||||
"RelatedTo": [],
|
"RelatedTo": [],
|
||||||
"Notes": "Only whitelisted services will have access to communicate with the Cosmos DB."
|
"Notes": "Only whitelisted services will have access to communicate with the Cosmos DB."
|
||||||
|
|||||||
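Review bot: the Bicep and Terraform snippets create the private endpoint but do not link a private DNS zone, which Recommendation.Text itself lists as necessary for clients to resolve the account to its private IP; consider adding a `private_dns_zone_group` block in the Terraform example and a privateDnsZoneGroups resource in the Bicep example, or state in the comment that DNS must be configured separately. Also, Recommendation.Text writes `PublicNetworkAccess=Disabled` while the firewall check's metadata writes `publicNetworkAccess=Disabled`; the ARM property is camel-cased, so align them. The CLI line reuses <example_resource_name> for the endpoint, resource group, VNet, subnet, account and connection names; distinct placeholders would make it usable as written.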