5.4.2 Ensure That Private Endpoints Are Used Where Possible

Information

Private endpoints limit network traffic to approved sources.

Rationale:

For sensitive data, private endpoints allow granular control of which services can communicate with Cosmos DB and ensure that this network traffic is private. You set this up on a case by case basis for each service you wish to be connected.

Impact:

Only whitelisted services will have access to communicate with the Cosmos DB.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Remediate from Azure Portal

Open the portal menu.

Select the Azure Cosmos DB blade.

Select the Azure Cosmos DB account.

Select Networking.

Select Private access.

Click + Private Endpoint.

Provide a Name.

Click Next.

From the Resource type drop down, select Microsoft.AzureCosmosDB/databaseAccounts.

From the Resource drop down, select the Cosmos DB account.

Click Next.

Provide appropriate Virtual Network details.

Click Next.

Provide appropriate DNS details.

Click Next.

Optionally provide Tags.

Click Next : Review + create.

Click Create.

Default Value:

By default Cosmos DB does not have private endpoints enabled and its traffic is public to the network.

See Also

https://workbench.cisecurity.org/benchmarks/16820

Item Details

Category: CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-7, 800-53|CP-6, 800-53|CP-7, 800-53|PL-8, 800-53|PM-7, 800-53|SA-8, 800-53|SC-7, CSCv7|14.1

Plugin: microsoft_azure

Control ID: 6147902d282716cd561c58d1597f0ab469501f8fa56b231720bdc5c02b80c464