
Azure Cosmos DB key based authentication is enabled

Description

In 2019, Microsoft added a feature called Jupyter Notebook to Cosmos DB that lets customers visualize their data and create customized views. The feature was automatically turned on for all Cosmos DBs in February 2021. A series of misconfigurations in the notebook feature opened up a new attack vector: the notebook container allowed privilege escalation into other customers' notebooks. As a result, an attacker could gain access to customers' Cosmos DB primary keys and other highly sensitive secrets such as the notebook blob storage access token. For more details visit https://msrc-blog.microsoft.com/2021/08/27/update-on-vulnerability-in-the-azure-cosmos-db-jupyter-notebook-feature/

One way to reduce risk is to prevent management-plane changes for clients using key-based authentication. Cosmos DB access keys are mainly used by applications to access data in Cosmos DB containers; it is rare for organizations to have use cases where the keys are used to make management changes.

Code Example

```hcl
resource "azurerm_cosmosdb_account" "db" {
  name = "db"
  # ... other required arguments ...

  # Block management-plane (metadata) writes made with the account keys
  access_key_metadata_writes_enabled = false
}
```

Remediation

Terraform

  • Resource: azurerm_cosmosdb_account
  • Arguments: access_key_metadata_writes_enabled
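To catch this misconfiguration before apply time, here is an added example (not part of this rule page and not Checkov's own implementation) that scans a Terraform plan exported with `terraform show -json` for Cosmos DB accounts that still allow key-based management writes. The sample plan embedded below is constructed for the demonstration; the check treats an omitted `access_key_metadata_writes_enabled` as a failure because the azurerm provider defaults it to true.

```python
import json

# Terraform attribute the rule inspects on azurerm_cosmosdb_account. It defaults
# to true, so an absent attribute is as unsafe as an explicit true.
RESOURCE_TYPE = "azurerm_cosmosdb_account"
ATTRIBUTE = "access_key_metadata_writes_enabled"


def key_metadata_writes_allowed(resource_attrs: dict) -> bool:
    """Return True when account keys may perform management-plane writes."""
    value = resource_attrs.get(ATTRIBUTE)
    if value is None:            # attribute omitted: provider default is true
        return True
    if isinstance(value, str):   # tolerate "true"/"false" strings from templated input
        return value.strip().lower() != "false"
    return bool(value)


def find_violations(plan: dict) -> list[str]:
    """Return addresses of Cosmos DB accounts in a `terraform show -json` plan
    whose planned ('after') state still allows key-based management writes.
    Resources being deleted are skipped."""
    violations = []
    for change in plan.get("resource_changes", []):
        if change.get("type") != RESOURCE_TYPE:
            continue
        details = change.get("change", {})
        if details.get("actions") == ["delete"]:
            continue
        after = details.get("after") or {}
        if key_metadata_writes_allowed(after):
            violations.append(change["address"])
    return violations


# Constructed sample plan (not from any real environment): one hardened account,
# one explicitly permissive, one relying on the default, one being deleted.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "azurerm_cosmosdb_account.hardened", "type": "azurerm_cosmosdb_account",
   "change": {"actions": ["create"], "after": {"name": "db-hardened", "access_key_metadata_writes_enabled": false}}},
  {"address": "azurerm_cosmosdb_account.explicit", "type": "azurerm_cosmosdb_account",
   "change": {"actions": ["create"], "after": {"name": "db-explicit", "access_key_metadata_writes_enabled": true}}},
  {"address": "azurerm_cosmosdb_account.implicit", "type": "azurerm_cosmosdb_account",
   "change": {"actions": ["update"], "after": {"name": "db-implicit"}}},
  {"address": "azurerm_cosmosdb_account.gone", "type": "azurerm_cosmosdb_account",
   "change": {"actions": ["delete"], "after": null}}
]}
""")

if __name__ == "__main__":
    for address in find_violations(SAMPLE_PLAN):
        print(f"FAIL {address}: {ATTRIBUTE} is not false")
```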

Rule Details

Field         Value
ID            IAC-0639
Severity      LOW
IaC Type      arm
Frameworks    ARM
Checkov ID    CKV_AZURE_132

References