last sync: 2024-Sep-18 17:50:24 UTC

Cosmos DB database accounts should have local authentication methods disabled

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Cosmos DB database accounts should have local authentication methods disabled
Id: 5450f5bd-9c72-4390-a9c4-a7aba4edfdd2
Version: 1.1.0
Versioning: 1 version supported (1.1.0); Built-in Versioning [Preview]
Category: Cosmos DB
Description: Disabling local authentication methods improves security by ensuring that Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth.
Mode: Indexed
Type: BuiltIn
Preview: False
Deprecated: False
Effect: Default = Audit; Allowed = Audit, Deny, Disabled
RBAC role(s): none
Rule aliases IF (2)

Alias: Microsoft.DocumentDB/databaseAccounts/capabilities[*].name
  Namespace: Microsoft.DocumentDB
  ResourceType: databaseAccounts
  Path: properties.capabilities[*].name
  PathIsDefault: True
  DefaultPath: (empty)
  Modifiable: False

Alias: Microsoft.DocumentDB/databaseAccounts/disableLocalAuth
  Namespace: Microsoft.DocumentDB
  ResourceType: databaseAccounts
  Path: properties.disableLocalAuth
  PathIsDefault: True
  DefaultPath: (empty)
  Modifiable: True
Rule resource types IF (1)
Microsoft.DocumentDB/databaseAccounts
Compliance
The following 3 compliance controls are associated with this Policy definition 'Cosmos DB database accounts should have local authentication methods disabled' (5450f5bd-9c72-4390-a9c4-a7aba4edfdd2).

Control 1
  Control Domain: Azure_Security_Benchmark_v3.0
  Control Name: IM-1
  MetadataId: Azure_Security_Benchmark_v3.0_IM-1 (Microsoft cloud security benchmark IM-1)
  Category: Identity Management
  Title: Use centralized identity and authentication system
  Owner: Shared
  Requirements:
    Security Principle: Use a centralized identity and authentication system to govern your organization's identities and authentications for cloud and non-cloud resources.
    Azure Guidance: Microsoft Entra ID is Azure's identity and authentication management service. You should standardize on Microsoft Entra ID to govern your organization's identity and authentication in:
    - Microsoft cloud resources, such as Azure Storage, Azure Virtual Machines (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications.
    - Your organization's resources, such as applications on Azure, third-party applications running on your corporate network resources, and third-party SaaS applications.
    - Your enterprise identities in Active Directory, by synchronization to Microsoft Entra ID, to ensure a consistent and centrally managed identity strategy.
    Note: As soon as it is technically feasible, you should migrate on-premises Active Directory based applications to Microsoft Entra ID. This could be a Microsoft Entra Enterprise Directory, Business to Business configuration, or Business to Consumer configuration.
    Implementation and additional context:
    - Tenancy in Microsoft Entra ID: https://docs.microsoft.com/azure/active-directory/develop/single-and-multi-tenant-apps
    - How to create and configure a Microsoft Entra instance: https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-access-create-new-tenant
    - Define Microsoft Entra ID tenants: https://azure.microsoft.com/resources/securing-azure-environments-with-azure-active-directory/
    - Use external identity providers for an application: https://docs.microsoft.com/azure/active-directory/b2b/identity-providers
  Description: n/a
  Policy#: 15

Control 2
  Control Domain: CIS_Azure_2.0.0
  Control Name: 4.5.3
  MetadataId: CIS_Azure_2.0.0_4.5.3 (CIS Microsoft Azure Foundations Benchmark recommendation 4.5.3)
  Category: 4.5
  Title: Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible.
  Owner: Shared
  Requirements: n/a
  Description: Cosmos DB can use tokens or AAD for client authentication, which in turn will use Azure RBAC for authorization. Using AAD is significantly more secure because AAD handles the credentials and allows for MFA and centralized management, and Azure RBAC is better integrated with the rest of Azure. AAD client authentication is considerably more secure than token-based authentication because the tokens must be persistent at the client. AAD does not require this.
  Policy#: 1

Control 3
  Control Domain: New_Zealand_ISM
  Control Name: 16.1.32.C.01
  MetadataId: New_Zealand_ISM_16.1.32.C.01
  Category: 16. Access Control and Passwords
  Title: Identification
  Requirements: n/a
  Description: Agencies MUST ensure that all system users are uniquely identifiable; and authenticated on each occasion that access is granted to a system.
  Policy#: 18
Initiatives usage
Initiative DisplayName | Initiative Id | Initiative Category | State | Type
[Preview]: Control the use of CosmosDB in a Virtual Enclave | 6bd484ca-ae8d-46cf-9b33-e1feef84bfba | VirtualEnclaves | Preview | BuiltIn
CIS Microsoft Azure Foundations Benchmark v2.0.0 | 06f19060-9e68-4070-92ca-f15cc126059e | Regulatory Compliance | GA | BuiltIn
Enforce recommended guardrails for Cosmos DB | Enforce-Guardrails-CosmosDb | Cosmos DB | GA | ALZ
Microsoft cloud security benchmark | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | Security Center | GA | BuiltIn
New Zealand ISM | 4f5b1359-4f8e-4d7c-9733-ea47fcde891e | Regulatory Compliance | GA | BuiltIn
History
Date/Time (UTC ymd) | Change type | Change detail
2023-05-26 17:43:09 | change | Minor (1.0.0 > 1.1.0)
2021-07-07 15:26:31 | add | 5450f5bd-9c72-4390-a9c4-a7aba4edfdd2