
Cosmos DB account access keys are enabled

Security · Cosmos DB · Rule · 2024_06 · Critical

Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.

Description

Every request to a Cosmos DB account resource must be authenticated. Cosmos DB supports authenticating requests using either Entra ID (previously Azure AD) identities or local authentication. Local authentication uses account keys, which are granted permissions to the entire Cosmos DB account.

Using Entra ID provides consistency as a single authoritative source, which:

  • Increases clarity and reduces security risks from human errors and configuration complexity.
  • Allows granting of permissions using role-based access control (RBAC).
  • Provides support for advanced identity security and governance features.

Disabling local authentication ensures that Entra ID is used exclusively for authentication. Any subsequent requests to the resource using account keys will be rejected.

Recommendation

Consider disabling local authentication on Cosmos DB accounts and using Entra ID instead.

Examples

Configure with Azure template

To deploy database accounts that pass this rule:

  • Set the properties.disableLocalAuth property to true.

For example:

Azure Template snippet
{
  "type": "Microsoft.DocumentDB/databaseAccounts",
  "apiVersion": "2023-11-15",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "kind": "GlobalDocumentDB",
  "properties": {
    "disableLocalAuth": true,
    "locations": [
      {
        "locationName": "[parameters('location')]",
        "failoverPriority": 0,
        "isZoneRedundant": true
      }
    ]
  }
}

Configure with Bicep

To deploy database accounts that pass this rule:

  • Set the properties.disableLocalAuth property to true.

For example:

Azure Bicep snippet
resource account 'Microsoft.DocumentDB/databaseAccounts@2023-11-15' = {
  name: name
  location: location
  kind: 'GlobalDocumentDB'
  properties: {
    disableLocalAuth: true
    locations: [
      {
        locationName: location
        failoverPriority: 0
        isZoneRedundant: true
      }
    ]
  }
}

Notes

Enforcing role-based access control as the only authentication method is currently only supported for the NoSQL API.
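The following Python script is an added example (not PSRule's own rule implementation) that evaluates the databaseAccounts resources of an ARM template the way this rule does: a missing or false properties.disableLocalAuth fails, and accounts that are not on the NoSQL API are skipped because of the limitation noted above. The way non-NoSQL APIs are detected (the kind value and capability names) is an assumption about the ARM resource shape, and the sample template is constructed.

```python
import json

# Non-NoSQL APIs are identified by kind or by capability names (assumption:
# this is how the API surface appears in ARM resource JSON).
NON_NOSQL_KINDS = {"MongoDB", "Parse"}
NON_NOSQL_CAPABILITIES = {"EnableCassandra", "EnableGremlin", "EnableTable"}

def is_nosql_account(resource: dict) -> bool:
    """True when the account uses the NoSQL API, the only API where
    disableLocalAuth can currently be enforced (see Notes above)."""
    if resource.get("kind", "GlobalDocumentDB") in NON_NOSQL_KINDS:
        return False
    caps = {c.get("name") for c in resource.get("properties", {}).get("capabilities", [])}
    return not (caps & NON_NOSQL_CAPABILITIES)

def evaluate_account(resource: dict) -> tuple:
    """Return (status, reason) for one resource. A missing disableLocalAuth is
    treated as false, because the service default leaves account keys enabled."""
    if resource.get("type") != "Microsoft.DocumentDB/databaseAccounts":
        return ("skip", "not a Cosmos DB account")
    if not is_nosql_account(resource):
        return ("skip", "rule only applies to NoSQL API accounts")
    value = resource.get("properties", {}).get("disableLocalAuth")
    if value is True:
        return ("pass", "local authentication is disabled")
    return ("fail", f"properties.disableLocalAuth is {value!r}; expected true")

def evaluate_template(template_json: str) -> list:
    """Evaluate every resource in an ARM template document."""
    template = json.loads(template_json)
    return [(r.get("name"), *evaluate_account(r)) for r in template.get("resources", [])]

# Constructed sample template: a compliant account, one missing the property,
# one with it explicitly false, and a MongoDB API account the rule does not cover.
SAMPLE_TEMPLATE = json.dumps({"resources": [
    {"type": "Microsoft.DocumentDB/databaseAccounts", "name": "sql-ok",
     "kind": "GlobalDocumentDB", "properties": {"disableLocalAuth": True}},
    {"type": "Microsoft.DocumentDB/databaseAccounts", "name": "sql-default",
     "kind": "GlobalDocumentDB", "properties": {}},
    {"type": "Microsoft.DocumentDB/databaseAccounts", "name": "sql-keys",
     "kind": "GlobalDocumentDB", "properties": {"disableLocalAuth": False}},
    {"type": "Microsoft.DocumentDB/databaseAccounts", "name": "mongo",
     "kind": "MongoDB", "properties": {"disableLocalAuth": False}},
]})

if __name__ == "__main__":
    for name, status, reason in evaluate_template(SAMPLE_TEMPLATE):
        print(f"{status.upper():5} {name}: {reason}")
```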
