Restrict user access to data operations in Azure Cosmos DB
Security · Cosmos DB · Rule · 2021_09 · Important
Use Entra ID identities for management plane operations in Azure Cosmos DB.
Description
Cosmos DB provides two authorization options for interacting with the database:
- Entra ID identities (previously known as Azure AD): can be used to authorize account and resource management operations.
- Keys and resource tokens: can be used to authorize resource management and data operations.
Resource management operations include management of databases, indexes, and containers. By default, keys are permitted to perform resource management operations. You can restrict these operations to Azure Resource Manager (ARM) calls only.
Recommendation
Consider limiting key and resource tokens to data plane operations only. Use Microsoft Entra ID identities for authorizing account and resource management operations.
Examples
Configure with Azure template
To deploy Cosmos DB accounts that pass this rule:
- Set the Properties.disableKeyBasedMetadataWriteAccess property to true.
For example:
```json
{
  "type": "Microsoft.DocumentDB/databaseAccounts",
  "apiVersion": "2023-04-15",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "enableFreeTier": false,
    "consistencyPolicy": {
      "defaultConsistencyLevel": "Session"
    },
    "databaseAccountOfferType": "Standard",
    "locations": [
      {
        "locationName": "[parameters('location')]",
        "failoverPriority": 0,
        "isZoneRedundant": true
      }
    ],
    "disableKeyBasedMetadataWriteAccess": true
  }
}
```
Configure with Bicep
To deploy Cosmos DB accounts that pass this rule:
- Set the Properties.disableKeyBasedMetadataWriteAccess property to true.
For example:
```bicep
resource account 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' = {
  name: name
  location: location
  properties: {
    enableFreeTier: false
    consistencyPolicy: {
      defaultConsistencyLevel: 'Session'
    }
    databaseAccountOfferType: 'Standard'
    locations: [
      {
        locationName: location
        failoverPriority: 0
        isZoneRedundant: true
      }
    ]
    disableKeyBasedMetadataWriteAccess: true
  }
}
```
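The Azure template and Bicep examples above both come down to one setting on the account resource. The following script is an added example, not part of this rule's documentation or of the PSRule for Azure project, showing how a pipeline could audit an ARM template for that setting before deployment: it walks every resource (including nested child resources), picks out Cosmos DB accounts, and fails any account where disableKeyBasedMetadataWriteAccess is missing (the default, which leaves keys able to perform resource management operations), explicitly false, or still a template expression that cannot be evaluated without parameter values. The sample template and the account names in it are constructed for the example.

```python
import json

COSMOS_ACCOUNT_TYPE = "microsoft.documentdb/databaseaccounts"
PROPERTY = "disableKeyBasedMetadataWriteAccess"

# Constructed sample ARM template (not taken from the rule documentation). It
# contains four Cosmos DB accounts in different states plus one unrelated
# resource, so the audit has every case to report on.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {"disableMetadataWrite": {"type": "bool"}},
    "resources": [
        {"type": "Microsoft.DocumentDB/databaseAccounts", "apiVersion": "2023-04-15",
         "name": "cosmos-pass", "location": "eastus",
         "properties": {"databaseAccountOfferType": "Standard",
                        "disableKeyBasedMetadataWriteAccess": True}},
        {"type": "Microsoft.DocumentDB/databaseAccounts", "apiVersion": "2023-04-15",
         "name": "cosmos-default", "location": "eastus",
         "properties": {"databaseAccountOfferType": "Standard"}},
        {"type": "Microsoft.DocumentDB/databaseAccounts", "apiVersion": "2023-04-15",
         "name": "cosmos-explicit-false", "location": "eastus",
         "properties": {"databaseAccountOfferType": "Standard",
                        "disableKeyBasedMetadataWriteAccess": False}},
        {"type": "Microsoft.DocumentDB/databaseAccounts", "apiVersion": "2023-04-15",
         "name": "cosmos-parameterised", "location": "eastus",
         "properties": {"databaseAccountOfferType": "Standard",
                        "disableKeyBasedMetadataWriteAccess": "[parameters('disableMetadataWrite')]"}},
        {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2023-01-01",
         "name": "stexample", "location": "eastus", "properties": {}},
    ],
})


def iter_resources(resources):
    """Walk a template's resources depth-first, including nested child resources."""
    for res in resources:
        yield res
        yield from iter_resources(res.get("resources") or [])


def evaluate_account(resource):
    """Return (passed, reason) for one Cosmos DB account resource."""
    value = (resource.get("properties") or {}).get(PROPERTY)
    if value is True:
        return True, f"{PROPERTY} is true; metadata writes require ARM"
    if value is None:
        return False, f"{PROPERTY} not set; by default keys may perform resource management operations"
    if isinstance(value, str) and value.startswith("["):
        return False, f"{PROPERTY} is a template expression ({value}); resolve parameters before evaluating"
    return False, f"{PROPERTY} is {json.dumps(value)}; keys can still perform resource management operations"


def audit_template(template_text):
    """Evaluate every Cosmos DB account in an ARM template given as JSON text."""
    template = json.loads(template_text)
    findings = []
    for res in iter_resources(template.get("resources") or []):
        # Resource types are case-insensitive in ARM, so compare lower-cased.
        if str(res.get("type", "")).lower() != COSMOS_ACCOUNT_TYPE:
            continue
        passed, reason = evaluate_account(res)
        findings.append({"name": res.get("name"), "pass": passed, "reason": reason})
    return findings


def failing_accounts(template_text):
    """Names of accounts that do not satisfy the rule, for gating a pipeline step."""
    return [f["name"] for f in audit_template(template_text) if not f["pass"]]


if __name__ == "__main__":
    for finding in audit_template(SAMPLE_TEMPLATE):
        status = "PASS" if finding["pass"] else "FAIL"
        print(f"{status} {finding['name']}: {finding['reason']}")
```

Treating an unresolved parameter expression as a failure is deliberate: a template whose compliance depends on a parameter value passes or fails only at deployment time, so the audit reports it rather than assuming the safe value. To check the Bicep form, compile it to an ARM template first and run the same audit over the output.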
Configure with Azure Policy
To address this issue at runtime use the following policies:
- Azure Cosmos DB key based metadata write access should be disabled: /providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5
Links
- SE:05 Identity and access management
- Restrict user access to data operations in Azure Cosmos DB
- Secure access to data in Azure Cosmos DB
- How does Azure Cosmos DB secure my database?
- Access control in the Azure Cosmos DB SQL API
- Azure resource deployment