Azure · BernieWhite · May 11, 2024 · May 9, 2024
@@ -33,6 +33,11 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
 
 ## Unreleased
 
+- New rules:
+  - Cosmos DB:
+    - Check that database accounts have public network access disabled by @BenjaminEngeset.
+      [#2702](https://github.com/Azure/PSRule.Rules.Azure/issues/2702)
+
 ## v1.37.0-B0009 (pre-release)
 
 What's changed since v1.36.0:

@@ -0,0 +1,86 @@
+---
+severity: Critical
+pillar: Security
+category: SE:06 Network controls
+resource: Cosmos DB
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cosmos.PublicAccess/
+---
+
+# Disable public network access on Cosmos DB
+
+## SYNOPSIS
+
+Azure Cosmos DB should have public network access disabled.
+
+## DESCRIPTION
+
+Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet.
+You can control exposure of your resources by creating private endpoints instead.
+
+## RECOMMENDATION
+
+Consider disabling public network access on Cosmos DB, using private endpoints to control connectivity for data plane operations.
+
+## EXAMPLES
+
+### Configure with Azure template
+
+To deploy database accounts that pass this rule:
+
+- Set the `properties.publicNetworkAccess` property to `Disabled`.
+
+For example:
+
+```json
+{
+  "type": "Microsoft.DocumentDB/databaseAccounts",
+  "apiVersion": "2023-11-15",
+  "name": "[parameters('name')]",
+  "location": "[parameters('location')]",
+  "kind": "GlobalDocumentDB",
+  "properties": {
+    "publicNetworkAccess": "Disabled",
+    "locations": [
+      {
+        "locationName": "[parameters('location')]",
+        "failoverPriority": 0,
+        "isZoneRedundant": true
+      }
+    ]
+  }
+}
+```
+
+### Configure with Bicep
+
+To deploy database accounts that pass this rule:
+
+- Set the `properties.publicNetworkAccess` property to `Disabled`.
+
+For example:
+
+```bicep
+resource account 'Microsoft.DocumentDB/databaseAccounts@2023-11-15' = {
+  name: name
+  location: location
+  kind: 'GlobalDocumentDB'
+  properties: {
+    publicNetworkAccess: 'Disabled'
+    locations: [
+      {
+        locationName: location
+        failoverPriority: 0
+        isZoneRedundant: true
+      }
+    ]
+  }
+}
+```
+
+## LINKS
+
+- [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)  
+- [Configure Azure Private Link for an Azure Cosmos DB account](https://learn.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints)
+- [Azure security baseline for Azure Cosmos DB](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-cosmos-db-security-baseline)
+- [NS-2: Secure cloud services with network controls](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-cosmos-db-security-baseline#ns-2-secure-cloud-services-with-network-controls)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.documentdb/databaseaccounts)
@@ -19,10 +19,10 @@ metadata:
     ruleSet: 2021_09
     Azure.WAF/pillar: Security
   labels:
-    Azure.MCSB.v1/control: [ 'IM-1', 'IM-2' ]
+    Azure.MCSB.v1/control: ['IM-1', 'IM-2']
 spec:
   type:
-  - Microsoft.DocumentDb/databaseAccounts
+    - Microsoft.DocumentDb/databaseAccounts
   condition:
     field: 'Properties.disableKeyBasedMetadataWriteAccess'
     equals: true
@@ -40,17 +40,17 @@ metadata:
     Azure.WAF/pillar: Operational Excellence
 spec:
   type:
-  - Microsoft.DocumentDb/databaseAccounts
+    - Microsoft.DocumentDb/databaseAccounts
   condition:
     allOf:
-    - name: '.'
-      greaterOrEquals: 3
-    - name: '.'
-      lessOrEquals: 44
-    # Lowercase letters, numbers, and hyphens
-    # Start and end with lettings and numbers
-    - name: '.'
-      match: '^[a-z0-9](-|[a-z0-9]){1,41}[a-z0-9]$'
+      - name: '.'
+        greaterOrEquals: 3
+      - name: '.'
+        lessOrEquals: 44
+      # Lowercase letters, numbers, and hyphens
+      # Start and end with lettings and numbers
+      - name: '.'
+        match: '^[a-z0-9](-|[a-z0-9]){1,41}[a-z0-9]$'
 
 ---
 # Synopsis: Cosmos DB accounts should reject TLS versions older than 1.2.
@@ -65,7 +65,7 @@ metadata:
     Azure.WAF/pillar: Security
 spec:
   type:
-  - Microsoft.DocumentDb/databaseAccounts
+    - Microsoft.DocumentDb/databaseAccounts
   condition:
     field: properties.minimalTlsVersion
     equals: Tls12
@@ -83,9 +83,29 @@ metadata:
     Azure.WAF/pillar: Reliability
 spec:
   type:
-  - Microsoft.DocumentDb/databaseAccounts
+    - Microsoft.DocumentDb/databaseAccounts
   condition:
     field: properties.enableFreeTier
     hasDefault: false
 
+---
+# Synopsis: Cosmos DB has public network access disabled.
+apiVersion: github.com/microsoft/PSRule/v1
+kind: Rule
+metadata:
+  name: Azure.Cosmos.PublicAccess
+  ref: AZR-000421
+  tags:
+    release: GA
+    ruleSet: 2024_06
+    Azure.WAF/pillar: Security
+  labels:
+    Azure.MCSB.v1/control: ['NS-2']
+spec:
+  type:
+    - Microsoft.DocumentDb/databaseAccounts
+  condition:
+    field: properties.publicNetworkAccess
+    equals: Disabled
+
 #endregion Rules
@@ -77,6 +77,20 @@ Describe 'Azure.Cosmos' -Tag 'Cosmos', 'CosmosDB' {
             $ruleResult.Length | Should -Be 4;
             $ruleResult.TargetName | Should -BeIn 'graph-B', 'nosql-A', 'nosql-B', 'nosql-C';
         }
+
+        It 'Azure.Cosmos.PublicAccess' {
+            $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Cosmos.PublicAccess' };
+
+            # Fail
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
+            $ruleResult.Length | Should -Be 4;
+            $ruleResult.TargetName | Should -BeIn 'graph-A', 'graph-B', 'nosql-A', 'nosql-B';
+
+            # Pass
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
+            $ruleResult.Length | Should -Be 1;
+            $ruleResult.TargetName | Should -BeIn 'nosql-C';
+        }
     }
 
     Context 'Resource name - Azure.Cosmos.AccountName' {

@@ -18,7 +18,6 @@
       "provisioningState": "Succeeded",
       "documentEndpoint": "https://graph-A.documents.azure.com:443/",
       "gremlinEndpoint": "https://graph-A.gremlin.cosmos.azure.com:443/",
-      "publicNetworkAccess": "Enabled",
       "enableAutomaticFailover": false,
       "enableMultipleWriteLocations": false,
       "enablePartitionKeyMonitor": false,
@@ -296,7 +295,8 @@
         }
       ],
       "databaseAccountOfferType": "Standard",
-      "enableAutomaticFailover": true
+      "enableAutomaticFailover": true,
+      "publicNetworkAccess": "Enabled"
     },
     "ResourceGroupName": "test-rg",
     "Type": "Microsoft.DocumentDB/databaseAccounts",
@@ -341,7 +341,8 @@
         }
       ],
       "databaseAccountOfferType": "Standard",
-      "enableAutomaticFailover": true
+      "enableAutomaticFailover": true,
+      "publicNetworkAccess": "Disabled"
     },
     "ResourceGroupName": "test-rg",
     "Type": "Microsoft.DocumentDB/databaseAccounts",