feat(new): Added Azure.Cosmos.DisableLocalAuth (#2862)
* feat(new): Added Azure.Cosmos.DisableLocalAuth * Update Azure.Cosmos.DisableLocalAuth.md * Update Azure.Cosmos.DisableLocalAuth.md * fix: Fixed tests * Delete src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1 * fix: Rollback * Delete tests/PSRule.Rules.Azure.Tests/testing.json * Update docs/en/rules/Azure.Cosmos.DisableLocalAuth.md Co-authored-by: Bernie White <bewhite@microsoft.com> * Update src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 Co-authored-by: Bernie White <bewhite@microsoft.com> --------- Co-authored-by: Bernie White <bewhite@microsoft.com>
This commit is contained in:
Родитель
616f8e8868
Коммит
40ac4fe929
|
@ -35,6 +35,8 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
|
|||
|
||||
- New rules:
|
||||
- Cosmos DB:
|
||||
- Check that database accounts have local authentication disabled by @BenjaminEngeset.
|
||||
[#2846](https://github.com/Azure/PSRule.Rules.Azure/issues/2846)
|
||||
- Check that database accounts have public network access disabled by @BenjaminEngeset.
|
||||
[#2702](https://github.com/Azure/PSRule.Rules.Azure/issues/2702)
|
||||
|
||||
|
|
|
@ -0,0 +1,102 @@
|
|||
---
|
||||
severity: Critical
|
||||
pillar: Security
|
||||
category: SE:05 Identity and access
|
||||
resource: Cosmos DB
|
||||
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cosmos.DisableLocalAuth/
|
||||
---
|
||||
|
||||
# Disable local authentication on Cosmos DB
|
||||
|
||||
## SYNOPSIS
|
||||
|
||||
Azure Cosmos DB should have local authentication disabled.
|
||||
|
||||
## DESCRIPTION
|
||||
|
||||
Every request to an Cosmos DB Account resource must be authenticated.
|
||||
Cosmos DB supports authenticating requests using either Entra ID (previously Azure AD) identities or local authentication.
|
||||
Local authentication uses accounts keys that are granted permissions to the entire Cosmos DB Account.
|
||||
|
||||
Using Entra ID, provides consistency as a single authoritative source which:
|
||||
|
||||
- Increases clarity and reduces security risks from human errors and configuration complexity.
|
||||
- Allows granting of permissions using role-based access control (RBAC).
|
||||
- Provides support for advanced identity security and governance features.
|
||||
|
||||
Disabling local authentication ensures that Entra ID is used exclusively for authentication.
|
||||
Any subsequent requests to the resource using account keys will be rejected.
|
||||
|
||||
## RECOMMENDATION
|
||||
|
||||
Consider disabling local authentication on Cosmos DB.
|
||||
|
||||
## EXAMPLES
|
||||
|
||||
### Configure with Azure template
|
||||
|
||||
To deploy database accounts that pass this rule:
|
||||
|
||||
- Set the `properties.disableLocalAuth` property to `true`.
|
||||
|
||||
For example:
|
||||
|
||||
```json
|
||||
{
|
||||
"type": "Microsoft.DocumentDB/databaseAccounts",
|
||||
"apiVersion": "2023-11-15",
|
||||
"name": "[parameters('name')]",
|
||||
"location": "[parameters('location')]",
|
||||
"kind": "GlobalDocumentDB",
|
||||
"properties": {
|
||||
"disableLocalAuth": true,
|
||||
"locations": [
|
||||
{
|
||||
"locationName": "[parameters('location')]",
|
||||
"failoverPriority": 0,
|
||||
"isZoneRedundant": true
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
### Configure with Bicep
|
||||
|
||||
To deploy database accounts that pass this rule:
|
||||
|
||||
- Set the `properties.disableLocalAuth` property to `true`.
|
||||
|
||||
For example:
|
||||
|
||||
```bicep
|
||||
resource account 'Microsoft.DocumentDB/databaseAccounts@2023-11-15' = {
|
||||
name: name
|
||||
location: location
|
||||
kind: 'GlobalDocumentDB'
|
||||
properties: {
|
||||
disableLocalAuth: true
|
||||
locations: [
|
||||
{
|
||||
locationName: location
|
||||
failoverPriority: 0
|
||||
isZoneRedundant: true
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
## NOTES
|
||||
|
||||
Enforcing role-based access control as the only authentication method is currently only supported for the `NoSQL API`.
|
||||
|
||||
## LINKS
|
||||
|
||||
- [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/design-identity-authentication)
|
||||
- [Enforcing role-based access control as the only authentication method](https://learn.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth)
|
||||
- [Configure role-based access control with Microsoft Entra ID for your Azure Cosmos DB account management plane](https://learn.microsoft.com/azure/cosmos-db/role-based-access-control)
|
||||
- [Configure role-based access control with Microsoft Entra ID for your Azure Cosmos DB account data plane](https://learn.microsoft.com/azure/cosmos-db/how-to-setup-rbac)
|
||||
- [Azure security baseline for Azure Cosmos DB](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-cosmos-db-security-baseline)
|
||||
- [IM-1: Use centralized identity and authentication system](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-cosmos-db-security-baseline#im-1-use-centralized-identity-and-authentication-system)
|
||||
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.documentdb/databaseaccounts)
|
|
@ -7,24 +7,31 @@
|
|||
#region Rules
|
||||
|
||||
# Synopsis: Enable Microsoft Defender for Azure Cosmos DB.
|
||||
Rule 'Azure.Cosmos.DefenderCloud' -Ref 'AZR-000382' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration.AZURE_COSMOS_DEFENDER_PER_ACCOUNT -and (IsNoSQL) } -Tag @{ release = 'GA'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'DP-2', 'LT-1' } {
|
||||
Rule 'Azure.Cosmos.DefenderCloud' -Ref 'AZR-000382' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration.AZURE_COSMOS_DEFENDER_PER_ACCOUNT -and (Test-IsNoSQL) } -Tag @{ release = 'GA'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'DP-2', 'LT-1' } {
|
||||
$defender = @(GetSubResources -ResourceType 'Microsoft.Security/advancedThreatProtectionSettings' |
|
||||
Where-Object { $_.properties.isEnabled -eq $True })
|
||||
Where-Object { $_.properties.isEnabled -eq $True })
|
||||
$Assert.GreaterOrEqual($defender, '.', 1).Reason($LocalizedData.SubResourceNotFound, 'Microsoft.Security/advancedThreatProtectionSettings')
|
||||
} -Configure @{ AZURE_COSMOS_DEFENDER_PER_ACCOUNT = $False }
|
||||
|
||||
# Synopsis: Cosmos DB has local authentication disabled.
|
||||
Rule 'Azure.Cosmos.DisableLocalAuth' -Ref 'AZR-000420' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { Test-IsNoSQL } -Tag @{ release = 'GA'; ruleSet = '2024_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'IM-1' } {
|
||||
$Assert.HasFieldValue($TargetObject, 'properties.DisableLocalAuth', $true)
|
||||
}
|
||||
#endregion Rules
|
||||
|
||||
#region Helper functions
|
||||
|
||||
function global:IsNoSQL {
|
||||
function global:Test-IsNoSQL {
|
||||
[CmdletBinding()]
|
||||
param ()
|
||||
process {
|
||||
if (!$TargetObject.kind -or !$TargetObject.properties.capabilites.name) {
|
||||
$True
|
||||
}
|
||||
param ( )
|
||||
|
||||
if ($TargetObject.kind -ne 'GlobalDocumentDB') {
|
||||
return $false
|
||||
}
|
||||
if (-not $TargetObject.properties.capabilities) {
|
||||
return $true
|
||||
}
|
||||
$TargetObject.properties.capabilities.Where({ $_.name -in @('EnableTable', 'EnableCassandra', 'EnableGremlin') }, 'First').Count -eq 0
|
||||
}
|
||||
|
||||
#endregion Helper functions
|
||||
|
|
|
@ -78,6 +78,20 @@ Describe 'Azure.Cosmos' -Tag 'Cosmos', 'CosmosDB' {
|
|||
$ruleResult.TargetName | Should -BeIn 'graph-B', 'nosql-A', 'nosql-B', 'nosql-C';
|
||||
}
|
||||
|
||||
It 'Azure.Cosmos.DisableLocalAuth' {
|
||||
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Cosmos.DisableLocalAuth' };
|
||||
|
||||
# Fail
|
||||
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
|
||||
$ruleResult.Length | Should -Be 2;
|
||||
$ruleResult.TargetName | Should -BeIn 'nosql-A', 'nosql-B';
|
||||
|
||||
# Pass
|
||||
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
|
||||
$ruleResult.Length | Should -Be 1;
|
||||
$ruleResult.TargetName | Should -BeIn 'nosql-C';
|
||||
}
|
||||
|
||||
It 'Azure.Cosmos.PublicAccess' {
|
||||
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Cosmos.PublicAccess' };
|
||||
|
||||
|
@ -186,11 +200,8 @@ Describe 'Azure.Cosmos' -Tag 'Cosmos', 'CosmosDB' {
|
|||
|
||||
# Fail
|
||||
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
|
||||
$ruleResult.Length | Should -Be 4;
|
||||
$ruleResult.TargetName | Should -BeIn 'graph-A', 'graph-B', 'nosql-A', 'nosql-B';
|
||||
|
||||
$ruleResult[0].Reason | Should -BeExactly "A sub-resource of type 'Microsoft.Security/advancedThreatProtectionSettings' has not been specified.";
|
||||
$ruleResult[1].Reason | Should -BeExactly "A sub-resource of type 'Microsoft.Security/advancedThreatProtectionSettings' has not been specified.";
|
||||
$ruleResult.Length | Should -Be 2;
|
||||
$ruleResult.TargetName | Should -BeIn 'nosql-A', 'nosql-B';
|
||||
|
||||
# Pass
|
||||
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
|
||||
|
|
|
@ -296,6 +296,7 @@
|
|||
],
|
||||
"databaseAccountOfferType": "Standard",
|
||||
"enableAutomaticFailover": true,
|
||||
"disableLocalAuth": false,
|
||||
"publicNetworkAccess": "Enabled"
|
||||
},
|
||||
"ResourceGroupName": "test-rg",
|
||||
|
@ -342,7 +343,14 @@
|
|||
],
|
||||
"databaseAccountOfferType": "Standard",
|
||||
"enableAutomaticFailover": true,
|
||||
"disableLocalAuth": true,
|
||||
"capabilities": [
|
||||
{
|
||||
"name": "EnableServerless"
|
||||
}
|
||||
],
|
||||
"publicNetworkAccess": "Disabled"
|
||||
|
||||
},
|
||||
"ResourceGroupName": "test-rg",
|
||||
"Type": "Microsoft.DocumentDB/databaseAccounts",
|
||||
|
|
Загрузка…
Ссылка в новой задаче