Ensure Cosmos DB does not allow privileged escalation by restricting management plane changes

Error: CosmosDB account enables privileged escalation by not restricting management plane changes

Bridgecrew Policy ID: BC_AZR_STORAGE_4
Checkov Check ID: CKV_AZURE_132
Bridgecrew Severity: LOW
Prisma Cloud Severity: MEDIUM

CosmosDB account enables privileged escalation by not restricting management plane changes

Description

In 2019, Microsoft added a feature called Jupyter Notebook to Cosmos DB that lets customers visualize their data and create customized views. The feature was automatically turned on for all Cosmos DBs in February 2021. A series of misconfigurations in the notebook feature opened up a new attack vector - the notebook container allowed for a privilege escalation into other customer notebooks. As a result, an attacker could gain access to customers’ Cosmos DB primary keys and other highly sensitive secrets such as the notebook blob storage access token.
For more details visit - https://msrc-blog.microsoft.com/2021/08/27/update-on-vulnerability-in-the-azure-cosmos-db-jupyter-notebook-feature/

One way to reduce risk is to prevent management plane changes for clients using key based authentication. CosmosDB access keys are mainly used by applications to access data in CosmosDB containers. It is rare for organizations to have use cases where the keys are used to make management changes.

Fix - Buildtime

Terraform

  • Resource: azurerm_cosmosdb_account
  • Argument: access_key_metadata_writes_enabled
resource "azurerm_cosmosdb_account" "db" {
  name                = "db"
  ...
+ access_key_metadata_writes_enabled = false
}

ARM Templates

  • Resource: encryptionOperation
  • Argument: EnableEncryption
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
	...
  "resources": [
    {
      "type": "Microsoft.DocumentDB/databaseAccounts",
      "apiVersion": "2018-07-01",
      "name": "db",
      "properties": {
      	...
+       "disableKeyBasedMetadataWriteAccess": true,
      }
    }
  ]
}