Ensure Azure CosmosDB has Local Authentication disabled

Error: Azure CosmosDB does not have Local Authentication disabled

Bridgecrew Policy ID: BC_AZR_IAM_5
Checkov Check ID: CKV_AZURE_140
Bridgecrew Severity: LOW

Description

Disabling local authentication for Azure CosmosDB can help improve the security of your database. Local authentication allows users to access the database using a local account and password, rather than an Azure Active Directory (Azure AD) account.

By disabling local authentication, you ensure that all users must authenticate using an Azure AD account. This can help prevent unauthorized access to the database and reduce exposure to security threats such as data breaches.

Fix - Runtime

Fix - Buildtime

Terraform

  • Resource: azurerm_cosmosdb_account
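  • Argument: local_authentication_disabled

resource "azurerm_cosmosdb_account" "pass" {
  name                          = "pike-sql"
  location                      = "uksouth"
  resource_group_name           = "pike"
  offer_type                    = "Standard"
  kind                          = "GlobalDocumentDB"
  # Disables local authentication; clients must authenticate with Azure AD
  local_authentication_disabled = true
  enable_free_tier              = true

  consistency_policy {
    consistency_level       = "Session"
    max_interval_in_seconds = 5
    max_staleness_prefix    = 100
  }

  # geo_location is a required block; the region mirrors location above
  geo_location {
    location          = "uksouth"
    failover_priority = 0
  }
}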
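
The same condition can also be checked against a rendered plan instead of the HCL source, which catches accounts declared inside modules. The following is an added example, not Checkov's or Bridgecrew's own implementation; it assumes the plan JSON produced by terraform show -json, and the sample plan and every resource name other than "pass" are constructed.

```python
import json

RESOURCE_TYPE = "azurerm_cosmosdb_account"
ARGUMENT = "local_authentication_disabled"

# Constructed sample, trimmed to the fields this check reads from
# `terraform show -json <planfile>`. Names other than "pass" are made up.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "azurerm_cosmosdb_account.pass", "type": "azurerm_cosmosdb_account",
   "change": {"actions": ["create"],
              "after": {"name": "pike-sql", "local_authentication_disabled": true}}},
  {"address": "azurerm_cosmosdb_account.explicit_false", "type": "azurerm_cosmosdb_account",
   "change": {"actions": ["update"],
              "after": {"name": "demo-a", "local_authentication_disabled": false}}},
  {"address": "module.data.azurerm_cosmosdb_account.omitted", "type": "azurerm_cosmosdb_account",
   "change": {"actions": ["create"], "after": {"name": "demo-b"}}},
  {"address": "azurerm_cosmosdb_account.retired", "type": "azurerm_cosmosdb_account",
   "change": {"actions": ["delete"], "after": null}},
  {"address": "azurerm_resource_group.rg", "type": "azurerm_resource_group",
   "change": {"actions": ["no-op"], "after": {"name": "pike"}}}
]}
""")


def find_local_auth_enabled(plan):
    """Return addresses of Cosmos DB accounts planned with local auth still enabled."""
    failing = []
    # resource_changes is flat: resources inside modules appear here too.
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != RESOURCE_TYPE:
            continue
        after = (rc.get("change") or {}).get("after")
        if after is None:
            continue  # account is being destroyed; nothing left to harden
        # Only an explicit true passes; false, null or a missing key all fail.
        if after.get(ARGUMENT) is not True:
            failing.append(rc["address"])
    return sorted(failing)


if __name__ == "__main__":
    for address in find_local_auth_enabled(SAMPLE_PLAN):
        print(f"FAIL {address}: {ARGUMENT} is not true")
```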