CosmosDB Account IP Range Filter Not Set

  • Query id: e8c80448-31d8-4755-85fc-6dbab69c2717
  • Query name: CosmosDB Account IP Range Filter Not Set
  • Platform: Ansible
  • Severity: Critical
  • Category: Networking and Firewall
  • CWE: Ongoing
  • URL: Github

Description

The IP range filter (ip_range_filter) should be defined for the Cosmos DB account to secure the stored data.

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: Create Cosmos DB Account - max
  azure_rm_cosmosdbaccount:
    resource_group: myResourceGroup
    name: myDatabaseAccount
    location: westus
    kind: mongo_db
    geo_rep_locations:
      - name: southcentralus
        failover_priority: 0
    database_account_offer_type: Standard
    enable_multiple_write_locations: yes
    virtual_network_rules:
      - subnet: "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVirtualNetwork/subnets/mySubnet"
    consistency_policy:
      default_consistency_level: bounded_staleness
      max_staleness_prefix: 10
      max_interval_in_seconds: 1000

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: Create Cosmos DB Account - max
  azure_rm_cosmosdbaccount:
    resource_group: myResourceGroup
    name: myDatabaseAccount
    location: westus
    kind: mongo_db
    geo_rep_locations:
    - name: southcentralus
      failover_priority: 0
    database_account_offer_type: Standard
    ip_range_filter: 10.10.10.10
    enable_multiple_write_locations: yes
    virtual_network_rules:
    - subnet: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVirtualNetwork/subnets/mySubnet
    consistency_policy:
      default_consistency_level: bounded_staleness
      max_staleness_prefix: 10
      max_interval_in_seconds: 1000
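
The same check as a small pre-merge script, added here as an example and not the query's own implementation. It works on task lists already parsed from YAML, also walks nested blocks and accepts the fully qualified module name; treating an empty ip_range_filter as unset and skipping state: absent tasks are assumptions of this example.

```python
"""Flag azure_rm_cosmosdbaccount tasks that create an account without ip_range_filter."""
import sys

MODULES = {"azure_rm_cosmosdbaccount", "azure.azcollection.azure_rm_cosmosdbaccount"}
# Keys under which Ansible nests further task lists (plays, blocks, handlers).
NESTED = ("tasks", "pre_tasks", "post_tasks", "handlers", "block", "rescue", "always")


def find_unfiltered(items, path="tasks"):
    """Return [(location, task name)] for Cosmos DB tasks lacking ip_range_filter."""
    findings = []
    for i, item in enumerate(items or []):
        if not isinstance(item, dict):
            continue
        here = f"{path}[{i}]"
        for key in NESTED:
            if isinstance(item.get(key), list):
                findings += find_unfiltered(item[key], f"{here}.{key}")
        for module in item.keys() & MODULES:
            args = item[module]
            if not isinstance(args, dict):
                continue  # free-form "key=value" arguments are not handled here
            if args.get("state", "present") == "absent":
                continue  # assumption: a task that deletes the account is not a finding
            if not str(args.get("ip_range_filter") or "").strip():
                findings.append((here, item.get("name", "<unnamed>")))
    return findings


# Constructed sample: the page's two test cases (trimmed) plus a task nested in a block.
SAMPLE = [
    {"name": "Create Cosmos DB Account - max",
     "azure_rm_cosmosdbaccount": {"resource_group": "myResourceGroup",
                                  "name": "myDatabaseAccount", "kind": "mongo_db"}},
    {"name": "Create Cosmos DB Account - filtered",
     "azure_rm_cosmosdbaccount": {"resource_group": "myResourceGroup",
                                  "name": "myDatabaseAccount",
                                  "ip_range_filter": "10.10.10.10"}},
    {"name": "Provisioning group", "block": [
        {"name": "Nested account",
         "azure.azcollection.azure_rm_cosmosdbaccount": {
             "resource_group": "myResourceGroup", "name": "nestedAccount"}}]},
]

if __name__ == "__main__":
    tasks = SAMPLE
    if len(sys.argv) > 1:  # optional: scan a real task file or playbook (requires PyYAML)
        import yaml
        with open(sys.argv[1]) as fh:
            tasks = yaml.safe_load(fh)
    for location, name in find_unfiltered(tasks):
        print(f"{location}: '{name}' has no ip_range_filter")
```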