IMPORTANT: DevOps Kit (AzSK) is being sunset by end of FY21.
Description & Rationale | ControlSeverity | Automated | Fix Script |
---|---|---|---|
**Cosmos DB firewall should be enabled.** Using the firewall feature ensures that access to the data or the service is restricted to a specific set/group of clients. While this may not be feasible in all scenarios, when it can be used, it provides an extra layer of access control protection for critical assets. | High | Yes | No |
**Configure only the required IP addresses on Cosmos DB firewall.** Using the firewall feature ensures that access to the data or the service is restricted to a specific set/group of clients. For effective usage, whitelist only the required IPs. Whitelisting larger ranges like 0.0.0.0/0, 0.0.0.0/1, 128.0.0.0/1, etc. will defeat the purpose. | High | Yes | No |
**Do not use 'Eventual' consistency.** Using Eventual consistency might cause undesired effects due to its ordering guarantees. This consistency level is the weakest of all, and the values returned by reads are not guaranteed to reflect the latest write. | High | Yes | No |
**Use global replication.** Replication ensures continuity and rapid recovery during disasters. | Medium | Yes | No |
**Use automatic failover.** Automatic failover ensures continuity and automatic recovery during disasters. | Medium | Yes | No |
**Use parameterized SQL queries.** Parameterized SQL queries nullify the possibility of SQL injection by pre-compiling the query. This treats user input values purely as data. | High | No | No |
**Cosmos DB account keys must be rotated periodically.** Periodic key/password rotation is a good security hygiene practice as, over time, it minimizes the likelihood of data loss/compromise which can arise from key theft/brute forcing/recovery attacks. | Medium | No | No |
**Generate resource tokens with just enough privileges and expiry needed by clients.** Using appropriate ACLs ensures that data is protected and accessible only to the entities with the appropriate level of access. | High | No | No |
**Do not send resource tokens with read-write (RW) permission to untrusted clients.** An untrusted client might use the read-write resource tokens that it received to make undesirable updates to the resource. | High | No | No |