AzPolicyAdvertizer

last sync: 2021-May-10 15:04:35 UTC

Azure Policy definition

Configure CosmosDB accounts to disable public network access

Name Configure CosmosDB accounts to disable public network access
Azure Portal

Id da69ba51-aaf1-41e5-8651-607cd0b37088

Version 1.0.0
details on versioning

Category Cosmos DB
Microsoft docs

Description Disable public network access for your CosmosDB resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation.

Mode Indexed

Type BuiltIn

Preview FALSE

Deprecated FALSE

Effect Default: Modify
Allowed: (Modify, Disabled)

Used RBAC Role

Role Name	Role Id
Contributor	b24988ac-6180-42a0-ab88-20f7382dd24c
DocumentDB Account Contributor	5bd9cd88-fe45-4216-938b-f97437e15450

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2021-03-09 14:37:41	add	da69ba51-aaf1-41e5-8651-607cd0b37088

Used in Initiatives none

JSON

{
  "properties": {
    "displayName": "Configure CosmosDB accounts to disable public network access ",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Disable public network access for your CosmosDB resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation.",
    "metadata": {
      "version": "1.0.0",
      "category": "Cosmos DB"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Modify",
          "Disabled"
        ],
        "defaultValue": "Modify"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DocumentDB/databaseAccounts"
          },
          {
            "field": "Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
            "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450"
          ],
          "conflictEffect": "audit",
          "operations": [
            {
            "condition": "[greaterOrEquals(requestContext().apiVersion, '2021-01-15')]",
              "operation": "addOrReplace",
              "field": "Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess",
              "value": "Disabled"
            }
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "da69ba51-aaf1-41e5-8651-607cd0b37088"
}