Data at risk

Cosmos DB Accounts metadata is accessible via SDK (Key-based)

Risk Level

Informational (4)

Platform(s)
Compliance Frameworks

Description

The Azure Cosmos DB resource provider can be locked down so that clients authenticating with the account keys (that is, applications connecting through the Azure Cosmos DB SDK) cannot change resources. When the account setting `disableKeyBasedMetadataWriteAccess` is enabled, key-based SDK clients are prevented from changing any property of the Cosmos DB account, its databases, containers, and throughput; reading and writing data in the containers themselves is not affected. With the restriction in place, changes to those resources can only be made by a principal that holds Azure Active Directory credentials (including Managed Service Identities) together with the appropriate Azure role. This is desirable for production environments that need a higher degree of control and governance: the account keys are long-lived shared secrets, and any application holding them could otherwise alter or delete databases and containers or change provisioned throughput, whereas role-based changes are tied to an individual identity and role assignment.
  • Recommended Mitigation

    It is recommended to restrict write access to Cosmos DB metadata via the SDK (key-based) by enabling the `disableKeyBasedMetadataWriteAccess` setting on each Cosmos DB account, so that databases, containers, and throughput can only be changed through Azure role assignments.
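The following is an added audit script, not code from the original page or from Azure. It evaluates the JSON that `az cosmosdb list -o json` returns (a constructed sample is embedded inline, with placeholder account and resource-group names) and reports every account whose `disableKeyBasedMetadataWriteAccess` property is not true, emitting the `az cosmosdb update` command that remediates it. It assumes the Azure CLI's flattened output shape, in which that property appears at the top level of each account object; the function names are the author's own.

```python
"""Audit Azure Cosmos DB accounts for key-based metadata write access.

Added example (not from the original page). Reads the JSON produced by
`az cosmosdb list -o json`, flags accounts where key-based SDK clients can
still change account, database, container and throughput metadata, and
prints the remediation command for each one.
"""
import json
from typing import Iterable, List

# Constructed sample in the (assumed) flattened shape of `az cosmosdb list`.
# Account names and resource groups are placeholders, not real resources.
SAMPLE_ACCOUNTS_JSON = json.dumps([
    {"name": "orders-prod", "resourceGroup": "rg-prod",
     "disableKeyBasedMetadataWriteAccess": True},
    {"name": "analytics-prod", "resourceGroup": "rg-prod",
     "disableKeyBasedMetadataWriteAccess": False},
    # Property absent: the account was never updated, so the default (false) applies.
    {"name": "legacy-dev", "resourceGroup": "rg-dev"},
])


def key_based_metadata_writes_allowed(account: dict) -> bool:
    """True when clients holding the account keys can still alter metadata.

    The property defaults to false when it is missing from the account, so an
    absent key must be treated as non-compliant rather than skipped.
    """
    return not bool(account.get("disableKeyBasedMetadataWriteAccess", False))


def find_noncompliant(accounts: Iterable[dict]) -> List[dict]:
    """Return the accounts that still permit key-based metadata writes."""
    return [a for a in accounts if key_based_metadata_writes_allowed(a)]


def remediation_command(account: dict) -> str:
    """Azure CLI command that enables the lockdown on one account."""
    return (
        f"az cosmosdb update --name {account['name']} "
        f"--resource-group {account['resourceGroup']} "
        "--disable-key-based-metadata-write-access true"
    )


def audit(accounts_json: str) -> List[str]:
    """Parse `az cosmosdb list` output and return one remediation command per finding."""
    accounts = json.loads(accounts_json)
    return [remediation_command(a) for a in find_noncompliant(accounts)]


if __name__ == "__main__":
    # Replace SAMPLE_ACCOUNTS_JSON with the real CLI output to audit a subscription:
    #   az cosmosdb list -o json > accounts.json
    findings = audit(SAMPLE_ACCOUNTS_JSON)
    print(f"{len(findings)} account(s) still allow key-based metadata writes")
    for cmd in findings:
        print(cmd)
```

Run it against real output by piping `az cosmosdb list -o json` into `audit()`. After applying the emitted `az cosmosdb update` commands, a key-authenticated SDK client will no longer be able to create or alter databases, containers, or throughput on those accounts, while its reads and writes of container data continue to work; the same change can be made from the portal or an ARM template by setting `properties.disableKeyBasedMetadataWriteAccess` to true.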