Policy: Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.03 - Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible

Configures auditing against a CIS Benchmark item.

Level: 1

Cosmos DB can use tokens or AAD for client authentication which in turn will use Azure RBAC for authorization. Using AAD is significantly more secure because AAD handles the credentials and allows for MFA and centralized management, and the Azure RBAC better integrated with the rest of Azure.

Resource Types

This policy targets the following resource types:

Azure > Subscription

Primary Policy

This policy is used with the following primary policy:

Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB

Attestation

Controls

Policy Specification

Schema Type	`string`
Default	`Per Azure > CIS v2.0 > 04 - Database Services`
Valid Values [YAML]	`Per Azure > CIS v2.0 > 04 - Database Services` `Skip` `Check: Benchmark using attestation`

In Your Workspace

Policy Settings by Type report

Developers

Category URI

tmod:@turbot/cis#/control/categories/v071602

Policy Type URI

tmod:@turbot/azure-cisv2-0#/policy/types/r040503

GraphQL

query policyType(id: "tmod:@turbot/azure-cisv2-0#/policy/types/r040503") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/azure-cisv2-0#/policy/types/r040503'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/azure-cisv2-0#/policy/types/r040503'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/azure-cisv2-0#/policy/types/r040503"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/azure-cisv2-0#/policy/types/r040503"