Help Center
Go back to application
Help Center
Go back to application
Platform Terms GlossarySupport and Bug Reporting
Task Management
Task Management explained Creating Tasks Setting up Task NotificationsGiving permissions to team members
Organization
Working together in KertosInviting UsersCreating rolesAssigning System AccessCreating Departments and Assigning Users
Integrations
Discovery
Tasks
Device Management
Human Resource Information Systems
Inventory
Inventorization of vendorsInventorization of systemsInventorization of assetsEU AI Act: Inventorization of AI use cases
Risks
Managing risks
Trust Center
Setting up your trust center
Incidents
Reporting incidents
KAIA
KAIA explainedPrinciples of AI at Kertos
Interacting with KAIA
Compliance
Frameworks explainedManaging & implementing controlsCreating & managing policiesCompleting & assigning trainingsGuidance
Privacy Management
Creating a RoPACreating TOMsCreating DPIAs
Data Subject Requests
API Reference
Ingress API Docs for DSRs Webhook API Docs for DSRs
Auto Checks
Auto Checks explainedAuto Checks: AWS Auto Checks: GCPAuto Checks: AzureEnabling Auto Checks by Reconfiguring the Azure IntegrationEnabling Auto Checks by Reconfiguring the GCP IntegrationEnabling Auto Checks by Reconfiguring the AWS Integration
AWS Auto Checks Detailed Explanations
Azure Auto Checks Detailed Explanations
Verify that Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database ServerVerify that server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database ServerVerify that server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database ServerVerify that server parameter 'log_connections' is set to 'ON' for PostgreSQL Database ServerVerify that 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database ServerVerify that Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database ServerVerify that Activity Log Alert exists for Create Policy AssignmentVerify that Activity Log Alert exists for Create or Update Public IP Address ruleVerify that Activity Log Alert exists for Delete SQL Server Firewall RuleVerify that Activity Log Alert exists for Create or Update SQL Server Firewall RuleVerify that Activity Log Alert exists for Delete Network Security GroupVerify that the storage account containing the container with activity logs is encrypted with Customer Managed KeyVerify that Activity Log Alert exists for Delete Policy AssignmentVerify that Activity Log Alert exists for Create or Update Network Security GroupVerify that Diagnostic Setting captures appropriate categoriesVerify that Activity Log Alert exists for Create or Update Security SolutionVerify that Activity Log Alert exists for Delete Public IP Address ruleVerify that logging for Azure AppService 'HTTP logs' is enabledVerify that logging for Azure Key Vault is 'Enabled'Verify that the Expiration Date is set for all Keys in RBAC Key VaultsEnable Role Based Access Control for Azure Key VaultVerify that Private Endpoints are Used for Azure Key VaultVerify that the Key Vault is RecoverableVerify that HTTP(S) access from the Internet is evaluated and restrictedVerify that SSH access from the Internet is evaluated and restrictedVerify that Network Security Group Flow Log retention period is 'greater than 90 days'Verify that Network Watcher is 'Enabled' for all locations in the Azure subscriptionVerify that RDP access from the Internet is evaluated and restrictedVerify that That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All NetworksVerify that That Private Endpoints Are Used Where PossibleVerify that 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database ServerVerify that 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server

Verify that That Private Endpoints Are Used Where Possible

Framework Reference: A.8.23 Integration: Azure – Cosmos DB (Private Endpoint)

Why this matters
Private endpoints ensure that traffic between your Azure Cosmos DB and other services stays within the Azure backbone network, never traversing the public Internet. This significantly reduces exposure to external threats and gives organizations full control over access paths, making it a key control for data confidentiality and compliance.

What this check does
This Auto Check verifies that Azure Cosmos DB accounts have at least one private endpoint configured, and that the connection state is approved.

Check Logic:
Passes if:

  • A private endpoint exists for the Cosmos DB account
  • Connection state = Approved

Fails if:

  • No private endpoint is configured
    OR
  • Private endpoint exists but is not in approved state

How to fix it

Azure Portal:

  1. Open the Azure portal and go to Cosmos DB
  2. Select the Cosmos DB account
  3. Click Networking β†’ Private access
  4. Click + Private Endpoint
  5. Provide a Name and click Next
  6. Under Resource type, select Microsoft.AzureCosmosDB/databaseAccounts
  7. Under Resource, select your Cosmos DB account
  8. Click Next, then enter:
  9. Virtual network details
  10. DNS configuration
  11. Tags (optional)
  12. Click Next: Review + create, then Create

Azure CLI:

az network private-endpoint create \  --name <private-endpoint-name> \  --resource-group <resource-group> \  --vnet-name <vnet-name> \  --subnet <subnet-name> \  --private-connection-resource-id /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.DocumentDB/databaseAccounts/<cosmosdb-name> \  --group-id Sql \  --connection-name <connection-name>

To verify connection state:

az cosmosdb private-endpoint-connection list \  --account-name <cosmosdb-name> \  --resource-group <resource-group>

PowerShell:

PowerShell command not explicitly provided by the CIS Benchmark. Use Azure Portal or CLI to configure.

Exceptions
None. Private endpoints should be configured wherever network isolation is required.

Was this article helpful?

Powered by Product Fruits