Wiz recently published details of a very critical vulnerability in one of Microsoft Azure's flagship services, Azure Cosmos DB.
Because these things all need great names, Wiz called this one #ChaosDB.
Is my Cosmos DB Database Secure?
“no customer data was accessed because of this vulnerability by third parties or security researchers”
If you were affected by this vulnerability, Microsoft says it has sent you an email and a notification in the Azure Portal.
However, the fact that nobody accessed your data does not mean that nobody obtained your keys and is holding on to them.
Microsoft did fix the issue very quickly, but customers should still take action.
What was Exposed?
Through this vulnerability the researchers showed that they could read other Azure Cosmos DB customers' account keys.
Those keys are long-lived: they never change or expire unless you, the customer, regenerate them.
Think of them as the master keys to your database account: whoever holds one can do whatever they want with the data in it.
So although the issue has been patched and should no longer be exploitable, you still need to regenerate those keys: anyone who copied a key before the fix can keep using it until you do.
Regenerate Cosmos DB Keys
Regenerating all the keys is simple, super simple in fact. Aaron Powell from Microsoft has published a small script that does it for all your Cosmos DB accounts.
Be aware though that regenerating keys means every application that authenticates to Cosmos DB with them also needs its connection string updated. To avoid an outage, rotate one key at a time: move applications onto the secondary key, regenerate the primary, move them back, then regenerate the secondary. Do not forget the read-only keys, which are also long-lived.
We recommend having a regular key rotation schedule as part of your Cosmos DB lifecycle.
Identify Cosmos DB with Old Keys
Identifying all the Cosmos DB accounts with old keys (keys that have not been regenerated recently) is not straightforward, because nothing on the account itself tells you when a key was last regenerated.
Review the Azure Activity Log and regularly search for events with the operation name "Microsoft.DocumentDB/databaseAccounts/regenerateKey/action" and status "Succeeded" (a "Started" or "Failed" event leaves the old keys in place). We recommend rotating keys at least every 90 days. Note that the Activity Log itself retains only 90 days of events, so an account with no successful regenerateKey event in the log has keys that are at least 90 days old, or that were never rotated; if you want a longer history, export the Activity Log to a Log Analytics workspace or a storage account.
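The two steps above (finding accounts with stale keys in the Activity Log, then regenerating their keys) can be tied together in a small script. The one below is an added example written for this post, not Aaron Powell's script or any ARGOS code. It works on the parsed JSON of `az cosmosdb list -o json` and `az monitor activity-log list -o json` (here replaced by constructed sample data in the same shape), treats any successful regenerateKey event as a rotation of that account's keys, and prints the `az cosmosdb keys regenerate` commands for the accounts that need attention rather than running them. The subscription ID, account names and resource groups are made up.

```python
"""Flag Cosmos DB accounts with no successful regenerateKey event in the last
90 days and emit the az CLI commands that would rotate their keys.
All account and event data below is constructed for the example."""
from datetime import datetime, timedelta, timezone

REGEN_OP = "Microsoft.DocumentDB/databaseAccounts/regenerateKey/action"
LISTKEYS_OP = "Microsoft.DocumentDB/databaseAccounts/listKeys/action"
MAX_KEY_AGE = timedelta(days=90)
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # made-up subscription


def account_id(rg, name):
    return f"{SUB}/resourceGroups/{rg}/providers/Microsoft.DocumentDB/databaseAccounts/{name}"


def event(ts, op, rid, status):
    """Minimal Activity Log event in the shape `az monitor activity-log list` returns."""
    return {"eventTimestamp": ts, "operationName": {"value": op},
            "resourceId": rid, "status": {"value": status}}


# Stand-in for `az cosmosdb list -o json` (unused fields dropped).
ACCOUNTS = [
    {"name": "orders-db", "resourceGroup": "rg-prod", "id": account_id("rg-prod", "orders-db")},
    {"name": "users-db", "resourceGroup": "rg-prod", "id": account_id("rg-prod", "users-db")},
    {"name": "telemetry-db", "resourceGroup": "rg-ops", "id": account_id("rg-ops", "telemetry-db")},
    {"name": "legacy-db", "resourceGroup": "rg-ops", "id": account_id("rg-ops", "legacy-db")},
]

# Stand-in for an Activity Log export. Each regenerateKey call produces a Started
# event followed by a Succeeded (or Failed) one; only Succeeded counts as a rotation.
EVENTS = [
    event("2021-08-25T09:12:44.1234567Z", REGEN_OP, account_id("rg-prod", "orders-db"), "Started"),
    event("2021-08-25T09:12:46.0000000Z", REGEN_OP, account_id("rg-prod", "orders-db"), "Succeeded"),
    # listKeys reads the keys but does not rotate them: must not count.
    event("2021-08-30T11:00:00.0000000Z", LISTKEYS_OP, account_id("rg-prod", "users-db"), "Succeeded"),
    # Activity Log resource IDs are not case-normalized; this rotation is 104 days old.
    event("2021-05-20T08:00:00.0000000Z", REGEN_OP, account_id("rg-prod", "users-db").upper(), "Succeeded"),
    # A failed regenerate leaves the old keys in place.
    event("2021-08-28T15:30:00.0000000Z", REGEN_OP, account_id("rg-ops", "telemetry-db"), "Failed"),
    # legacy-db has no regenerateKey event at all.
]


def parse_ts(s):
    """Activity Log timestamps carry up to 7 fractional digits and a trailing Z, which
    datetime.fromisoformat rejects before Python 3.11; second precision is enough here."""
    base = s.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def last_rotation(events):
    """Map lower-cased resourceId -> time of the newest *succeeded* regenerateKey event."""
    latest = {}
    for ev in events:
        if ev.get("operationName", {}).get("value", "").lower() != REGEN_OP.lower():
            continue
        if ev.get("status", {}).get("value") != "Succeeded":
            continue
        rid = ev["resourceId"].lower()
        ts = parse_ts(ev["eventTimestamp"])
        if rid not in latest or ts > latest[rid]:
            latest[rid] = ts
    return latest


def stale_accounts(accounts, events, now, max_age=MAX_KEY_AGE):
    """Accounts with no successful rotation within max_age, paired with their last rotation (or None)."""
    latest = last_rotation(events)
    stale = []
    for acct in accounts:
        last = latest.get(acct["id"].lower())
        if last is None or now - last > max_age:
            stale.append((acct, last))
    return stale


def rotation_plan(stale):
    """az commands per stale account. Secondary keys come first so applications can be moved
    onto a fresh secondary before the primary they are using changes; read-only keys follow."""
    cmds = []
    for acct, _ in stale:
        for kind in ("secondary", "primary", "secondaryReadonly", "primaryReadonly"):
            cmds.append(f"az cosmosdb keys regenerate --name {acct['name']} "
                        f"--resource-group {acct['resourceGroup']} --key-kind {kind}")
    return cmds


def stale_names(now):
    return [acct["name"] for acct, _ in stale_accounts(ACCOUNTS, EVENTS, now)]


if __name__ == "__main__":
    now = parse_ts("2021-09-01T00:00:00Z")  # use datetime.now(timezone.utc) against real data
    for acct, last in stale_accounts(ACCOUNTS, EVENTS, now):
        age = f"{(now - last).days} days old" if last else "never rotated"
        print(f"{acct['name']} ({acct['resourceGroup']}): keys {age}")
    print("\n".join(rotation_plan(stale_accounts(ACCOUNTS, EVENTS, now))))
```

Run against real data by replacing ACCOUNTS and EVENTS with the `json.load`ed output of the two az commands (use `--offset 90d` on the Activity Log query, or a Log Analytics export for a longer window). Review the printed plan and execute the commands between application cut-overs rather than all at once.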
Automation
Instead of doing this manually, why not use a service like ARGOS that does this automatically for you?
Identification and optional remediation of this issue is already covered by ARGOS.
If you have not signed up for ARGOS yet, spend a few minutes (seriously, minutes!) on our free trial and see whether you have any Cosmos DB accounts whose keys have not been regenerated yet.
Sign up at https://app.argos-security.io