What it is
A Cosmos DB account whose publicNetworkAccess property is set to Enabled, exposing its data-plane endpoint to the public internet. Anyone who can reach the endpoint and holds a key or token can read and write every database and container in the account, no matter which network they connect from.
Why it happens
publicNetworkAccess defaults to Enabled when you create a Cosmos DB account. Locking it down is a separate, deliberate step, and it is easy to skip when a team is focused on getting the app talking to the database.
The trap that catches careful teams is that adding a private endpoint does not disable public access. You wire up Private Link, assume the account is now private, and the public endpoint stays open the whole time because the two settings are independent. Nothing in the portal flags the contradiction, so an account can sit "behind" a private endpoint and still answer the internet.
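A check for exactly this trap, as an added example that is not part of this page or of StratoLens: it classifies accounts from JSON shaped like the output of `az cosmosdb list -o json` (the records below are constructed samples; the connection ids are placeholders), separates accounts that have a private endpoint but still answer publicly from the rest, and builds the `az cosmosdb update --public-network-access DISABLED` call that closes the endpoint. A missing `publicNetworkAccess` is treated as Enabled, since that is the default for a new account.

```python
"""Flag Cosmos DB accounts that still answer on the public endpoint.
Input is shaped like `az cosmosdb list -o json` (the CLI flattens properties);
the records here are constructed samples, not real accounts."""
import json

SAMPLE_ACCOUNTS = json.loads("""[
  {"name": "corp-cosmos", "resourceGroup": "rg-app",
   "publicNetworkAccess": "Enabled", "privateEndpointConnections": []},
  {"name": "corp-cosmos-pl", "resourceGroup": "rg-app",
   "publicNetworkAccess": "Enabled",
   "privateEndpointConnections": [{"id": "PLACEHOLDER-pe-connection-id"}]},
  {"name": "corp-cosmos-locked", "resourceGroup": "rg-data",
   "publicNetworkAccess": "Disabled",
   "privateEndpointConnections": [{"id": "PLACEHOLDER-pe-connection-id"}]},
  {"name": "corp-cosmos-legacy", "resourceGroup": "rg-data"}
]""")


def classify(account: dict) -> str:
    """Return 'private', 'public', or 'public-despite-private-endpoint'.

    A missing publicNetworkAccess is treated as Enabled, which is the Azure
    default when an account is created.
    """
    public = account.get("publicNetworkAccess", "Enabled")
    if public == "Disabled":
        return "private"
    # Private Link is wired up, but the public endpoint was never closed: the
    # two settings are independent, so this account is still on the internet.
    if account.get("privateEndpointConnections"):
        return "public-despite-private-endpoint"
    return "public"


def find_exposed(accounts: list) -> list:
    """List (name, verdict) for every account that is not fully private."""
    return [(a["name"], classify(a)) for a in accounts if classify(a) != "private"]


def remediation_command(account: dict) -> str:
    """The Azure CLI call that closes the public endpoint for one account."""
    return (f"az cosmosdb update --name {account['name']} "
            f"--resource-group {account['resourceGroup']} "
            "--public-network-access DISABLED")
```

Feed `find_exposed` the parsed output of `az cosmosdb list -o json` to run it against a real subscription; anything tagged `public-despite-private-endpoint` is the silent case described above.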
What it costs / blast radius
The blast radius is the entire account: every database, container, and document, reachable from any network. (Azure behavior; authored assessment.) Access is gated only by keys or tokens, so a leaked connection string, a key committed to a repo, or a token pulled from a compromised app becomes a direct path to your data with no network boundary in the way. Cosmos DB stores primary keys that grant full account access, which makes the exposed surface unusually high value.
See it
// Before: the account answers on the public endpoint.
// `location` was undeclared in the original snippet; a parameter is added so the file compiles.
param location string = resourceGroup().location

resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2024-05-15' = {
  name: 'corp-cosmos'
  location: location
  kind: 'GlobalDocumentDB'
  properties: {
    databaseAccountOfferType: 'Standard'
    publicNetworkAccess: 'Enabled' // reachable from the internet, keys are the only gate
    locations: [ { locationName: location } ]
  }
}

// After: the same account with the public endpoint closed (separate template, same symbolic name).
param location string = resourceGroup().location

resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2024-05-15' = {
  name: 'corp-cosmos'
  location: location
  kind: 'GlobalDocumentDB'
  properties: {
    databaseAccountOfferType: 'Standard'
    publicNetworkAccess: 'Disabled' // the public endpoint stops answering
    locations: [ { locationName: location } ]
  }
}
// A private endpoint is required for private access, but note:
// adding one does NOT flip publicNetworkAccess for you. Set both.

How StratoLens helps
StratoLens flags Cosmos DB accounts with public network access enabled automatically, continuously, across every subscription in your tenant, and catches the setting silently flipping back to Enabled after someone tightens it. You find out that the database is on the internet before an attacker does, not during the incident review.