- Regenerate Access Keys for Azure Cosmos DB Accounts
Ensure that the access keys created for your Microsoft Azure Cosmos DB accounts are regularly regenerated (rotated) in order to meet security and compliance requirements. By default, it is recommended to regenerate access keys every 90 days.
The access keys created for your Azure Cosmos DB accounts should be regenerated periodically to enhance security by minimizing the risk of unauthorized access if the keys are compromised. Regularly updating access keys helps protect sensitive data and maintain the integrity of the system.
Audit
To regenerate (rotate) the access keys generated for your Azure Cosmos DB accounts, perform the following operations:
Using Azure Portal
01 Sign in to the Microsoft Azure Portal.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Cosmos DB account for Value, then choose Apply to list the Azure Cosmos DB accounts available in the selected subscription.
05 Click on the name (link) of the Azure Cosmos DB account that you want to examine.
06 In the resource navigation panel, under Settings, choose Keys, select the Read-write Keys/Read-only Keys tab, and check the last creation date of PRIMARY KEY and SECONDARY KEY, listed next to Last regenerated. If more than 90 days have passed since the PRIMARY KEY and/or SECONDARY KEY was created, the access key is not rotated on a regular basis: the key is outdated and needs to be regenerated in order to secure access to the Azure Cosmos DB account.
07 Repeat steps no. 5 and 6 for each Azure Cosmos DB account available in the selected subscription.
08 Repeat steps no. 3 – 7 for each Azure subscription created within your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run cosmosdb list command (Windows/macOS/Linux) with custom output filters to list the ID of each Azure Cosmos DB account available in the selected subscription:
az cosmosdb list --query '[*].id'
05 The command output should return the requested Azure Cosmos DB account IDs:
[ "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-cosmos-database", "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-cosmos-prod-dba-account" ]
06 Run cosmosdb show command (Windows/macOS/Linux) with the ID of the Azure Cosmos DB account that you want to examine as the identifier parameter and custom output filters to describe the creation date for each access key generated for the selected Cosmos DB account:
az cosmosdb show --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-cosmos-database" --query 'keysMetadata'
07 The command output should return the creation date for the read-write and read-only keys:
{ "primaryMasterKey": { "generationTime": "2025-01-15T06:56:54.757020+00:00" }, "primaryReadonlyMasterKey": { "generationTime": "2025-01-15T06:56:54.757020+00:00" }, "secondaryMasterKey": { "generationTime": "2025-01-15T06:56:54.757020+00:00" }, "secondaryReadonlyMasterKey": { "generationTime": "2025-01-15T06:56:54.757020+00:00" } }
Check the "generationTime" attribute value (timestamp) returned by the cosmosdb show command output to determine when each access key was created. If more than 90 days have passed since an access key was created, the credentials generated for the selected Azure Cosmos DB account are not being rotated regularly.
08 Repeat steps no. 6 and 7 for each Azure Cosmos DB account available within the selected Azure subscription.
09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.
Remediation / Resolution
To rotate (regenerate) outdated access keys for your Azure Cosmos DB accounts, perform the following operations:
Using Azure Portal
01 Sign in to the Microsoft Azure Portal.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Cosmos DB account for Value, then choose Apply to list the Azure Cosmos DB accounts available in the selected subscription.
05 Click on the name (link) of the Azure Cosmos DB account that you want to configure.
06 In the resource navigation panel, under Settings, choose Keys, and perform the following actions to rotate the outdated access keys:
- Select the Read-write Keys/Read-only Keys tab and click on the Regenerate Primary Key button (i.e., refresh icon) next to PRIMARY KEY and Regenerate Secondary Key button next to SECONDARY KEY.
- Choose OK for confirmation. The regeneration process will start immediately.
07 Update all your applications and systems to replace the outdated access keys with the new ones created in the previous step.
08 Repeat steps no. 5 – 7 for each Azure Cosmos DB account that you want to configure, available within the selected Azure subscription.
09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run cosmosdb keys regenerate command (Windows/macOS/Linux) to rotate (regenerate) outdated access keys for the selected Azure Cosmos DB account. Use the --key-kind command parameter to specify the type of the key that you want to regenerate. The accepted values are: "primary", "primaryReadonly", "secondary", and "secondaryReadonly". Configure the --key-kind parameter and run the command for each supported key type (the command does not produce an output):
az cosmosdb keys regenerate --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-cosmos-database" --key-kind "primary"
05 Update all your applications and systems to replace the outdated access keys with the new ones created in the previous step.
06 Repeat step no. 4 for each Azure Cosmos DB account that you want to configure, available within the selected subscription.
07 Repeat steps no. 3 – 6 for each Azure subscription created within your Microsoft Azure cloud account.
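The following script is an added example, not part of this knowledge base article or of the Azure CLI, that automates the two CLI procedures above: it parses the keysMetadata JSON returned by az cosmosdb show (step 7 of the Audit procedure), reports every key whose generationTime is more than 90 days old, and builds the matching az cosmosdb keys regenerate command for each stale key using the --key-kind values listed in step 4 of the Remediation procedure. The SAMPLE_KEYS_METADATA document and the AUDIT_DATE are constructed values so the check can be exercised offline; the account resource ID placeholder and the function names are assumptions of this example. Regeneration commands are only printed unless execute=True is passed, so a default run is a dry run.

```python
"""Audit and rotation helper for Azure Cosmos DB account access keys.

Added example (not the article's own code): it reads the JSON printed by
`az cosmosdb show --query keysMetadata`, flags keys older than 90 days and
builds the `az cosmosdb keys regenerate` commands needed to rotate them.
"""
import json
import subprocess
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # rotation interval recommended by the article

# keysMetadata field name -> value accepted by `az cosmosdb keys regenerate --key-kind`
KEY_KIND = {
    "primaryMasterKey": "primary",
    "primaryReadonlyMasterKey": "primaryReadonly",
    "secondaryMasterKey": "secondary",
    "secondaryReadonlyMasterKey": "secondaryReadonly",
}

# Constructed sample in the shape of the article's `--query keysMetadata` output;
# the secondary keys are deliberately older than the primary ones.
SAMPLE_KEYS_METADATA = json.dumps({
    "primaryMasterKey": {"generationTime": "2025-01-15T06:56:54.757020+00:00"},
    "primaryReadonlyMasterKey": {"generationTime": "2025-01-15T06:56:54.757020+00:00"},
    "secondaryMasterKey": {"generationTime": "2024-06-01T00:00:00+00:00"},
    "secondaryReadonlyMasterKey": {"generationTime": "2024-06-01T00:00:00+00:00"},
})

# Assumed audit date for the offline demonstration.
AUDIT_DATE = datetime(2025, 3, 1, tzinfo=timezone.utc)


def key_ages(keys_metadata_json, now):
    """Return {key name: age in whole days} parsed from the keysMetadata JSON text."""
    ages = {}
    for name, info in json.loads(keys_metadata_json).items():
        generated = datetime.fromisoformat(info["generationTime"])
        if generated.tzinfo is None:
            # Treat a naive timestamp as UTC so the subtraction is well defined.
            generated = generated.replace(tzinfo=timezone.utc)
        ages[name] = (now - generated).days
    return ages


def stale_keys(keys_metadata_json, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Names of keys generated more than max_age_days ago, in a stable order."""
    return sorted(name for name, age in key_ages(keys_metadata_json, now).items()
                  if age > max_age_days)


def regenerate_commands(account_id, key_names):
    """Build one `az cosmosdb keys regenerate` command per stale key."""
    return [
        ["az", "cosmosdb", "keys", "regenerate", "--ids", account_id,
         "--key-kind", KEY_KIND[name]]
        for name in key_names if name in KEY_KIND
    ]


def audit_account(account_id, now=None, execute=False):
    """Fetch keysMetadata with the Azure CLI, report stale keys, optionally rotate them.

    Requires a logged-in `az` CLI with the target subscription selected
    (steps 1-3 of the CLI procedures). Returns the list of stale key names.
    """
    now = now or datetime.now(timezone.utc)
    shown = subprocess.run(
        ["az", "cosmosdb", "show", "--ids", account_id,
         "--query", "keysMetadata", "-o", "json"],
        check=True, capture_output=True, text=True)
    stale = stale_keys(shown.stdout, now)
    for cmd in regenerate_commands(account_id, stale):
        print(" ".join(cmd))
        if execute:
            subprocess.run(cmd, check=True)
    return stale


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; no Azure access needed.
    stale = stale_keys(SAMPLE_KEYS_METADATA, AUDIT_DATE)
    print("keys older than %d days: %s" % (MAX_KEY_AGE_DAYS, stale))
    for cmd in regenerate_commands("<cosmos-db-account-resource-id>", stale):
        print(" ".join(cmd))
```

Run with no arguments to see the offline check; call audit_account() with a real account resource ID (the format shown in step 5 of the Audit procedure) to audit a live account, and pass execute=True only once the applications that use the account are ready for the key switch described in step 5 of the Remediation procedure.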