Userinfo for audit RU changes
There is currently no audit of RU changes to determine the userinfo. If an unauthorized user makes a change to Cosmos DB RUs, it is impossible to audit it.
We have not yet documented this, but this capability is now available. Customers can now audit throughput changes in Cosmos DB.
Here are the steps…
1. Create and deploy an Azure Policy with an audit action on the throughput resource with a scope of the database account.
2. Validate the service principals who should have access to the Cosmos account have proper RBAC roles.
WARNING: This next step will prevent anyone with keys from changing throughput or making any change to Cosmos resources. If your applications using our SDKs update throughput or make any other change to your Cosmos resources, this will break. Unfortunately there is no way to provide this functionality without doing this next step.
3. Next, update the Cosmos account and set the disableKeyBasedMetadataWriteAccess property to true. You can do this via an ARM template or the Azure Management Library. AML samples for Cosmos DB are here: https://github.com/Azure-Samples/cosmos-management-net. For an ARM template, simply export your current account and update this property to true.
4. After this step, only authorized service principals can change throughput. With the Azure Policy, these actions will be audited.
We are going to document these steps in an upcoming article, but if you’re familiar with Azure Policy and ARM, you can do this today.
Thanks for your suggestion.
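An Azure Policy definition for step 1 above, added here as an example and not taken from the answer or from any Microsoft sample. It audits writes to the SQL API database- and container-level throughputSettings child resources; the other APIs (MongoDB, Cassandra, Gremlin, Table) expose analogous throughputSettings types that can be added to the anyOf list, and the display name, description and parameter name are assumptions.

```json
{
  "properties": {
    "displayName": "Audit changes to Cosmos DB throughput (RU/s)",
    "description": "Records an audit event whenever a throughputSettings resource under a Cosmos DB account is created or updated. Assign at database-account scope (step 1).",
    "mode": "All",
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit records the change; Disabled turns the policy off."
        },
        "allowedValues": [ "Audit", "Disabled" ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "field": "type",
            "equals": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings"
          },
          {
            "field": "type",
            "equals": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

The mode must be All, not Indexed, because throughputSettings are child resources that carry no tags or location and would otherwise never be evaluated; the policy only sees changes made through ARM, which is why step 3 (disableKeyBasedMetadataWriteAccess) is required to close the key-based path.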