Azure Cosmos DB Security

Cosmos DB security encompasses various aspects including authentication, authorization, and data encryption. This page provides an overview and guidance on securing your Cosmos DB deployments.

Authentication

Cosmos DB supports the following authentication methods:

  • Account keys (primary and secondary, each in a read-write and a read-only variant): a shared secret that grants data-plane access to the entire account. Holding the read-write primary key is equivalent to administrative access to all data, so keys belong in a secret store, never in source or configuration files. The secondary key exists so that the primary can be rotated without downtime.
  • Resource tokens: short-lived, permission-scoped tokens minted by a trusted middle tier that holds the account key, used to give an end user access to a single container, partition key or document without handing out the key.
  • Microsoft Entra ID (formerly Azure Active Directory): token-based authentication for users, groups, service principals and managed identities, authorized through Cosmos DB data-plane RBAC. Once every client authenticates this way, set the account property disableLocalAuth to true so that key and resource-token authentication is rejected.
  • Managed identities: an identity Azure assigns to a compute resource (VM, App Service, Functions, AKS) so that the workload can authenticate to Cosmos DB through Entra ID with no key or password in code or configuration. Note the direction: the identity belongs to the caller, not to Cosmos DB. A Cosmos DB account can also be given its own managed identity, which it uses to reach Azure Key Vault for customer-managed keys.
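
To make concrete why an account key must be treated as a full-access credential, the following added example (written for this page, not Microsoft SDK code) builds and verifies the Authorization header that key-based authentication uses over the REST API: HMAC-SHA256 of "verb, resource type, resource link, x-ms-date" keyed with the base64-decoded account key, URL-encoded as type=master&ver=1.0&sig=... . The two keys in the block are constructed and fake; the resource link is an illustrative one.

```python
"""Cosmos DB account-key ("master key") request signing, as the REST API does it.

Added example for this page, not Microsoft SDK code. It builds and verifies the
Authorization header that account-key (key-based) authentication uses, so the
reader can see that the key is a bearer-equivalent secret: anyone holding it can
sign any request for the whole account. The keys below are constructed and fake.
"""
import base64
import hashlib
import hmac
from email.utils import formatdate

# Constructed, throwaway key with the shape Azure issues (base64 of 64 random bytes).
# It authenticates nothing; a real key must never live in source control.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
# A second constructed key, standing in for the secondary key after rotation.
ROTATED_KEY = base64.b64encode(bytes(range(64, 128))).decode()

API_VERSION = "2018-12-31"  # x-ms-version sent alongside the signature


def signing_payload(verb, resource_type, resource_link, date_header):
    """String the service signs: verb, resource type and date lowercased, the
    resource link (e.g. dbs/ToDoList/colls/Items/docs/1) as-is, then an empty line."""
    return (f"{verb.lower()}\n{resource_type.lower()}\n{resource_link}\n"
            f"{date_header.lower()}\n\n")


def _percent_encode_lower(text):
    """URL-encode with lowercase hex, as the REST docs ask for (e.g. '=' -> '%3d')."""
    safe = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.~"
    return "".join(chr(b) if b in safe else f"%{b:02x}" for b in text.encode("utf-8"))


def master_key_auth_header(key_b64, verb, resource_type, resource_link, date_header):
    """Authorization header value: type=master&ver=1.0&sig=<base64 HMAC-SHA256>,
    keyed with the base64-decoded account key, then URL-encoded."""
    key = base64.b64decode(key_b64)
    payload = signing_payload(verb, resource_type, resource_link, date_header)
    digest = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).digest()
    sig = base64.b64encode(digest).decode()
    return _percent_encode_lower(f"type=master&ver=1.0&sig={sig}")


def request_headers(key_b64, verb, resource_type, resource_link, date_header=None):
    """Headers a client attaches. x-ms-date must be the date that was signed; the
    service rejects requests whose date is too far from its own clock."""
    date_header = date_header or formatdate(usegmt=True)
    return {
        "Authorization": master_key_auth_header(
            key_b64, verb, resource_type, resource_link, date_header),
        "x-ms-date": date_header,
        "x-ms-version": API_VERSION,
    }


def verify_master_key_auth(key_b64, header, verb, resource_type, resource_link, date_header):
    """Service-side check: recompute and compare in constant time. Any change to the
    verb, resource, date or key (e.g. after rotation) makes verification fail."""
    expected = master_key_auth_header(key_b64, verb, resource_type, resource_link, date_header)
    return hmac.compare_digest(expected, header)


if __name__ == "__main__":
    hdrs = request_headers(SAMPLE_KEY, "GET", "docs", "dbs/ToDoList/colls/Items/docs/1")
    for name, value in hdrs.items():
        print(f"{name}: {value}")
```

The verification function shows the operational consequence of key rotation: a request signed with the old key fails as soon as the service only knows the new one, which is why the secondary key is rotated first, clients are moved to it, and only then the primary is regenerated.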

Authorization

Cosmos DB has two separate role-based access control (RBAC) layers, and it matters which one a role is granted in:

  • Control plane (Azure RBAC): roles such as Owner, Contributor, Reader and Cosmos DB Operator govern account management (creating accounts, changing throughput, configuring networking). Owner and Contributor can list the account keys, which is an indirect path to all data, so treat them as data access when threat-modelling; Cosmos DB Operator can manage the account without being able to read keys. Assigning Reader in Azure RBAC does not grant reads of data.
  • Data plane (Cosmos DB RBAC): the built-in roles Cosmos DB Built-in Data Reader and Cosmos DB Built-in Data Contributor, or custom role definitions listing explicit dataActions, are assigned to Entra ID users, groups, service principals and managed identities at account, database or container scope (for example with az cosmosdb sql role assignment create). These roles authorize read, write and query operations on data and are what an application's managed identity should hold.

Important Note: Apply the principle of least privilege: grant only the permissions a principal needs, at the narrowest scope that works (a container rather than the whole account), and prefer Data Reader over Data Contributor wherever the workload only reads.

Data Encryption

Cosmos DB encrypts all data at rest, including indexes and backups, by default with service-managed keys; nothing has to be enabled. For control over the key, configure customer-managed keys (CMK): the account's keyVaultKeyUri property points at a key in Azure Key Vault, and Cosmos DB wraps and unwraps its internal data encryption keys with that key using either a managed identity assigned to the account or the Azure Cosmos DB first-party identity granted in the vault's access policy. The vault must have soft-delete and purge protection enabled. Revoking Cosmos DB's access to the key renders the account's data unreadable until access is restored, so CMK also works as a kill switch during an incident. Separately, traffic in transit is protected with TLS (the account's minimalTlsVersion setting should require TLS 1.2), and sensitive properties can be encrypted client-side with Always Encrypted, in which case neither the plaintext nor the key ever reaches the service.
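
Pulling the Authentication, Authorization and Data Encryption settings above together, the following added example (written for this page, not Microsoft tooling) audits an account for the controls discussed: whether key-based authentication is still enabled (disableLocalAuth), whether a customer-managed key is configured (keyVaultKeyUri), the minimum TLS version, and whether any data-plane role assignment grants Data Contributor at account scope. It runs offline over constructed records in the shape of `az cosmosdb show -o json` and `az cosmosdb sql role assignment list -o json`; the account name, subscription, resource group and principal IDs are made up, while the two role-definition GUIDs are the fixed IDs of the built-in data-plane roles.

```python
"""Least-privilege audit of a Cosmos DB account's auth, RBAC and encryption settings.

Added example, not Microsoft tooling. It runs offline over constructed records in
the shape returned by `az cosmosdb show -o json` and
`az cosmosdb sql role assignment list -o json`; the account name, subscription,
resource group and principal IDs are made up. The two role-definition GUIDs are
the real, fixed IDs of the built-in data-plane roles.
"""
import re

BUILTIN_DATA_READER = "00000000-0000-0000-0000-000000000001"
BUILTIN_DATA_CONTRIBUTOR = "00000000-0000-0000-0000-000000000002"

# Constructed ARM resource ID of the account under review.
ACCOUNT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-orders"
              "/providers/Microsoft.DocumentDB/databaseAccounts/orders-prod")

# Subset of `az cosmosdb show` output (constructed).
SAMPLE_ACCOUNT = {
    "name": "orders-prod",
    "disableLocalAuth": False,   # keys and resource tokens still accepted
    "keyVaultKeyUri": None,      # service-managed encryption keys
    "minimalTlsVersion": "Tls12",
}

# Subset of `az cosmosdb sql role assignment list` output (constructed).
SAMPLE_ASSIGNMENTS = [
    {   # an app's managed identity holding Data Contributor on the whole account
        "principalId": "11111111-aaaa-4aaa-8aaa-111111111111",
        "roleDefinitionId": f"{ACCOUNT_ID}/sqlRoleDefinitions/{BUILTIN_DATA_CONTRIBUTOR}",
        "scope": ACCOUNT_ID,
    },
    {   # a reporting job's identity with read-only access to one container
        "principalId": "22222222-bbbb-4bbb-8bbb-222222222222",
        "roleDefinitionId": f"{ACCOUNT_ID}/sqlRoleDefinitions/{BUILTIN_DATA_READER}",
        "scope": f"{ACCOUNT_ID}/dbs/orders/colls/items",
    },
]

_SCOPE_RE = re.compile(
    r"/databaseAccounts/[^/]+(?:/dbs/(?P<db>[^/]+)(?:/colls/(?P<coll>[^/]+))?)?$")


def scope_level(scope):
    """Classify a data-plane RBAC scope as account, database or container."""
    m = _SCOPE_RE.search(scope)
    if not m:
        return "unknown"
    if m.group("coll"):
        return "container"
    if m.group("db"):
        return "database"
    return "account"


def audit(account, assignments):
    """Return (severity, subject, message) findings. The severity labels are this
    example's own, not an Azure scoring."""
    findings = []
    if not account.get("disableLocalAuth"):
        findings.append(("HIGH", account["name"],
                         "key-based auth still enabled; set disableLocalAuth=true once every "
                         "client authenticates with Entra ID"))
    if not account.get("keyVaultKeyUri"):
        findings.append(("INFO", account["name"],
                         "encryption at rest uses service-managed keys; set keyVaultKeyUri "
                         "for a customer-managed key if key control is required"))
    if account.get("minimalTlsVersion") not in (None, "Tls12"):
        findings.append(("MEDIUM", account["name"],
                         f"minimalTlsVersion is {account['minimalTlsVersion']}; require Tls12"))
    for a in assignments:
        role = a["roleDefinitionId"].rsplit("/", 1)[-1]
        level = scope_level(a["scope"])
        if role == BUILTIN_DATA_CONTRIBUTOR and level == "account":
            findings.append(("MEDIUM", a["principalId"],
                             "Data Contributor at account scope; re-assign at the database or "
                             "container the workload actually writes to"))
        elif role not in (BUILTIN_DATA_READER, BUILTIN_DATA_CONTRIBUTOR):
            findings.append(("INFO", a["principalId"],
                             f"custom role {role}; review its dataActions for wildcards"))
    return findings


def run_sample_audit():
    """Audit the constructed sample account and its role assignments."""
    return audit(SAMPLE_ACCOUNT, SAMPLE_ASSIGNMENTS)


if __name__ == "__main__":
    for severity, subject, message in run_sample_audit():
        print(f"[{severity}] {subject}: {message}")
```

On the sample data the audit reports the still-enabled key authentication, the absence of a customer-managed key, and the account-wide Data Contributor grant; the container-scoped Data Reader assignment produces no finding, which is the shape a least-privilege assignment should have. To run it against a real account, replace the two sample structures with the parsed output of the two az commands named in the docstring.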