MSDN Documentation

Azure Cosmos DB Security Best Practices

Last updated: October 26, 2023

This document outlines the recommended security best practices for Azure Cosmos DB to help you protect your data and ensure compliance.

Data Encryption

Azure Cosmos DB encrypts all data at rest and in transit by default. This includes:

  • Encryption at Rest: Data stored in Azure Cosmos DB is automatically encrypted using AES-256. You can optionally use your own keys managed by Azure Key Vault (Customer-Managed Keys - CMK) for an additional layer of control.
  • Encryption in Transit: All client connections to Azure Cosmos DB are secured using TLS 1.2.

Customer-Managed Keys (CMK)

For enhanced control over encryption keys, you can enable Customer-Managed Keys for your Azure Cosmos DB accounts. This involves:

  • Creating or using an existing Azure Key Vault.
  • Configuring managed identities for your Azure Cosmos DB account.
  • Granting the managed identity appropriate permissions in Key Vault.
  • Enabling CMK on your Azure Cosmos DB account, linking it to your Key Vault.

Note: Enabling CMK requires careful planning, especially for existing accounts. Consider enabling it during account creation.

Network Security

Control network access to your Azure Cosmos DB accounts using a combination of methods:

Firewall Rules

Azure Cosmos DB provides a built-in firewall that allows you to restrict access to your account based on IP addresses or IP ranges. You can configure this through the Azure portal, Azure CLI, or Azure PowerShell.

Virtual Network (VNet) Service Endpoints

You can restrict your Azure Cosmos DB account to only accept requests from a specific virtual network. This ensures that your data can only be accessed from within your trusted VNet environment.

Private Endpoints

Azure Private Endpoint provides the best network isolation by allowing you to access Azure Cosmos DB from your VNet without exposing your account to the public internet. It assigns a private IP address from your VNet to the Azure Cosmos DB account.

Access Control

Implement robust access control mechanisms to ensure that only authorized users and applications can access your data.

Role-Based Access Control (RBAC)

Azure RBAC is the primary mechanism for managing access to Azure resources, including Azure Cosmos DB. You can assign roles like "Contributor" or "Reader" at different scopes (subscription, resource group, or individual account).

Resource Tokens and Master Keys

Azure Cosmos DB uses a combination of master keys and resource tokens for authentication and authorization:

  • Master Keys: Grant full administrative access to an Azure Cosmos DB account. These should be managed securely and used sparingly, primarily for management operations.
  • Resource Tokens: Provide fine-grained access control to specific resources (databases, collections, documents) within an Azure Cosmos DB account. These are typically generated by an application or service and are ideal for client-side access.

Best Practice: Avoid using master keys for application access. Instead, generate and manage resource tokens for your applications.

Data Plane RBAC

For granular control over data operations (CRUD operations on items), Azure Cosmos DB supports data plane RBAC. This allows you to assign permissions to specific users or service principals for actions like reading, writing, or deleting data within collections. You can leverage Azure AD identities to authenticate data plane operations.
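The following added example (not Microsoft's code) evaluates a data plane RBAC role definition and assignment locally, so you can check a least-privilege role before deploying it. The role and assignment are constructed; the action strings and the JSON shape follow the format used by `az cosmosdb sql role definition create`, and the wildcard and scope semantics are modelled as documented for data plane RBAC.

```python
from fnmatch import fnmatchcase

# Constructed custom role in the JSON shape taken by
# `az cosmosdb sql role definition create --body`: read items and run
# queries only. readMetadata is needed by the SDKs to resolve containers.
READ_ONLY_ROLE = {
    "RoleName": "AppReadOnly",
    "Type": "CustomRole",
    "AssignableScopes": ["/"],
    "Permissions": [{"DataActions": [
        "Microsoft.DocumentDB/databaseAccounts/readMetadata",
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read",
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/executeQuery",
    ]}],
}

# Constructed assignment of that role to a single container (the scope is
# the resource path used in data plane RBAC role assignments).
ASSIGNMENT = {"role": READ_ONLY_ROLE, "scope": "/dbs/orders/colls/invoices"}


def action_matches(granted: str, requested: str) -> bool:
    """A granted action covers the request exactly or through a trailing '*'."""
    if granted.endswith("*"):
        return fnmatchcase(requested, granted)
    return granted == requested


def scope_covers(assigned: str, target: str) -> bool:
    """'/' covers the whole account; otherwise the target must sit under the scope."""
    if assigned == "/":
        return True
    return target == assigned or target.startswith(assigned.rstrip("/") + "/")


def is_allowed(assignment: dict, action: str, resource: str) -> bool:
    """True if the assignment grants `action` on `resource`."""
    if not scope_covers(assignment["scope"], resource):
        return False
    granted = [a for perm in assignment["role"]["Permissions"] for a in perm["DataActions"]]
    return any(action_matches(g, action) for g in granted)


def wildcard_grants(role: dict) -> list:
    """Wildcard data actions (e.g. '.../items/*') that usually exceed least privilege."""
    return [a for perm in role["Permissions"] for a in perm["DataActions"] if a.endswith("*")]
```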

Auditing and Monitoring

Regularly audit and monitor your Azure Cosmos DB accounts to detect suspicious activity and ensure compliance.

Azure Monitor and Diagnostic Logs

Azure Cosmos DB integrates with Azure Monitor to provide comprehensive metrics and logs. You can collect diagnostic logs for:

  • Requests: Information about each request made to the database.
  • Audit: Detailed audit logs of operations performed on your account.
  • AllMetrics: Metrics related to performance and usage.

Configure these logs to be sent to Azure Log Analytics, Storage Accounts, or Event Hubs for analysis and alerting.
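As an added example (not Microsoft's code), the script below runs two checks over exported request logs that follow from the guidance above: which clients still authenticate data plane requests with a master key, and which clients accumulate 401/403 responses. The records are constructed; their field names and the AuthenticationType values are an assumption modelled on the CDBDataPlaneRequests Log Analytics table, so verify them against your workspace schema.

```python
import json
from collections import Counter

# Constructed sample export, one JSON record per line, in the shape of the
# CDBDataPlaneRequests Log Analytics table (field names are an assumption).
SAMPLE_LOG = """\
{"OperationName":"Query","AuthenticationType":"AadToken","ClientIpAddress":"10.1.0.4","StatusCode":200}
{"OperationName":"Create","AuthenticationType":"PrimaryMasterKey","ClientIpAddress":"10.1.0.7","StatusCode":201}
{"OperationName":"Read","AuthenticationType":"PrimaryMasterKey","ClientIpAddress":"203.0.113.9","StatusCode":401}
{"OperationName":"Read","AuthenticationType":"PrimaryMasterKey","ClientIpAddress":"203.0.113.9","StatusCode":401}
{"OperationName":"Read","AuthenticationType":"PrimaryMasterKey","ClientIpAddress":"203.0.113.9","StatusCode":403}
{"OperationName":"Delete","AuthenticationType":"ResourceToken","ClientIpAddress":"10.1.0.9","StatusCode":204}
"""

# Token types that carry account-wide rights (assumed log values).
MASTER_KEY_TYPES = {
    "PrimaryMasterKey", "SecondaryMasterKey",
    "PrimaryReadonlyMasterKey", "SecondaryReadonlyMasterKey",
}


def parse_records(text: str) -> list:
    """Parse newline-delimited JSON records; skip blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def master_key_clients(records: list) -> list:
    """Client IPs whose successful requests used a master key: each is an
    application that should move to resource tokens or data plane RBAC."""
    return sorted({r["ClientIpAddress"] for r in records
                   if r["AuthenticationType"] in MASTER_KEY_TYPES
                   and r["StatusCode"] < 400})


def auth_failure_bursts(records: list, threshold: int = 3) -> dict:
    """Clients with at least `threshold` 401/403 responses, a signal worth an alert."""
    counts = Counter(r["ClientIpAddress"] for r in records
                     if r["StatusCode"] in (401, 403))
    return {ip: n for ip, n in counts.items() if n >= threshold}
```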

Azure Security Center

Azure Security Center provides security recommendations and threat detection for your Azure Cosmos DB resources. Review its recommendations regularly.

Application Security

Secure your applications that interact with Azure Cosmos DB:

  • Secure Connection Strings: Do not embed connection strings directly in your application code. Use secure methods like Azure Key Vault to store and retrieve them.
  • Least Privilege Principle: Grant your application's identity only the permissions it needs to perform its tasks.
  • Input Validation: Always validate user input to prevent injection attacks.
  • SDK Security: Keep your Azure Cosmos DB SDKs updated to the latest versions to benefit from security patches and enhancements.

Compliance

Azure Cosmos DB helps you meet various compliance requirements. Refer to the Microsoft Trust Center for detailed information on Azure compliance offerings.

Key Takeaways

  • Keep encryption at rest and in transit enabled (both are on by default).
  • Configure Customer-Managed Keys for enhanced control.
  • Utilize firewalls, VNet service endpoints, and Private Endpoints for network security.
  • Implement RBAC and resource tokens for robust access control.
  • Enable auditing and monitoring through Azure Monitor.
  • Secure your applications by managing credentials securely and following the principle of least privilege.

By adhering to these best practices, you can significantly enhance the security posture of your Azure Cosmos DB deployments.