Azure Cosmos DB Security Overview
Azure Cosmos DB is a globally distributed, multi-model database service. Ensuring the security of your data within Cosmos DB is paramount. This reference guide covers the comprehensive security features and best practices available.
Authentication and Authorization
Resource Tokens
Resource tokens grant fine-grained access to specific resources (a container, an item, or an attachment) within a Cosmos DB database. They are not minted by the client: a mid-tier service that holds the account key creates a permission resource for a user, the service returns the token, and the mid-tier hands it to the client. Tokens are time-limited (one hour by default, five hours at most) and cannot be used to create, read, or delete permissions, so a leaked token is bounded in both scope and lifetime.
- Granting read-only (Read) or read-write (All) access to a specific item or container.
- Ideal for mobile and web clients that must never receive the account key.
Master Keys
Master keys (the account's primary and secondary keys) grant full administrative access to the whole Cosmos DB account: every database, every container, and every item. A read-only pair of keys also exists and grants read access to everything. A key carries no identity, so requests signed with it cannot be attributed to a person or workload in the logs, and anyone who can list the keys through the control plane has the same access as the key. Keep keys out of client code and source control, store them in a secret store such as Azure Key Vault, rotate them by moving workloads to the secondary key before regenerating the primary, and once no workload needs them, disable key-based authentication on the account (the disableLocalAuth property) so that only Microsoft Entra ID identities can reach the data.
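As an added example (not part of this guide or of the Azure SDKs), the following Python shows how the two credential types look on the wire. A master-key request is authenticated by an HMAC-SHA256 signature over the verb, resource type, resource link, and date, computed with the decoded key; a resource-token request simply forwards the token the service issued. The key bytes and the resource link are constructed for the demo; the canonical string and header format are those of the Cosmos DB REST API.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed sample key for the demo. A real account key is a 64-byte secret
# delivered base64-encoded; this one is deliberately a non-secret byte pattern.
SAMPLE_MASTER_KEY = base64.b64encode(bytes(range(64))).decode("ascii")


def string_to_sign(verb: str, resource_type: str, resource_link: str, date_header: str) -> str:
    """Canonical text the REST API signs: lowercase verb, lowercase resource type
    ("dbs", "colls", "docs", ...), the case-sensitive resource link, the lowercase
    RFC 1123 x-ms-date value, then an empty field; every field newline-terminated."""
    return f"{verb.lower()}\n{resource_type.lower()}\n{resource_link}\n{date_header.lower()}\n\n"


def master_key_auth_header(key_b64: str, verb: str, resource_type: str,
                           resource_link: str, date_header: str) -> str:
    """Authorization header value for master-key auth: HMAC-SHA256 over the
    canonical text, keyed with the base64-decoded account key, then URL-encoded."""
    payload = string_to_sign(verb, resource_type, resource_link, date_header).encode("utf-8")
    mac = hmac.new(base64.b64decode(key_b64), payload, hashlib.sha256).digest()
    return quote(f"type=master&ver=1.0&sig={base64.b64encode(mac).decode('ascii')}", safe="")


def resource_token_auth_header(resource_token: str) -> str:
    """Authorization header value when the client holds a resource token instead
    of the key: the token (the _token of a permission the service issued) is
    forwarded as-is, so the client never signs anything and never sees the key."""
    return quote(f"type=resource&ver=1.0&sig={resource_token}", safe="")


def rfc1123_utc_now() -> str:
    """x-ms-date must be within 15 minutes of the service clock, so a captured
    master-key header is replayable only for this exact request, and only briefly."""
    return datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")


if __name__ == "__main__":
    date = rfc1123_utc_now()
    link = "dbs/ToDoList/colls/Items"  # constructed database and container names
    print("x-ms-date   :", date)
    print("GET docs    :", master_key_auth_header(SAMPLE_MASTER_KEY, "GET", "docs", link, date))
    # Same key, same date, different verb: a different signature. The key holder
    # can sign any operation, but each signature binds exactly one request.
    print("DELETE docs :", master_key_auth_header(SAMPLE_MASTER_KEY, "DELETE", "docs", link, date))
    print("resource tok:", resource_token_auth_header("constructed-token-value"))
```

Because the signature covers the verb, resource, and date, a captured Authorization header is useful only for replaying that one request inside the date window; the key itself, by contrast, signs anything against any resource in the account. That asymmetry is why the key belongs on a mid-tier and only tokens belong on clients.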
RBAC (Role-Based Access Control)
Azure Cosmos DB has two RBAC layers. Azure RBAC governs the control plane: management operations on accounts, databases, and containers, assigned at subscription, resource-group, or account scope to users, groups, and service principals. A separate data-plane RBAC, built into Cosmos DB and authenticated with Microsoft Entra ID, governs reading and writing the data itself; its role definitions and assignments are scoped to the account, a database, or a container rather than to Azure resources, and it is the replacement for handing keys to applications.
Built-in Roles:
- Cosmos DB Operator (control plane): provision accounts, databases, and containers, but neither read data nor list keys.
- Cosmos DB Account Reader Role (control plane): read account properties. Note that the listKeys action, which the generic Owner and Contributor roles include, is equivalent to full data access and should be treated as a privileged permission.
- Cosmos DB Built-in Data Reader and Cosmos DB Built-in Data Contributor (data plane): read, or read and write, items in the NoSQL API. Assign them at the narrowest database or container scope the workload needs, or define a custom role containing only the data actions it uses.
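Added example, not from this guide or from Microsoft: a small Python linter for custom data-plane role definitions in the JSON shape accepted by az cosmosdb sql role definition create. The data action names are those of the NoSQL API data plane; the three role definitions and the idea of declaring a role "read-only" are constructed for the demo.

```python
from typing import Dict, List

ACCOUNT = "Microsoft.DocumentDB/databaseAccounts/"
CONTAINER = ACCOUNT + "sqlDatabases/containers/"
ITEM = CONTAINER + "items/"

# NoSQL API data actions, grouped by effect.
READ_ACTIONS = {ACCOUNT + "readMetadata", ITEM + "read",
                CONTAINER + "executeQuery", CONTAINER + "readChangeFeed"}
WRITE_ACTIONS = {ITEM + "create", ITEM + "replace", ITEM + "upsert", ITEM + "delete",
                 CONTAINER + "executeStoredProcedure", CONTAINER + "manageConflicts"}
# A wildcard includes every action beneath it, including ones added later.
WILDCARDS = {ACCOUNT + "*", CONTAINER + "*", ITEM + "*"}

# Constructed role definitions in the --body shape of `az cosmosdb sql role definition create`.
ORDERS_READER = {
    "RoleName": "OrdersReader",
    "Type": "CustomRole",
    "AssignableScopes": ["/dbs/shop/colls/orders"],
    "Permissions": [{"DataActions": [
        ACCOUNT + "readMetadata", ITEM + "read",
        CONTAINER + "executeQuery", CONTAINER + "readChangeFeed",
    ]}],
}
OVERBROAD_READER = {
    "RoleName": "OrdersReader",
    "Type": "CustomRole",
    "AssignableScopes": ["/"],                       # whole account
    "Permissions": [{"DataActions": [CONTAINER + "*"]}],  # every container action
}
ORDERS_WRITER = {
    "RoleName": "OrdersWriter",
    "Type": "CustomRole",
    "AssignableScopes": ["/dbs/shop/colls/orders"],
    "Permissions": [{"DataActions": [ACCOUNT + "readMetadata", ITEM + "read", ITEM + "upsert"]}],
}


def lint_role(role: Dict, read_only: bool) -> List[str]:
    """Return least-privilege findings for a custom data-plane role definition."""
    findings = []
    if role.get("Type") != "CustomRole":
        findings.append(f"Type is {role.get('Type')!r}; custom definitions must be CustomRole")
    for scope in role.get("AssignableScopes", []):
        if scope == "/":
            findings.append("assignable at account scope '/'; scope to /dbs/<db> or /dbs/<db>/colls/<container>")
    actions = {a for p in role.get("Permissions", []) for a in p.get("DataActions", [])}
    for action in sorted(actions):
        if action in WILDCARDS:
            findings.append(f"wildcard {action} grants every action beneath it, including future ones")
        elif action in WRITE_ACTIONS and read_only:
            findings.append(f"{action} is a write action in a role meant to be read-only")
        elif action not in READ_ACTIONS | WRITE_ACTIONS:
            findings.append(f"unrecognised data action {action}")
    # The SDKs read container and partition metadata before any item request,
    # so a role without readMetadata fails at runtime rather than being "tighter".
    if ACCOUNT + "readMetadata" not in actions:
        findings.append("readMetadata missing; the SDKs need it to resolve partition layout")
    return findings


if __name__ == "__main__":
    for name, role, ro in (("reader", ORDERS_READER, True),
                           ("overbroad", OVERBROAD_READER, True),
                           ("writer", ORDERS_WRITER, True)):
        print(name, lint_role(role, read_only=ro) or "ok")
```

Run the linter over every custom role definition exported from the account (az cosmosdb sql role definition list) before assignments are created; an account-scoped wildcard role assigned to a service principal is functionally a key with a name attached.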
Data Encryption
Encryption at Rest
All data stored in Azure Cosmos DB is automatically encrypted at rest with AES-256 using service-managed keys. This applies to all data, including documents, attachments, backups, and logs, and needs no configuration. If you need to control the key yourself (for example, to be able to revoke it), configure customer-managed keys stored in Azure Key Vault; the service then cannot decrypt the account's data without access to your vault, so treat the vault's access policy and key lifecycle as part of the database's security boundary.
Encryption in Transit
Connections to Azure Cosmos DB are encrypted with TLS (Transport Layer Security). The service accepts TLS 1.2 and higher, and the account's minimalTlsVersion property lets you reject anything older; set it to Tls12 so that a client with a downgraded TLS stack fails to connect instead of connecting weakly. The official SDKs negotiate TLS 1.2 or higher by default, so data is encrypted while travelling between your application and the service.
Network Security
Firewall
You can configure an IP firewall that restricts access to your Cosmos DB account to specific public IP addresses or CIDR ranges. A new account accepts connections from all networks until you add a rule, so treat the firewall as part of provisioning rather than an afterthought. Firewall rules do not replace authentication; a request from an allowed address still needs a valid key, token, or Microsoft Entra ID identity.
Configuring Firewall Rules:
Access the firewall settings in the Azure portal under your Cosmos DB account's networking configuration.
You can specify individual IPv4 addresses or CIDR ranges. The option to accept connections from within public Azure datacenters adds the rule 0.0.0.0, which admits traffic from any Azure IP address, not only yours; prefer the specific addresses of your own services, a VNet rule, or a private endpoint.
Virtual Network (VNet) Service Endpoints
Azure Cosmos DB supports VNet service endpoints, which let you restrict the account to traffic arriving from specific Azure Virtual Network subnets. Traffic from those subnets stays on the Azure backbone network, and the account rejects requests from anywhere else unless an IP rule allows them. The account keeps its public IP address, so this is an allowlist on the public endpoint rather than a private one.
Private Endpoints
Private Endpoints place a network interface with a private IP address from your VNet in front of the Cosmos DB account, so clients in that VNet (and in peered or on-premises networks connected to it) reach the service over Private Link without touching the public endpoint; the account's hostname resolves to the private IP through a privatelink DNS zone. Set publicNetworkAccess to Disabled at the same time; otherwise the public endpoint stays reachable, subject only to the IP firewall.
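Added example, not from this guide or from Microsoft: a Python audit of an account description in the shape returned by az cosmosdb show -o json, covering the network settings above together with the key and TLS settings discussed earlier. The two account objects are constructed; the property names (publicNetworkAccess, ipRules, isVirtualNetworkFilterEnabled, virtualNetworkRules, privateEndpointConnections, disableLocalAuth, minimalTlsVersion) are those of the Microsoft.DocumentDB/databaseAccounts resource, and the 256-address threshold for calling a rule "broad" is an arbitrary choice for the demo.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed account descriptions in the shape of `az cosmosdb show -o json`.
OPEN_ACCOUNT = {
    "name": "shop-dev",
    "publicNetworkAccess": "Enabled",
    "ipRules": [{"ipAddressOrRange": "0.0.0.0"}, {"ipAddressOrRange": "10.0.0.0/8"}],
    "isVirtualNetworkFilterEnabled": False,
    "virtualNetworkRules": [],
    "privateEndpointConnections": [],
    "disableLocalAuth": False,
    "minimalTlsVersion": "Tls",
}
LOCKED_ACCOUNT = {
    "name": "shop-prod",
    "publicNetworkAccess": "Disabled",
    "ipRules": [],
    "isVirtualNetworkFilterEnabled": False,
    "virtualNetworkRules": [],
    "privateEndpointConnections": [{"id": "/subscriptions/00000000-0000-0000-0000-000000000000"
                                          "/resourceGroups/rg-shop/providers/Microsoft.DocumentDB"
                                          "/databaseAccounts/shop-prod/privateEndpointConnections/shop-prod-pe"}],
    "disableLocalAuth": True,
    "minimalTlsVersion": "Tls12",
}

Finding = Tuple[str, str]  # (severity, message)


def audit_account(acct: Dict, max_rule_addresses: int = 256) -> List[Finding]:
    """Check one account description for the exposures discussed in this guide."""
    findings: List[Finding] = []
    public = acct.get("publicNetworkAccess", "Enabled") == "Enabled"
    ip_rules = [r["ipAddressOrRange"] for r in acct.get("ipRules", [])]
    vnet_filter = acct.get("isVirtualNetworkFilterEnabled", False) and acct.get("virtualNetworkRules")

    # Public endpoint with neither IP rules nor VNet rules: reachable from anywhere.
    if public and not ip_rules and not vnet_filter:
        findings.append(("critical", "public endpoint accepts connections from any network"))
    # A private endpoint only removes exposure if the public endpoint is switched off.
    if public and acct.get("privateEndpointConnections"):
        findings.append(("high", "private endpoint configured but publicNetworkAccess is still Enabled"))
    for rule in ip_rules:
        if rule == "0.0.0.0":
            findings.append(("high", "ipRule 0.0.0.0 admits every Azure datacenter address, not just yours"))
            continue
        try:
            net = ipaddress.ip_network(rule, strict=False)
        except ValueError:
            findings.append(("medium", f"ipRule {rule!r} is not a valid address or CIDR range"))
            continue
        if net.num_addresses > max_rule_addresses:
            findings.append(("medium", f"ipRule {rule} covers {net.num_addresses} addresses"))
    if not acct.get("disableLocalAuth", False):
        findings.append(("medium", "key-based authentication enabled; any key holder has full access"))
    if acct.get("minimalTlsVersion") != "Tls12":
        findings.append(("medium", f"minimalTlsVersion is {acct.get('minimalTlsVersion')!r}; set Tls12"))
    return findings


if __name__ == "__main__":
    for acct in (OPEN_ACCOUNT, LOCKED_ACCOUNT):
        print(acct["name"])
        for severity, message in audit_account(acct) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```

Feed it the JSON for every account in a subscription (for example from az cosmosdb list) and gate deployments on an empty result for production accounts; the critical and high findings correspond to misconfigurations that make the firewall or private endpoint decorative.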
Auditing and Monitoring
Azure Monitor
Azure Monitor collects platform metrics for your Cosmos DB resources, including total requests, throttled requests (HTTP 429), normalized RU consumption, latency, storage, and availability. Alerts on these metrics catch capacity problems, and a sudden rise in request volume or in failed requests is also an early signal of abuse, so alert on those as well as on throughput.
Azure Activity Log
The Azure Activity Log captures subscription-level, control-plane events: operations performed on Cosmos DB resources through Azure Resource Manager, such as creating a database, updating a firewall rule, or regenerating and listing keys, together with the identity that performed them. It is crucial for auditing and compliance, but it does not record data-plane operations (reads, writes, or queries against items); for those you need diagnostic logs.
Diagnostic Logs
Diagnostic settings export detailed logs of operations performed against your Cosmos DB account, organized by category: DataPlaneRequests (every read, write, and query, with the client IP address, operation, and status code), ControlPlaneRequests, QueryRuntimeStatistics, and PartitionKeyStatistics among others. You can route these logs to Azure Storage, Azure Event Hubs, or Azure Monitor Logs for analysis and retention. Choose the resource-specific destination tables where they are offered; they are cheaper to query than the generic AzureDiagnostics table and keep the columns typed.
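Added example, not from this guide or from Microsoft: detection logic in Python over constructed DataPlaneRequests-style log lines, flagging account-key use from addresses outside the service's own ranges and clusters of denied requests from one client. The JSON field names (AuthenticationType, ClientIpAddress, StatusCode, and so on), the value "key" for key-based authentication, and the address ranges are assumptions for the demo; map them to the columns of the table your diagnostic setting actually writes to.

```python
import ipaddress
import json
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample: one JSON object per line in the spirit of the
# DataPlaneRequests category. Field names are assumed for this demo.
SAMPLE_LOG_LINES = [
    '{"TimeGenerated":"2024-05-01T10:00:01Z","OperationName":"Read","AuthenticationType":"aad","ClientIpAddress":"10.20.0.14","StatusCode":200,"DatabaseName":"shop","CollectionName":"orders"}',
    '{"TimeGenerated":"2024-05-01T10:00:02Z","OperationName":"Query","AuthenticationType":"key","ClientIpAddress":"10.20.0.15","StatusCode":200,"DatabaseName":"shop","CollectionName":"orders"}',
    '{"TimeGenerated":"2024-05-01T10:00:05Z","OperationName":"Query","AuthenticationType":"key","ClientIpAddress":"198.51.100.23","StatusCode":200,"DatabaseName":"shop","CollectionName":"customers"}',
    '{"TimeGenerated":"2024-05-01T10:00:06Z","OperationName":"Delete","AuthenticationType":"key","ClientIpAddress":"198.51.100.23","StatusCode":403,"DatabaseName":"shop","CollectionName":"customers"}',
    '{"TimeGenerated":"2024-05-01T10:00:07Z","OperationName":"Delete","AuthenticationType":"key","ClientIpAddress":"198.51.100.23","StatusCode":403,"DatabaseName":"shop","CollectionName":"customers"}',
    '{"TimeGenerated":"2024-05-01T10:00:08Z","OperationName":"Read","AuthenticationType":"key","ClientIpAddress":"198.51.100.23","StatusCode":401,"DatabaseName":"shop","CollectionName":"orders"}',
    '{"TimeGenerated":"2024-05-01T10:00:09Z","OperationName":"Read","AuthenticationType":"aad","ClientIpAddress":"203.0.113.7","StatusCode":401,"DatabaseName":"shop","CollectionName":"orders"}',
    '{"TimeGenerated":"2024-05-01T10:00:10Z","OperationName":"Read"',  # truncated line, as exports sometimes contain
]

# Address ranges where the service's own workloads, the only legitimate key
# holders, run. Constructed for the demo.
SERVICE_CIDRS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_events(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON lines, skipping malformed ones rather than aborting the sweep."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def _inside(ip_text: str, cidrs) -> bool:
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable address: treat as outside (fail closed)
    return any(ip in net for net in cidrs)


def key_use_outside_allowlist(events: List[Dict], cidrs=SERVICE_CIDRS) -> Dict[str, int]:
    """Count key-authenticated requests per client IP outside the service ranges.
    A hit means the account key is in use somewhere it should not exist."""
    hits = Counter(e.get("ClientIpAddress", "?") for e in events
                   if e.get("AuthenticationType") == "key"
                   and not _inside(e.get("ClientIpAddress", ""), cidrs))
    return dict(hits)


def denied_spikes(events: List[Dict], threshold: int = 3) -> Dict[str, int]:
    """Client IPs with at least `threshold` 401/403 responses: probing, or a
    client trying credentials or operations it does not hold rights for."""
    denied = Counter(e.get("ClientIpAddress", "?") for e in events
                     if e.get("StatusCode") in (401, 403))
    return {ip: n for ip, n in denied.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG_LINES)
    print("key use outside allowlist:", key_use_outside_allowlist(evs))
    print("denied spikes:", denied_spikes(evs))
```

The two checks pair naturally with the account settings: once key-based authentication is disabled the first detector should never fire, and until then every hit is a candidate key leak that warrants rotating the key and finding the client behind the address.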
Security Best Practices Summary
- Authenticate applications with Microsoft Entra ID and Cosmos DB data-plane RBAC, use Azure RBAC for the control plane, and treat listKeys as a privileged permission.
- Grant least privilege: assign roles and issue resource tokens at the narrowest database or container scope, read-only unless writes are required.
- Keep account keys in a secret store, rotate them by moving workloads to the secondary key first, and disable key-based authentication once nothing depends on it.
- Restrict network access with the IP firewall, VNet rules, or a private endpoint, avoid the 0.0.0.0 datacenter rule, and disable public network access once a private endpoint is in place.
- Set the account's minimum TLS version to 1.2 so older clients are refused.
- Enable diagnostic logging for data-plane and control-plane requests and review it together with Azure Monitor metrics and the Activity Log.
- Regularly audit your security configurations and access policies.