Azure security baseline for Azure Cosmos DB
This security baseline applies guidance from the Azure Security Benchmark version 2.0 to Azure Cosmos DB. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Azure Cosmos DB.
Note
Controls not applicable to Azure Cosmos DB, and those for which the global guidance is recommended verbatim, have been excluded. To see how Azure Cosmos DB completely maps to the Azure Security Benchmark, see the full Azure Cosmos DB security baseline mapping file.
Network Security
For more information, see the Azure Security Benchmark: Network Security.
NS-1: Implement security for internal traffic
Guidance: When you deploy Cosmos DB resources, create or use an existing virtual network. Ensure that all Azure virtual networks follow an enterprise segmentation principle that aligns with the business risks. Any system that might incur higher risk for the organization should be isolated within its own virtual network and sufficiently secured with a network security group (NSG) and/or Azure Firewall.
Use Microsoft Defender for Cloud Adaptive Network Hardening to recommend network security group configurations that limit ports and source IPs based on external network traffic rules.
Based on your applications and enterprise segmentation strategy, restrict or allow traffic between internal resources based on your network security group rules. For specific, well-defined applications (such as a 3-tier app), this can be a highly secure deny by default.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: The Azure Security Benchmark is the default policy initiative for Microsoft Defender for Cloud and is the foundation for Microsoft Defender for Cloud's recommendations. The Azure Policy definitions related to this control are enabled automatically by Microsoft Defender for Cloud. Alerts related to this control may require a Microsoft Defender plan for the related services.
Azure Policy built-in definitions - Microsoft.DocumentDB:
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Audit, Deny, Disabled | 2.0.0 |
NS-2: Connect private networks together
Guidance: Use Azure ExpressRoute or Azure virtual private network (VPN) to create private connections between Azure datacenters and on-premises infrastructure in a colocation environment. ExpressRoute connections don't go over the public internet, and they offer more reliability, faster speeds, and lower latencies than typical internet connections. For point-to-site VPN and site-to-site VPN, you can connect on-premises devices or networks to a virtual network using any combination of these VPN options and Azure ExpressRoute.
To connect two or more virtual networks in Azure together, use virtual network peering. Network traffic between peered virtual networks is private and is kept on the Azure backbone network.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
NS-3: Establish private network access to Azure services
Guidance: Use Azure Private Link to enable private access to Cosmos DB from your virtual networks without crossing the internet.
Private access is an additional defense in depth measure to the authentication and traffic security offered by Azure services.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
NS-4: Protect applications and services from external network attacks
Guidance: Protect your Cosmos DB resources against attacks from external networks, including distributed denial of service (DDoS) attacks, application-specific attacks, and unsolicited and potentially malicious internet traffic. Use Azure Firewall to protect applications and services against potentially malicious traffic from the internet and other external locations. Protect your assets against DDoS attacks by enabling DDoS standard protection on your Azure virtual networks. Use Microsoft Defender for Cloud to detect misconfiguration risks to your network-related resources.
Cosmos DB is not intended to run web applications, and does not require you to configure any additional settings or deploy any extra network services to protect it from external network attacks targeting web applications.
Manage Azure DDoS Protection Standard using the Azure portal
Quickstart: Create and configure Azure DDoS Protection Standard
Responsibility: Customer
Microsoft Defender for Cloud monitoring: The Azure Security Benchmark is the default policy initiative for Microsoft Defender for Cloud and is the foundation for Microsoft Defender for Cloud's recommendations. The Azure Policy definitions related to this control are enabled automatically by Microsoft Defender for Cloud. Alerts related to this control may require a Microsoft Defender plan for the related services.
Azure Policy built-in definitions - Microsoft.DocumentDB:
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Audit, Deny, Disabled | 2.0.0 |
NS-6: Simplify network security rules
Guidance: Use Azure Virtual Network Service Tags to define network access controls on network security groups or Azure Firewall configured for your Cosmos DB resources. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.
The AzureCosmosDB service tag is supported for outbound use, can be regional, and can be used with Azure Firewall.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
NS-7: Secure Domain Name Service (DNS)
Guidance: Follow the best practices for DNS security to mitigate common attacks such as dangling DNS, DNS amplification attacks, DNS poisoning, and spoofing.
When Azure DNS is used as your authoritative DNS service, ensure DNS zones and records are protected from accidental or malicious modification using Azure RBAC and resource locks.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
Identity Management
For more information, see the Azure Security Benchmark: Identity Management.
IM-1: Standardize Azure Active Directory as the central identity and authentication system
Guidance: Cosmos DB uses Azure Active Directory (Azure AD) as the default identity and access management service. You should standardize Azure AD to govern your organization's identity and access management in:
- Microsoft Cloud resources, such as the Azure portal, Azure Storage, Azure Virtual Machine (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications.
- Your organization's resources, such as applications on Azure or your corporate network resources.
Securing Azure AD should be a high priority in your organization's cloud security practice. Azure AD provides an identity secure score to help you assess identity security posture relative to Microsoft's best practice recommendations. Use the score to gauge how closely your configuration matches best practice recommendations, and to make improvements in your security posture.
Note: Azure AD supports external identities, which allow users without a Microsoft account to sign in to their applications and resources with their external identity.
Azure Cosmos DB provides built-in Azure role-based access control (Azure RBAC) for common management scenarios in Azure Cosmos DB. An individual who has a profile in Azure Active Directory can assign these Azure roles to users, groups, service principals, or managed identities to grant or deny access to resources and operations on Azure Cosmos DB resources. Role assignments are scoped to control-plane access only, which includes access to Azure Cosmos accounts, databases, containers, and offers (throughput).
Azure Cosmos DB provides three ways to control access to your data. Primary keys are shared secrets allowing any management or data operation. They come in both read-write and read-only variants. Role-based access control provides a fine-grained, role-based permission model that uses Azure Active Directory (Azure AD) identities for authentication. Resource tokens provide a fine-grained permission model based on native Azure Cosmos DB users and permissions.
Responsibility: Shared
Microsoft Defender for Cloud monitoring: None
IM-2: Manage application identities securely and automatically
Guidance: Cosmos DB supports managed identities for its Azure resources. Use managed identities with Cosmos DB instead of creating service principals to access other resources. Cosmos DB can natively authenticate to the Azure services and resources that support Azure AD authentication through a pre-defined access grant rule, without using credentials hard-coded in source code or configuration files.
Services that support managed identities for Azure resources
Use system-assigned managed identities to access Azure Cosmos DB data
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
IM-3: Use Azure AD single sign-on (SSO) for application access
Guidance: Cosmos DB integrates with Azure Active Directory (Azure AD) to provide identity and access management to its Azure resources. Azure Cosmos DB uses two types of keys to authorize users and does not support Single Sign-On (SSO) at the data plane level. However, access to the control plane for Cosmos DB is available via REST API and supports SSO. To authenticate, set the authorization header for your requests to a JSON Web Token that you obtain from Azure AD.
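As an added example that is not part of this baseline or of the Cosmos DB SDKs, the following Python shows how the three data-plane credentials described under IM-1 (primary key, Azure AD token, resource token) and the control-plane token described here are presented to the service, following the documented REST authorization header formats. The key and token values are constructed placeholders, and `identity_auth_only` is a hypothetical gateway check, not a Cosmos DB feature.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed sample keys (not real credentials). Cosmos DB primary keys are
# base64-encoded 64-byte secrets; read-write and read-only keys are distinct,
# and the key itself is the only secret a caller needs to sign any request.
SAMPLE_RW_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_RO_KEY = base64.b64encode(bytes(range(64, 128))).decode()
# Constructed placeholder for a token issued by Azure AD (a real one is a JWT).
SAMPLE_AAD_TOKEN = "eyJ.placeholder.token"


def master_key_header(verb, resource_type, resource_link, date, key_b64):
    """Authorization header for primary-key (shared secret) authentication.

    string-to-sign = verb \n resourceType \n resourceLink \n date \n "" \n
    with verb, resource type and date lower-cased; HMAC-SHA256 keyed with the
    base64-decoded key; signature base64-encoded; whole value URL-encoded.
    """
    string_to_sign = "\n".join([verb.lower(), resource_type.lower(),
                                resource_link, date.lower(), ""]) + "\n"
    digest = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"),
                      hashlib.sha256).digest()
    sig = base64.b64encode(digest).decode()
    return urllib.parse.quote(f"type=master&ver=1.0&sig={sig}", safe="")


def aad_header(jwt):
    """Data-plane Authorization header carrying an Azure AD token (Cosmos RBAC)."""
    return urllib.parse.quote(f"type=aad&ver=1.0&sig={jwt}", safe="")


def resource_token_header(token):
    """Data-plane Authorization header carrying a scoped resource token."""
    return urllib.parse.quote(f"type=resource&ver=1.0&sig={token}", safe="")


def control_plane_header(jwt):
    """Control-plane (Azure Resource Manager REST) header: a plain bearer token."""
    return f"Bearer {jwt}"


def parse_authorization(header):
    """Split a URL-encoded data-plane Authorization header into its fields."""
    decoded = urllib.parse.unquote(header)
    return dict(part.split("=", 1) for part in decoded.split("&"))


def auth_type(header):
    """Return 'master', 'aad' or 'resource' for a data-plane header."""
    return parse_authorization(header).get("type")


def verify_master_signature(header, verb, resource_type, resource_link, date, key_b64):
    """Server-side view: recompute the expected header and compare in constant time.
    Any holder of the key can produce a valid signature for any verb and resource;
    only the key's read-only/read-write variant limits what the service permits."""
    expected = master_key_header(verb, resource_type, resource_link, date, key_b64)
    return hmac.compare_digest(expected, header)


def identity_auth_only(header):
    """Hypothetical gateway policy: admit identity-bound credentials (Azure AD
    tokens, resource tokens) and reject shared primary keys."""
    return auth_type(header) in ("aad", "resource")


if __name__ == "__main__":
    date = "Tue, 01 Nov 1994 08:12:31 GMT"  # value of the x-ms-date header
    h = master_key_header("GET", "docs", "dbs/ToDoList/colls/Items", date, SAMPLE_RW_KEY)
    print("primary key header:", h)
    print("accepted by identity-only gateway:", identity_auth_only(h))
    print("Azure AD header accepted:", identity_auth_only(aad_header(SAMPLE_AAD_TOKEN)))
```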
Responsibility: Shared
Microsoft Defender for Cloud monitoring: None
IM-7: Eliminate unintended credential exposure
Guidance: Cosmos DB is not intended to store code. However, for any ARM templates related to your Cosmos DB deployments, it is recommended to implement Credential Scanner on the repositories that store those templates to identify credentials within configurations. Credential Scanner will also encourage moving discovered credentials to more secure locations such as Azure Key Vault.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
Privileged Access
For more information, see the Azure Security Benchmark: Privileged Access.
PA-1: Protect and limit highly privileged users
Guidance: The most critical built-in roles for Azure AD are the Global Administrator and the Privileged Role Administrator, as users assigned to these two roles can delegate administrator roles:
- Global Administrator / Company Administrator: Users with this role have access to all administrative features in Azure AD, as well as services that use Azure AD identities.
- Privileged Role Administrator: Users with this role can manage role assignments in Azure AD, as well as within Azure AD Privileged Identity Management (PIM). In addition, this role allows management of all aspects of PIM and administrative units.
Note: You might have other critical roles that need to be governed if you use custom roles with certain privileged permissions assigned. You might also want to apply similar controls to the administrator account of critical business assets.
You should limit the number of highly privileged accounts or roles and protect these accounts at an elevated level. Users with this privilege can directly or indirectly read and modify every resource in your Azure environment.
You can enable just-in-time (JIT) privileged access to Azure resources and Azure AD using Azure AD PIM. JIT grants temporary permissions to perform privileged tasks only when users need it. PIM can also generate security alerts when there is suspicious or unsafe activity in your Azure AD organization.
Securing privileged access for hybrid and cloud deployments in Azure AD
Built-in Roles for Azure role-based access control in Azure Cosmos DB
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
PA-3: Review and reconcile user access regularly
Guidance: Cosmos DB uses Azure Active Directory (Azure AD) accounts to manage its resources. Review user accounts and access assignments regularly to ensure the accounts and their access are valid. You can use Azure AD and access reviews to review group memberships, access to enterprise applications, and role assignments. Azure AD reporting can provide logs to help discover stale accounts. You can also use Azure AD Privileged Identity Management (PIM) to create access review report workflows to facilitate the review process.
In addition, Azure AD PIM can also be configured to alert you when an excessive number of administrator accounts are created, and to identify administrator accounts that are stale or improperly configured.
Note: Some Azure services support local users and roles which are not managed through Azure AD. You will need to manage these users separately.
Azure Cosmos DB provides 5 built-in roles:
- The DocumentDB Account Contributor can manage Azure Cosmos DB accounts.
- The Cosmos DB Account Reader can read Azure Cosmos DB account data.
- The Cosmos Backup Operator can submit a restore request from the Azure portal for a periodic-backup-enabled database or container, and can modify the backup interval and retention in the Azure portal.
- The CosmosRestoreOperator can perform restore actions for Azure Cosmos DB accounts in continuous backup mode.
- The Cosmos DB Operator can provision Azure Cosmos accounts, databases, and containers.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
PA-6: Use privileged access workstations
Guidance: Secured, isolated workstations are critically important for the security of sensitive roles like administrator, developer, and critical service operator. Use highly secured user workstations and/or Azure Bastion for administrative tasks. Use Azure Active Directory (Azure AD), Microsoft Defender Advanced Threat Protection (ATP), and/or Microsoft Intune to deploy a secure and managed user workstation for administrative tasks. The secured workstations can be centrally managed to enforce secured configuration including strong authentication, software and hardware baselines, and restricted logical and network access.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
PA-7: Follow just enough administration (least privilege principle)
Guidance: Cosmos DB is integrated with Azure role-based access control (Azure RBAC) to manage its resources. Azure RBAC allows you to manage Azure resource access through role assignments. You can assign these roles to users, groups, service principals, and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell, or the Azure portal. The privileges you assign to resources through Azure RBAC should always be limited to what is required by the roles. This complements the just-in-time (JIT) approach of Azure AD Privileged Identity Management (PIM) and should be reviewed periodically.
Use built-in roles to allocate permissions and only create custom roles when required.
Azure Cosmos DB provides 5 built-in roles to help manage access to configuration and data. Give users the lowest level of access required to complete their work.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
PA-8: Choose approval process for Microsoft support
Guidance: Cosmos DB doesn't support Customer Lockbox. Microsoft may work with customers through a non-Lockbox method to obtain approval to access customer data.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
Data Protection
For more information, see the Azure Security Benchmark: Data Protection.
DP-1: Discover, classify and label sensitive data
Guidance: Automatic data identification, classification, and loss prevention features are not yet available for Azure Cosmos DB. However, you can use the Azure Cognitive Search integration for classification and data analysis. You can also implement a third-party solution if required for compliance purposes.
For the underlying platform which is managed by Microsoft, Microsoft treats all customer content as sensitive and goes to great lengths to guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented and maintains a suite of robust data protection controls and capabilities.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
DP-2: Protect sensitive data
Guidance: Protect sensitive data by restricting access using Azure role-based access control (Azure RBAC), network-based access controls, and specific controls in Azure services (such as encryption).
To ensure consistent access control, all types of access control should be aligned with your enterprise segmentation strategy. The enterprise segmentation strategy should also be informed by the location of sensitive or business critical data and systems.
For the underlying platform (managed by Microsoft), Microsoft treats all customer content as sensitive and guards against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented some default data protection controls and capabilities.
Cosmos DB also supports customer-managed keys for an additional level of encryption.
Responsibility: Shared
Microsoft Defender for Cloud monitoring: None
DP-3: Monitor for unauthorized transfer of sensitive data
Guidance: Cosmos DB supports Advanced Threat Protection. Advanced Threat Protection for Azure Cosmos DB provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit Azure Cosmos DB accounts. This layer of protection allows you to address threats, even without being a security expert, and integrate them with central security monitoring systems.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
DP-4: Encrypt sensitive information in transit
Guidance: To complement access controls, data in transit should be protected against 'out of band' attacks (such as traffic capture) using encryption to ensure that attackers cannot easily read or modify the data.
Cosmos DB supports data encryption in transit with TLS v1.2 or greater.
While this is optional for traffic on private networks, this is critical for traffic on external and public networks. For HTTP traffic, ensure that any clients connecting to your Azure resources can negotiate TLS v1.2 or greater. For remote management, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Obsolete SSL, TLS, SSH versions and protocols, and weak ciphers should be disabled.
By default, Azure provides encryption for data in transit between Azure data centers.
All connections to Azure Cosmos DB support HTTPS. Any accounts created after July 29th, 2020 have a minimum TLS version of TLS 1.2 by default. You can request that the minimum TLS version of your accounts created before July 29th, 2020 be upgraded to TLS 1.2 by contacting azurecosmosdbtls@service.microsoft.com.
Responsibility: Shared
Microsoft Defender for Cloud monitoring: None
DP-5: Encrypt sensitive data at rest
Guidance: To complement access controls, Cosmos DB encrypts data at rest to protect against 'out of band' attacks (such as accessing the underlying storage). This helps ensure that attackers cannot easily read or modify the data.
Data stored in your Azure Cosmos account is automatically and seamlessly encrypted with keys managed by Microsoft (service-managed keys). Optionally, you can choose to add a second layer of encryption with keys you manage (customer-managed keys).
Responsibility: Shared
Microsoft Defender for Cloud monitoring: The Azure Security Benchmark is the default policy initiative for Microsoft Defender for Cloud and is the foundation for Microsoft Defender for Cloud's recommendations. The Azure Policy definitions related to this control are enabled automatically by Microsoft Defender for Cloud. Alerts related to this control may require a Microsoft Defender plan for the related services.
Azure Policy built-in definitions - Microsoft.DocumentDB:
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. | audit, deny, disabled | 1.0.2 |
Asset Management
For more information, see the Azure Security Benchmark: Asset Management.
AM-1: Ensure security team has visibility into risks for assets
Guidance: Ensure security teams are granted Security Reader permissions in your Azure tenant and subscriptions so they can monitor for security risks using Microsoft Defender for Cloud.
Depending on how security team responsibilities are structured, monitoring for security risks could be the responsibility of a central security team or a local team. That said, security insights and risks must always be aggregated centrally within an organization.
Security Reader permissions can be applied broadly to an entire tenant (Root Management Group) or scoped to management groups or specific subscriptions.
Note: Additional permissions might be required to get visibility into workloads and services.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
AM-2: Ensure security team has access to asset inventory and metadata
Guidance: Apply tags to your Azure Cosmos DB instances and related resources with relevant metadata such as tracking Azure Cosmos DB instances that store or process sensitive information. Cosmos DB does not allow running an application or installing software on its resources.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
AM-3: Use only approved Azure services
Guidance: Cosmos DB supports denying its resource deployments with Azure Policy, which enables you to restrict deployments where this service is not yet approved. Use Azure Policy to audit and restrict which services users can provision in your environment according to your security needs. Use Azure Resource Graph to query for and discover resources within your subscriptions. You can also use Azure Monitor to create rules that trigger alerts when a non-approved service is detected.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
Logging and Threat Detection
For more information, see the Azure Security Benchmark: Logging and Threat Detection.
LT-1: Enable threat detection for Azure resources
Guidance: Use the Microsoft Defender for Cloud built-in threat detection capability and enable Microsoft Defender for your Cosmos DB resources. Microsoft Defender for Cosmos DB provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit your Cosmos DB resources.
Forward any logs from Cosmos DB to your SIEM, which can be used to set up custom threat detections. Ensure that you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce false positives for analysts to sort through. Alerts can be sourced from log data, agents, or other data.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
LT-2: Enable threat detection for Azure identity and access management
Guidance: Azure Active Directory (Azure AD) provides the following user logs, which can be viewed in Azure AD reporting or integrated with Azure Monitor, Microsoft Sentinel, or other SIEM/monitoring tools for more sophisticated monitoring and analytics use cases:
- Sign-ins - The sign-ins report provides information about the usage of managed applications and user sign-in activities.
- Audit logs - Provides traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD, like adding or removing users, apps, groups, roles, and policies.
- Risky sign-ins - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.
- Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.
Microsoft Defender for Cloud can also trigger alerts on certain suspicious activities, such as an excessive number of failed authentication attempts or deprecated accounts in the subscription. In addition to the basic security hygiene monitoring, Microsoft Defender for Cloud's Threat Protection module can also collect more in-depth security alerts from individual Azure compute resources (virtual machines, containers, app service), data resources (SQL DB and storage), and Azure service layers. This capability allows you to have visibility on account anomalies inside individual resources.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
LT-3: Enable logging for Azure network activities
Guidance: Cosmos DB does not deploy any resources directly into a virtual network. However, Cosmos DB allows you to use private endpoints to connect securely to its resources from a virtual network. Cosmos DB also does not produce or process DNS query logs which would need to be enabled.
Enable logging on your configured Cosmos DB private endpoints to capture:
- Data processed by the Private Endpoint (IN/OUT)
- Data processed by the Private Link service (IN/OUT)
- NAT port availability
For more information, see the following references: Azure Private Link Monitoring
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
LT-4: Enable logging for Azure resources
Guidance: Activity logs, which are automatically available, contain all write operations (PUT, POST, DELETE) for your Cosmos DB resources except read operations (GET). Activity logs can be used to find an error when troubleshooting or to monitor how a user in your organization modified a resource.
Enable Azure resource logs for Cosmos DB. You can use Microsoft Defender for Cloud and Azure Policy to enable resource logs and log data collecting. These logs can be critical for investigating security incidents and performing forensic exercises.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
LT-5: Centralize security log management and analysis
Guidance: Centralize the logging, storage, and analysis of Cosmos DB logs. Ensure you are integrating Azure activity logs produced by Cosmos DB management actions into your central logging solution. Ingest logs via Azure Monitor to aggregate security data generated by endpoint devices, network resources, and other security systems. In Azure Monitor, use Log Analytics workspaces to query and perform analytics, and use Azure Storage accounts for long term and archival storage.
In addition, enable and onboard data to Microsoft Sentinel or a third-party SIEM.
Many organizations choose to use Microsoft Sentinel for “hot” data that is used frequently and Azure Storage for “cold” data that is used less frequently.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
LT-6: Configure log storage retention
Guidance: Ensure that any storage accounts or Log Analytics workspaces used for storing logs created by your Cosmos DB resources have the log retention period set according to your organization's compliance regulations.
In Azure Monitor, you can set your Log Analytics workspace retention period according to your organization's compliance regulations. Use Azure Storage, Data Lake or Log Analytics workspace accounts for long-term and archival storage.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
Posture and Vulnerability Management
For more information, see the Azure Security Benchmark: Posture and Vulnerability Management.
PV-1: Establish secure configurations for Azure services
Guidance: You can use Azure Blueprints to automate the deployment and configuration of the Cosmos DB service, including Azure Resource Manager templates, Azure RBAC controls, and policies, in a single blueprint definition.
Advanced Threat Protection for Azure Cosmos DB provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit Azure Cosmos DB accounts. This layer of protection allows you to address threats, even without being a security expert, and integrate them with central security monitoring systems.
Working with security policies in Microsoft Defender for Cloud
Illustration of Guardrails implementation in Enterprise Scale Landing Zone
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
PV-2: Sustain secure configurations for Azure services
Guidance: Use Microsoft Defender for Cloud to monitor your configuration baseline and enforce these configurations using Azure Policy [deny] and [deploy if not exist] effects to maintain secure configuration across your Cosmos DB resources.
Use Azure Policy aliases in the "Microsoft.DocumentDB" namespace to create custom policies to alert, audit, and enforce system configurations. Additionally, develop a process and pipeline for managing policy exceptions.
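Added example, not from this page or from Microsoft: a small offline evaluator that mirrors the two built-in definitions listed under NS-1 (firewall rules) and DP-5 (customer-managed keys) against exported account JSON, such as ARM resource JSON or `az cosmosdb list` output, so the same checks can run in a pipeline before policy compliance results arrive. The property names follow the Microsoft.DocumentDB ARM schema, the sample accounts are constructed, and reading "at least one IP rule defined with the virtual network filter enabled" as requiring both conditions together is this example's assumption.

```python
import json

# Constructed sample: three account records, in the shape of ARM resource JSON
# (settings nested under "properties") or of `az cosmosdb list` output
# (settings flattened onto the top-level object).
SAMPLE_ACCOUNTS = json.loads("""
[
  {"name": "acct-open",
   "properties": {"publicNetworkAccess": "Enabled",
                  "ipRules": [],
                  "isVirtualNetworkFilterEnabled": false}},
  {"name": "acct-filtered",
   "properties": {"publicNetworkAccess": "Enabled",
                  "ipRules": [{"ipAddressOrRange": "203.0.113.0/24"}],
                  "isVirtualNetworkFilterEnabled": true,
                  "keyVaultKeyUri": "https://example-vault.vault.azure.net/keys/cosmos-cmk"}},
  {"name": "acct-private",
   "publicNetworkAccess": "Disabled"}
]
""")


def _props(account):
    """ARM JSON nests settings under 'properties'; the CLI flattens them."""
    return account.get("properties", account)


def has_firewall_rules(account):
    """Mirror of 'Azure Cosmos DB accounts should have firewall rules'.

    Compliant when public network access is disabled, or when at least one
    IP rule exists and the virtual network filter is enabled (assumed AND).
    publicNetworkAccess is treated as Enabled when the property is absent.
    """
    p = _props(account)
    if p.get("publicNetworkAccess", "Enabled") == "Disabled":
        return True
    return bool(p.get("ipRules")) and bool(p.get("isVirtualNetworkFilterEnabled"))


def uses_customer_managed_key(account):
    """Mirror of 'Azure Cosmos DB accounts should use customer-managed keys':
    compliant when a Key Vault key URI is configured on the account."""
    return bool(_props(account).get("keyVaultKeyUri"))


CHECKS = {
    "NS-1 firewall rules": has_firewall_rules,
    "DP-5 customer-managed key": uses_customer_managed_key,
}


def evaluate(accounts):
    """Return {account name: [failed check names]} for non-compliant accounts only."""
    findings = {}
    for acct in accounts:
        failed = [name for name, check in CHECKS.items() if not check(acct)]
        if failed:
            findings[acct["name"]] = failed
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_ACCOUNTS with json.load(open("accounts.json")) for real data.
    print(json.dumps(evaluate(SAMPLE_ACCOUNTS), indent=2))
```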
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
PV-8: Conduct regular attack simulation
Guidance: As required, conduct penetration testing or red team activities on your Azure resources and ensure remediation of all critical security findings.
Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies. Use Microsoft's strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
Backup and Recovery
For more information, see the Azure Security Benchmark: Backup and Recovery.
BR-1: Ensure regular automated backups
Guidance: Azure Cosmos DB automatically takes backups of your data at regular intervals. If a database or container is deleted, you can file a support ticket or call Azure support to restore the data from automatic online backups. Azure support is available only for selected plans, such as Standard, Developer, and higher plans. To restore a specific snapshot of the backup, Azure Cosmos DB requires that the data is available for the duration of the backup cycle for that snapshot.
If using Key Vault to store credentials for your Cosmos DB instances, ensure regular automated backups of your keys.
Responsibility: Shared
Microsoft Defender for Cloud monitoring: None
BR-2: Encrypt backup data
Guidance: All user data stored in Cosmos DB is encrypted at rest by default. There are no controls to turn it off. Azure Cosmos DB uses AES-256 encryption on all regions where the account is running.
By default, Microsoft manages the keys that are used to encrypt the data in your Azure Cosmos account. You can optionally choose to add a second layer of encryption with your own keys.
Responsibility: Microsoft
Microsoft Defender for Cloud monitoring: None
BR-3: Validate all backups including customer-managed keys
Guidance: Azure Cosmos DB automatically takes backups of your data at regular intervals. If a database or container is deleted, you can file a support ticket or call Azure support to restore the data from automatic online backups. To restore a specific snapshot of the backup, Azure Cosmos DB requires that the data is available for the duration of the backup cycle for that snapshot.
If using Key Vault to store credentials for your Cosmos DB instances that are encrypted with customer-managed keys, ensure regular automated backups of your keys.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
BR-4: Mitigate risk of lost keys
Guidance: Ensure that you have measures in place to prevent and recover from the loss of keys. Enable soft delete and purge protection in Azure Key Vault to protect your encryption keys against accidental or malicious deletion.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
Next steps
- See the Azure Security Benchmark V2 overview
- Learn more about Azure security baselines