Security controls for Azure Cosmos DB

This article documents the security controls built into Azure Cosmos DB.

A security control is a quality or feature of an Azure service that contributes to the service's ability to prevent, detect, and respond to security vulnerabilities.

For each control, we use "Yes" or "No" to indicate whether it is currently in place for the service, and "N/A" for a control that is not applicable to the service. We might also provide a note or links to more information about an attribute.

Network

| Security control | Yes/No | Notes |
|---|---|---|
| Service endpoint support | Yes | |
| VNet injection support | Yes | With VNet service endpoints, you can configure an Azure Cosmos DB account to allow access only from a specific subnet of a virtual network (VNet). You can also combine VNet access with firewall rules. To learn more, see Access Azure Cosmos DB from virtual networks. |
| Network isolation and firewall support | Yes | With firewall support, you can configure your Azure Cosmos DB account to allow access only from an approved set of IP addresses, a range of IP addresses, and/or cloud services. To learn more, see Configure IP firewall in Azure Cosmos DB. |
| Forced tunneling support | Yes | Can be configured on the client side, on the VNet where the virtual machines are located. |
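The IP firewall and VNet rules above are only as good as what is actually configured on the account, so a reviewer typically pulls the account description and checks it. The script below is an added example, not Microsoft's code or tooling: it reads the JSON shape that `az cosmosdb show` returns for an account (the property names `publicNetworkAccess`, `isVirtualNetworkFilterEnabled`, `ipRules[].ipAddressOrRange` and `virtualNetworkRules` are assumed to match that shape), flags an allow-all range or an account with no rules at all, and answers whether a given public IP would pass the firewall. Both sample accounts are constructed.

```python
"""Review the network controls on an Azure Cosmos DB account description."""
import ipaddress
import json

# Constructed: a firewall that has an allow-all rule slipped in next to real ones.
WEAK_ACCOUNT = json.dumps({
    "name": "example-weak",
    "publicNetworkAccess": "Enabled",
    "isVirtualNetworkFilterEnabled": False,
    "ipRules": [
        {"ipAddressOrRange": "203.0.113.10"},
        {"ipAddressOrRange": "198.51.100.0/24"},
        {"ipAddressOrRange": "0.0.0.0/0"},
    ],
    "virtualNetworkRules": [],
})

# Constructed: the same account after the allow-all rule is removed and a subnet rule is added.
HARDENED_ACCOUNT = json.dumps({
    "name": "example-hardened",
    "publicNetworkAccess": "Enabled",
    "isVirtualNetworkFilterEnabled": True,
    "ipRules": [
        {"ipAddressOrRange": "203.0.113.10"},
        {"ipAddressOrRange": "198.51.100.0/24"},
    ],
    "virtualNetworkRules": [
        {"id": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>"}
    ],
})

# Hypothetical policy threshold: any IPv4 rule broader than a /24 gets a second look.
MAX_IPV4_RANGE_PREFIX = 24


def ip_networks(account):
    """Parse the account's IP firewall rules into ipaddress networks."""
    return [ipaddress.ip_network(rule["ipAddressOrRange"], strict=False)
            for rule in account.get("ipRules", [])]


def vnet_rules(account):
    """VNet rules only take effect when the VNet filter is enabled."""
    if not account.get("isVirtualNetworkFilterEnabled"):
        return []
    return account.get("virtualNetworkRules", [])


def audit_network(account_json):
    """Return a list of findings; an empty list means nothing to report."""
    account = json.loads(account_json)
    findings = []
    nets = ip_networks(account)
    subnets = vnet_rules(account)
    if account.get("publicNetworkAccess", "Enabled") == "Enabled" and not nets and not subnets:
        findings.append("no IP or VNet rules: any client holding a key can reach the account")
    for net in nets:
        if net.prefixlen == 0:
            findings.append(f"ip rule {net} admits every address; the firewall is effectively off")
        elif net.version == 4 and net.prefixlen < MAX_IPV4_RANGE_PREFIX:
            findings.append(f"ip rule {net} is broader than a /{MAX_IPV4_RANGE_PREFIX}")
    return findings


def ip_admitted(account_json, client_ip):
    """Would a request from this public IP pass the IP firewall?

    Subnet rules cannot be evaluated from an address alone, so a client that
    fails this check may still be admitted through a VNet service endpoint.
    """
    account = json.loads(account_json)
    nets = ip_networks(account)
    if not nets and not vnet_rules(account):
        return True  # no rules configured, so nothing is filtered
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in nets)


if __name__ == "__main__":
    for label, acct in (("weak", WEAK_ACCOUNT), ("hardened", HARDENED_ACCOUNT)):
        print(label, audit_network(acct) or ["no findings"])
    print("192.0.2.5 admitted by hardened account:", ip_admitted(HARDENED_ACCOUNT, "192.0.2.5"))
```

Run against the weak account the audit reports the `0.0.0.0/0` rule, which makes every other rule irrelevant; the hardened account reports nothing and rejects an address outside its ranges. Feed it the real output of `az cosmosdb show` to check a production account the same way.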

Monitoring & logging

| Security control | Yes/No | Notes |
|---|---|---|
| Azure monitoring support (Log Analytics, App Insights, etc.) | Yes | All requests sent to Azure Cosmos DB are logged. Azure Monitoring, Azure Metrics, and Azure Audit Logging are supported. You can log information corresponding to data plane requests, query runtime statistics, query text, and MongoDB requests. You can also set up alerts. |
| Control and management plane logging and audit | Yes | Azure Activity Log for account-level operations such as firewalls, VNets, key access, and IAM. |
| Data plane logging and audit | Yes | Diagnostic monitoring logging for container-level operations such as create container, provision throughput, indexing policies, and CRUD operations on documents. |
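Since every data plane request is logged, the logs are where a wrong, leaked or revoked key shows up first, as a run of 401/403 responses from one client. The detector below is an added example, not part of the original page or of Microsoft's tooling. Its rows are constructed to resemble the diagnostic records Azure Monitor collects for data plane requests; the column names (`TimeGenerated`, `ClientIpAddress`, `StatusCode`, `OperationName`, `AuthenticationType`) are an assumption about that schema, and the sample addresses and operations are not real.

```python
"""Spot bursts of authentication failures in Cosmos DB data plane logs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample rows; none of these addresses or operations are real.
SAMPLE_ROWS = [
    {"TimeGenerated": "2024-01-10T09:00:05Z", "ClientIpAddress": "203.0.113.5", "StatusCode": 401, "OperationName": "Query", "AuthenticationType": "key"},
    {"TimeGenerated": "2024-01-10T09:00:15Z", "ClientIpAddress": "198.51.100.7", "StatusCode": 200, "OperationName": "Read", "AuthenticationType": "resource token"},
    {"TimeGenerated": "2024-01-10T09:00:40Z", "ClientIpAddress": "203.0.113.5", "StatusCode": 401, "OperationName": "Query", "AuthenticationType": "key"},
    {"TimeGenerated": "2024-01-10T09:01:10Z", "ClientIpAddress": "203.0.113.5", "StatusCode": 403, "OperationName": "Create", "AuthenticationType": "key"},
    {"TimeGenerated": "2024-01-10T09:01:50Z", "ClientIpAddress": "198.51.100.7", "StatusCode": 401, "OperationName": "Read", "AuthenticationType": "resource token"},
    {"TimeGenerated": "2024-01-10T09:02:30Z", "ClientIpAddress": "203.0.113.5", "StatusCode": 401, "OperationName": "Query", "AuthenticationType": "key"},
    {"TimeGenerated": "2024-01-10T09:20:00Z", "ClientIpAddress": "203.0.113.5", "StatusCode": 401, "OperationName": "Query", "AuthenticationType": "key"},
]

AUTH_FAILURE_CODES = {401, 403}


def parse_time(value):
    """Parse the ISO 8601 timestamp (with trailing Z) the rows carry."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def auth_failure_bursts(rows, threshold=3, window=timedelta(minutes=5)):
    """Return {client_ip: peak_failures_in_window} for clients that crossed the threshold."""
    recent = defaultdict(deque)   # per client, timestamps of failures still inside the window
    alerts = {}
    for row in sorted(rows, key=lambda r: parse_time(r["TimeGenerated"])):
        if row["StatusCode"] not in AUTH_FAILURE_CODES:
            continue
        ip = row["ClientIpAddress"]
        ts = parse_time(row["TimeGenerated"])
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts[ip] = max(alerts.get(ip, 0), len(q))
    return alerts


def auth_type_breakdown(rows):
    """Count successful requests per authentication type, to see how much
    traffic rides on account keys rather than scoped resource tokens."""
    counts = defaultdict(int)
    for row in rows:
        if row["StatusCode"] < 400:
            counts[row["AuthenticationType"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("bursts:", auth_failure_bursts(SAMPLE_ROWS))
    print("successful requests by auth type:", auth_type_breakdown(SAMPLE_ROWS))
```

On the sample data the first client produces four failures inside five minutes and is reported with that peak, while its lone failure twenty minutes later falls outside the window; the second client's single 401 stays below the threshold. The same sliding-window logic can be expressed as a scheduled query in Log Analytics for alerting.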

Identity

| Security control | Yes/No | Notes |
|---|---|---|
| Authentication | Yes | Yes at the database account level; at the data plane level, Azure Cosmos DB uses resource tokens and key access. |
| Authorization | Yes | Supported on the Azure Cosmos DB account with master keys (primary and secondary) and resource tokens. Master keys grant read/write or read-only access to data. Resource tokens allow time-limited access to specific resources such as documents and containers. |
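To see why a master key must be handled as a root-level secret, it helps to look at what the data plane actually does with it. The code below is an added example, not code from the original page or from Microsoft's SDKs. It follows the REST signing scheme used with master keys: an HMAC-SHA256, keyed with the base64-decoded key, over the lowercased verb, resource type, resource link and `x-ms-date`, URL-encoded as `type=master&ver=1.0&sig=<base64 signature>`; a resource token is instead sent as `type=resource&ver=1.0&sig=<token>`. The key and the database and container names below are constructed placeholders.

```python
"""Build the Authorization header for a Cosmos DB REST call with a master key or a resource token."""
import base64
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timezone

# Constructed 64-byte key. A real primary key is the base64 secret shown in the portal
# and has the same standing as this one: whoever holds it can sign any request.
DEMO_MASTER_KEY = base64.b64encode(bytes(range(64))).decode()

# Constructed resource link; real links look like dbs/<database>/colls/<container>.
DEMO_RESOURCE_LINK = "dbs/exampledb/colls/examplecoll"


def http_date(now=None):
    """RFC 1123 date in UTC, the format the x-ms-date header requires."""
    now = now or datetime.now(timezone.utc)
    return now.strftime("%a, %d %b %Y %H:%M:%S GMT")


def master_key_token(master_key, verb, resource_type, resource_link, date):
    """Sign one request with the account key.

    The verb, resource and date are all inside the signed text, so a captured
    header only ever authorises that one request for a short time; the key
    itself is what grants everything.
    """
    key = base64.b64decode(master_key)
    text = "\n".join([verb.lower(), resource_type.lower(), resource_link, date.lower(), ""]) + "\n"
    digest = hmac.new(key, text.encode("utf-8"), hashlib.sha256).digest()
    signature = base64.b64encode(digest).decode()
    return urllib.parse.quote(f"type=master&ver=1.0&sig={signature}", safe="")


def resource_token_header(token):
    """A resource token is presented as-is; its scope and expiry were fixed when it was issued."""
    return urllib.parse.quote(f"type=resource&ver=1.0&sig={token}", safe="")


def request_headers(master_key, verb, resource_type, resource_link, date=None):
    """Headers for a data plane call, e.g. GET on a container."""
    date = date or http_date()
    return {
        "x-ms-date": date,
        "x-ms-version": "2018-12-31",
        "Authorization": master_key_token(master_key, verb, resource_type, resource_link, date),
    }


if __name__ == "__main__":
    headers = request_headers(DEMO_MASTER_KEY, "GET", "colls", DEMO_RESOURCE_LINK)
    for name, value in headers.items():
        print(f"{name}: {value}")
```

Two properties follow directly from the construction: the same key signs a `GET` or a `DELETE` against any resource equally well, so the key's blast radius is the whole account, whereas a resource token cannot be re-scoped by the client because the client never computes anything with it. That asymmetry is why the page lists resource tokens as the mechanism for limited, time-bound access.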

Data protection

| Security control | Yes/No | Notes |
|---|---|---|
| Server-side encryption at rest: Microsoft-managed keys | Yes | All Azure Cosmos DB databases and backups are encrypted by default; see Data encryption in Azure Cosmos DB. |
| Server-side encryption at rest: customer-managed keys (BYOK) | Yes | See Configure customer-managed keys for your Azure Cosmos DB account. |
| Column-level encryption (Azure Data Services) | Yes | Only in the Tables API Premium; not all APIs support this feature. See Introduction to Azure Cosmos DB: Table API. |
| Encryption in transit (such as ExpressRoute encryption, in-VNet encryption, and VNet-to-VNet encryption) | Yes | All Azure Cosmos DB data is encrypted in transit. |
| API calls encrypted | Yes | All connections to Azure Cosmos DB support HTTPS. Azure Cosmos DB also supports TLS 1.2. A minimum TLS version can be enforced server-side; to request this, contact azurecosmosdbtls@service.microsoft.com. |

Configuration management

| Security control | Yes/No | Notes |
|---|---|---|
| Configuration management support (versioning of configuration, etc.) | No | |

Additional security controls for Cosmos DB

| Security control | Yes/No | Notes |
|---|---|---|
| Cross-Origin Resource Sharing (CORS) | Yes | See Configure Cross-Origin Resource Sharing (CORS). |

Next steps