epomatti/azure-cosmos-security

Azure Cosmos security

Security features for Cosmos DB.

Setup

Set up the variables:

cp config/template.tfvars .auto.tfvars

Set your IP address in cosmos_ip_range_filter.

Create the resources:

terraform init
terraform apply -auto-approve

Use the Go SDK client in the /client directory to send data to Cosmos.

Create the .env file:

COSMOS_ENDPOINT="https://<COSMOS NAME>.documents.azure.com:443/"

Run the client:

go get
go run .

For data-plane operations, Cosmos DB provides only two built-in role definitions:

  • Cosmos DB Built-in Data Reader
  • Cosmos DB Built-in Data Contributor

Monitor

Since diagnostic settings are enabled on the account, troubleshooting can be performed with Azure Monitor.

This query filters for data-plane requests in the AzureDiagnostics table. With Entra ID authentication, the users who access data in the Cosmos DB account can be audited by their principal ID.

💡 For this scenario, local authentication should be disabled so that users have to authenticate with Entra ID.

AzureDiagnostics
| where Category == "DataPlaneRequests" and TimeGenerated > ago(1h)
| project TimeGenerated, aadPrincipalId_g, Resource, OperationName, requestResourceId_s, statusCode_s, clientIpAddress_s, authTokenType_s, keyType_s
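
To act on the results of that query, here is an added Go example (not part of this repository's client) that reads query rows exported as newline-delimited JSON and flags any data-plane request that was not authenticated with an Entra ID token. The sample rows are constructed, and the "AadToken" / "PrimaryMasterKey" values for authTokenType_s are assumed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// DataPlaneRequest mirrors the AzureDiagnostics columns the KQL query projects.
type DataPlaneRequest struct {
	AADPrincipalID string `json:"aadPrincipalId_g"`
	ClientIP       string `json:"clientIpAddress_s"`
	AuthTokenType  string `json:"authTokenType_s"`
}

// ParseRequests decodes query results exported as newline-delimited JSON.
func ParseRequests(ndjson string) ([]DataPlaneRequest, error) {
	var rows []DataPlaneRequest
	for _, line := range strings.Split(strings.TrimSpace(ndjson), "\n") {
		var r DataPlaneRequest
		if err := json.Unmarshal([]byte(line), &r); err != nil {
			return nil, fmt.Errorf("bad row %q: %w", line, err)
		}
		rows = append(rows, r)
	}
	return rows, nil
}
// NonAADRequests returns rows not authenticated with an Entra ID token ("AadToken" is the
// assumed value). With local auth disabled this must be empty; a hit means a key is still in use.
func NonAADRequests(rows []DataPlaneRequest) []DataPlaneRequest {
	var out []DataPlaneRequest
	for _, r := range rows {
		if r.AuthTokenType != "AadToken" {
			out = append(out, r)
		}
	}
	return out
}

// Constructed sample rows (not real log data; the principal ID and IPs are placeholders).
const sampleLog = `{"aadPrincipalId_g":"11111111-1111-1111-1111-111111111111","clientIpAddress_s":"203.0.113.10","authTokenType_s":"AadToken"}
{"aadPrincipalId_g":"","clientIpAddress_s":"198.51.100.7","authTokenType_s":"PrimaryMasterKey"}`

func main() {
	rows, err := ParseRequests(sampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d of %d requests did not use Entra ID: %+v\n", len(NonAADRequests(rows)), len(rows), NonAADRequests(rows))
}
```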

Security (other)

Other security settings applied by the deployment:

  • The database account is created with a customer-managed key (CMK).
  • Log collection (diagnostic settings) is enabled.
  • Network IP filtering is applied (see cosmos_ip_range_filter).

Destroy

When done, clean up the resources:

terraform destroy -auto-approve