How To Secure Azure Cosmos DB

How To Secure Azure Cosmos DB

In this Azure tutorial, we will discuss how to secure Azure Cosmos DB. Along with this, we will also discuss the below topics.

  • Is Azure Cosmos DB encrypted?

How To Secure Azure Cosmos DB

Well, it’s quite important to secure your Azure Cosmos DB. As part of this article, we will learn different features provided by Azure Cosmos DB to secure your database and prevent your database from unwanted access.

Encryption is the key technique here. To secure your documents or backups, Encryption at rest is available and it is available in all the regions irrespective of new or existing customers.

One important point to note down here is, your data, documents, and backups, etc are safe with Encryption at rest.

The data you are storing in Azure Cosmos DB is encrypted with keys seamlessly and using the service-managed keys, Microsoft uses to manage this scenario.

You have also the provision to add a second layer of encryption with keys. You can able to manage this scenario with the help of customer-managed keys.

Azure Cosmos DB provides a list of features to save your database from any unwanted access. Let’s discuss all the key areas one by one.

  • Authorization
  • Users and permissions
  • Network security
  • Failovers
  • Global and Local replications
  • Restore deleted data
  • Backups automatically
  • Security and data protection certifications
  • Encryption at rest
  • Monitor and Respond to attack


Hash-based message authentication code or HMAC is the technique used by Azure Cosmos DB for authorization. It is one of the excellent techniques.

As part of the authorization process, the individual request is hashed using the secret account key. As part of the validation process, Azure Cosmos DB generates a hash using the secret key and the other properties. Now it actually compares the key value with the key value present along with the request. If both the key values are equal then it considers that the request is valid and then the request gets authorized successfully.

In case of any miss-match with the key value, it rejects the request immediately.

Users and permissions

You can quickly create users and permissions using the Primary key of the account. A resource token plays a vital role here. If you will analyze a little depth, with each permission, there is a resource token that is associated with that in the database and it is responsible to determine what permission the user actually has to an application.

The access could be read-only, read-write, or no access, etc.

As part of the authentication process, the resource token plays a vital role in whether to allow or deny to access the resource.

Network security

Azure Cosmos DB supports IP firewall protection to secure the database.

Azure Cosmos DB provides you with the opportunity to enable a specific IP address or a particular IP range based on your need.

When it will get the request, Azure Cosmos DB will validate if the IP is matching with the range of lists of IP, then it will allow accessing the resource. In case the IP didn’t match with the specified range or the IP is from outside the mentioned range, it will deny accessing the resource.


Azure Cosmos DB helps you to roll over automatically in case of any failovers. You have the provision to create a prioritized list of failover regions where your data is actually replicated.

Global and Local replications

In terms of Global replications, Azure Cosmos DB ensures high security for your data in case of any regional failures. It also ensures high security for your data for local replications.

Restore deleted data

If by chance, you have deleted your data wrongly, nothing to worry about, You can able to recover the data by using the automated online backups feature that is deleted up to ~30 days after the deletion.

Backups automatically

Azure Cosmos DB helps you to back up your database regularly and quickly store in a geo-redundant store securely.

Encryption at rest

Encryption of your data is the key here. The data you are storing in Azure Cosmos DB is encrypted at rest.

Monitor and Respond to attack

Azure Cosmos DB provides you with the tools like activity logs and audit logging, etc that can help you to track and monitor the activity of your account and all the operations towards your resources.

In case you will find any suspicious activity on your account, you can quickly contact Azure support and the team will help you to initiate a 5-step incident response process and you will get a quick resolution from the team.

Is Azure Cosmos DB encrypted?

Yes, Azure Cosmos DB is encrypted. It uses AES-256 encryption for all the regions.

You may also like following the below articles

Wrapping Up

Well, in this article, we have discussed how to secure Azure Cosmos DB and along with that we have also discussed a few other topics as below

  • Is Azure Cosmos DB encrypted?

Hope you have enjoyed this article !!!