Platform: AZURE
| Category | Criteria Name | Supported | Notes | Caveats |
|---|---|---|---|---|
| Authentication & Authorization | API Key Management | True | Each account has primary and secondary keys, in read-write and read-only variants. Either key can be regenerated independently, so clients can be moved to the secondary key while the primary is rotated without downtime. | A key signs requests for the whole account with no per-user identity, so treat it as a root credential: keep it in Key Vault, rotate it on a schedule, and set `disableLocalAuth` on the account once clients authenticate with Microsoft Entra ID, which makes the service reject key-signed requests. Anyone holding `Microsoft.DocumentDB/databaseAccounts/listKeys/action` on the account can read the keys. |
| Authentication & Authorization | IAM Integration | True | Azure RBAC governs the control plane (creating accounts, regenerating keys, changing network rules and replication). On the data plane, the API for NoSQL has its own role-based access control: Microsoft Entra identities are assigned built-in (Data Reader, Data Contributor) or custom role definitions scoped to the account, a database or a container. Resource tokens, minted by a trusted service using the account key, grant time-limited access to a single container or partition key for untrusted clients. | Control-plane RBAC does not by itself limit data access: a role that can list keys has full data-plane access regardless of data-plane role assignments. |
| Authentication & Authorization | MFA | True | MFA is enforced through Microsoft Entra Conditional Access for the identities that manage the account and for Entra-based data-plane access. | Does not apply to key-signed or resource-token requests, which carry no user identity. |
| Authentication & Authorization | Service Account Support | True | Managed identities and service principals obtain Microsoft Entra tokens and can be assigned both control-plane and data-plane roles, so workloads need no distributed keys. | |
| Authentication & Authorization | Standard Protocols | True | Management-plane calls use OAuth 2.0 bearer tokens from Microsoft Entra ID over HTTPS. The data plane accepts either an Entra token or an HMAC-SHA256 signature, computed with the account key over the request verb, resource type, resource link and date, carried in the `Authorization` header. | |
| Compliance & Certifications | Compliance Documentation | True | Audit reports and compliance documentation are available through the Microsoft Service Trust Portal and the Azure compliance documentation. | |
| Compliance & Certifications | Industry Certifications | True | Azure Cosmos DB is in scope for Azure's major certifications and attestations (ISO 27001, SOC 1/2/3, PCI DSS, HIPAA, FedRAMP). | Confirm current scope for a given region and API in the Azure compliance offerings list. |
| Data Loss Prevention (DLP) | Data Masking/Redaction | False | Data masking would need to be implemented at the application level. | Not a direct feature. |
| Data Loss Prevention (DLP) | Sensitive Data Scanning | False | DLP would need to be implemented at the application level. | Not a direct feature. |
| Data Residency & Sovereignty | Cross-Region Data Transfer Controls | True | Data is only replicated to the regions specified by the customer. | Customer controls which regions to replicate to. |
| Data Residency & Sovereignty | Data Location Transparency | True | The locations of the data replicas are visible in the Azure Portal. | |
| Data Residency & Sovereignty | Region Selection | True | Customers can select the Azure regions where their data will be replicated. | |
| Encryption | Encryption at Rest | True | Data, indexes and backups are encrypted at rest with service-managed keys by default. Customer-managed keys held in Azure Key Vault (`keyVaultKeyUri` on the account) are supported. | With a customer-managed key, availability depends on Key Vault: revoking, disabling or deleting the key makes the account inaccessible. |
| Encryption | Encryption in Transit | True | All client connections to Azure Cosmos DB use TLS; the account's `minimalTlsVersion` property sets the lowest version the endpoint accepts. | The property allows `Tls`, `Tls11` and `Tls12`; check that it is `Tls12`. |
| Logging & Monitoring | Access Logging | True | The `DataPlaneRequests` diagnostic category records each request with its operation type, resource, HTTP status, client IP address and request charge; `QueryRuntimeStatistics` adds query details. | Requires a diagnostic setting with a destination (Log Analytics workspace, storage account or Event Hub). Query text is only captured when full-text query logging is enabled. |
| Logging & Monitoring | Audit Logging | True | The `ControlPlaneRequests` category captures account-level changes such as key regeneration, network rule and role assignment changes; data-plane operations come from the categories above. Control-plane changes are also recorded in the Azure Activity Log independently of diagnostic settings. | Requires enabling diagnostic logs; the Activity Log has its own 90-day retention unless exported. |
| Logging & Monitoring | Log Retention | True | Retention is configured on the Log Analytics workspace (or per table). | For long-term or immutable retention, archive the same diagnostic categories to a storage account with an immutability policy. |
| Logging & Monitoring | Monitoring & Alerting | True | Azure Monitor provides metrics and alerting for Cosmos DB. | |
| Network Security | API Gateway Integration | True | Azure API Management can be used to expose a REST API on top of Cosmos DB. | Indirectly. |
| Network Security | DDoS Protection | True | Azure provides DDoS protection for the underlying infrastructure. | Inherited from the Azure platform. |
| Network Security | Firewall Rules | True | IP firewall rules (`ipRules`) limit which public addresses can reach the account; VNet service endpoints (`virtualNetworkRules` with `isVirtualNetworkFilterEnabled`) admit listed subnets. | A new account accepts all networks until a rule is added. The IP rule `0.0.0.0` means "accept connections from within public Azure datacenters" and admits any Azure-hosted client, not just your own. |
| Network Security | Private Access | True | Azure Private Link private endpoints expose the account on a private IP inside your VNet. | Set `publicNetworkAccess` to `Disabled` once the private endpoint is in place; otherwise the public endpoint stays reachable, subject only to the firewall rules. |
| Secure Development Lifecycle (SDL) | API Design Principles | True | The Azure REST API follows Microsoft's SDL. | Applies to the Azure management API. |
| Secure Development Lifecycle (SDL) | Code Review & Testing | True | Microsoft performs security testing and code reviews of the Azure platform. | Applies to the Azure platform. |
| Vulnerability Management & Patching | Security Updates | True | Microsoft is responsible for patching the Cosmos DB service. | Microsoft manages the service. |
| Vulnerability Management & Patching | Vulnerability Scanning | True | Microsoft performs vulnerability scanning of the Azure platform. | Microsoft manages the service. |