https://github.com/epomatti/azure-cosmos-security
Security features for Cosmos DB
- Host: GitHub
- URL: https://github.com/epomatti/azure-cosmos-security
- Owner: epomatti
- License: mit
- Created: 2024-02-28T00:04:46.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2024-03-01T01:42:04.000Z (over 1 year ago)
- Last Synced: 2025-01-17T18:34:44.991Z (10 months ago)
- Topics: azure, azure-security, cosmos, cosmosdb, go, golang, terraform
- Language: HCL
- Homepage:
- Size: 168 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Azure Cosmos security
Security features for Cosmos DB.
## Setup
Set up the variables:
```sh
cp config/template.tfvars .auto.tfvars
```
Set your IP address in `cosmos_ip_range_filter`.
Create the resources:
```sh
terraform init
terraform apply -auto-approve
```
Use the Go SDK client in the `/client` directory to send data to Cosmos.
Create the `.env` file:
```sh
COSMOS_ENDPOINT="https://.documents.azure.com:443/"
```
Run the client:
```sh
go get
go run .
```
For data operations there are only two [built-in role definitions][1]:
- `Cosmos DB Built-in Data Reader`
- `Cosmos DB Built-in Data Contributor`
## Monitor
Since diagnostic settings are enabled on the account, troubleshooting and auditing can be performed with Azure Monitor.
The query below filters the `AzureDiagnostics` table for data plane requests. With Entra ID authentication each request carries the caller's principal ID (`aadPrincipalId_g`), so the users that access data in the Cosmos DB account can be audited.
> 💡 For this scenario, local authentication should be disabled so that users have to authenticate with Entra ID.
```sql
AzureDiagnostics
| where Category == "DataPlaneRequests" and TimeGenerated > ago(1h)
| project TimeGenerated, aadPrincipalId_g, Resource, OperationName, requestResourceId_s, statusCode_s, clientIpAddress_s, authTokenType_s, keyType_s
```
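As an added example that is not part of this repository, a small Go program in the spirit of the `/client` tool post-processes rows exported from the query above: it groups requests by Entra ID principal and flags any row with no `aadPrincipalId_g`, which means the request was authenticated with an account key rather than Entra ID and should not occur once local authentication is disabled. The sample rows are constructed, and `PrimaryMasterKey` is an assumed placeholder for whatever your workspace records in `keyType_s`.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Record holds the identity-related columns projected by the AzureDiagnostics query above.
type Record struct {
	AadPrincipalID string `json:"aadPrincipalId_g"`
	ClientIP       string `json:"clientIpAddress_s"`
	KeyType        string `json:"keyType_s"`
}
// Finding aggregates the data-plane requests made by one identity.
type Finding struct {
	Requests  int
	IPs       map[string]bool
	LocalAuth bool // no Entra ID principal was recorded, i.e. account-key authentication
}
// Audit groups rows by identity; rows without aadPrincipalId_g are keyed "key:<keyType>" and flagged.
func Audit(raw []byte) (map[string]*Finding, error) {
	var recs []Record
	if err := json.Unmarshal(raw, &recs); err != nil {
		return nil, err
	}
	out := map[string]*Finding{}
	for _, r := range recs {
		id, local := r.AadPrincipalID, false
		if id == "" {
			id, local = "key:"+r.KeyType, true
		}
		f, ok := out[id]
		if !ok {
			f = &Finding{IPs: map[string]bool{}, LocalAuth: local}
			out[id] = f
		}
		f.Requests++
		f.IPs[r.ClientIP] = true
	}
	return out, nil
}
// Sample is a constructed export of the query's output; every value below is made up.
const Sample = `[
	{"aadPrincipalId_g":"11111111-1111-1111-1111-111111111111","clientIpAddress_s":"203.0.113.10","keyType_s":""},
	{"aadPrincipalId_g":"11111111-1111-1111-1111-111111111111","clientIpAddress_s":"203.0.113.11","keyType_s":""},
	{"aadPrincipalId_g":"","clientIpAddress_s":"198.51.100.7","keyType_s":"PrimaryMasterKey"}]`
func main() {
	findings, _ := Audit([]byte(Sample))
	fmt.Printf("%d identities seen; key-authenticated requests present: %v\n", len(findings), findings["key:PrimaryMasterKey"] != nil)
}
```

Any `key:` entry in the output is a request that bypassed Entra ID, which after local authentication is disabled should never appear.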
## Security (other)
The Terraform configuration also applies the following controls:
- The database account is created with a customer-managed key (CMK).
- Diagnostic log collection is enabled.
- Network IP filtering is configured from `cosmos_ip_range_filter`.
---
### Destroy
When done, clean up the resources:
```sh
terraform destroy -auto-approve
```
[1]: https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac#built-in-role-definitions