Best practice rules for Cosmos DB
- Azure Cosmos DB Accounts Encrypted with Customer-Managed Keys
Use Customer-Managed Keys (CMKs) to encrypt Azure Cosmos DB accounts.
- Check for Minimum TLS Version
Ensure that "Minimum Transport Layer Security Protocol" is set to "TLS 1.2" for Azure Cosmos DB accounts.
- Check for MongoDB Version
Ensure that Azure Cosmos DB for MongoDB accounts are using the latest version of the MongoDB database.
- Check for Virtual Network Integration
Ensure that Azure Cosmos DB accounts are secured with virtual networks (VNets).
- Define Firewall Rules for Azure Cosmos DB Accounts
Ensure that Azure Cosmos DB accounts have at least one IP firewall rule defined to allow trusted access.
- Disable Key-Based Authentication for Azure Cosmos DB Accounts
Avoid using local authentication methods such as access keys for authentication to Cosmos DB accounts.
- Enable Advanced Threat Protection
Ensure that Advanced Threat Protection is enabled for all Microsoft Azure Cosmos DB accounts.
- Enable Automatic Failover
Enable automatic failover for Microsoft Azure Cosmos DB accounts.
- Enable Cross-Region Replication for MongoDB Clusters
Ensure that cross-region replication is enabled for your Azure Cosmos DB for MongoDB clusters.
- Enable Diagnostic Logs for Azure Cosmos DB Accounts
Ensure that Diagnostic Logs are enabled for Azure Cosmos DB accounts.
- Enable Geo-Redundancy for Azure Cosmos DB Clusters
Ensure that geo-redundancy is enabled for Microsoft Azure Cosmos DB accounts.
- Enable High Availability for PostgreSQL Clusters
Ensure that high availability is enabled for your Azure Cosmos DB for PostgreSQL clusters.
- Enable Microsoft Defender for Azure Cosmos DB Accounts
Ensure that Microsoft Defender for Azure Cosmos DB is enabled at the resource level.
- Regenerate Access Keys for Azure Cosmos DB Accounts
Ensure that the access keys for your Azure Cosmos DB accounts are regularly rotated.
- Restrict Default Network Access for Azure Cosmos DB Accounts
Ensure that default network access (i.e. public access) is denied within your Azure Cosmos DB account configuration.
- Use Managed Identities for Azure Cosmos DB Accounts
Ensure that Azure Cosmos DB accounts are using managed identities.
- Use Private Endpoints for Azure Cosmos DB Accounts
Ensure that network access to Azure Cosmos DB accounts is allowed via private endpoints only.
- Use Resource Locks for Azure Cosmos DB Accounts
Ensure that resource locks are enabled for your production Azure Cosmos DB accounts.
- Use Role-Based Access Control for Cosmos DB Data Plane Access
Ensure that Role-Based Access Control (RBAC) is configured for Azure Cosmos DB data plane access.