Governance Policies Azure Data Cosmos Db - Azure/az-prototype GitHub Wiki
# Governance policies for Cosmos DB
Domain: azure-data
| Name | Description |
|---|---|
| Cosmos DB with Entra RBAC and private endpoint | Complete Cosmos DB deployment with local auth disabled, RBAC role assignment, private endpoint, and diagnostics |
| Description | Instead |
|---|---|
| Do not use account-level keys for application access | Use Microsoft Entra RBAC with managed identity and Cosmos DB Built-in Data Contributor role |
| Do not use unlimited containers without TTL policy | Set TTL on containers with transient data |
| Do not use Strong consistency unless explicitly justified | Use Session consistency for most workloads |
- Cosmos DB security baseline
- Cosmos DB RBAC
- Cosmos DB private endpoints
- WAF: Cosmos DB service guide
- Cosmos DB continuous backup
- Cosmos DB availability zones
| Check | Severity | Description |
|---|---|---|
| AZ-CDB-001 | Required | Create Cosmos DB account with Entra RBAC and local auth disabled |
| AZ-CDB-002 | Recommended | Do not use Strong consistency for POC workloads |
| AZ-CDB-003 | Recommended | Use autoscale throughput for variable workloads or serverless for POC |
| AZ-CDB-004 | Recommended | Design partition keys based on query patterns, not just cardinality |
| AZ-CDB-005 | Recommended | Enable continuous backup for point-in-time restore |
| AZ-CDB-006 | Recommended | Configure availability zone support on the Cosmos DB account |
| AZ-CDB-007 | Recommended | Enable Microsoft Defender for Cosmos DB |
| AZ-CDB-008 | Recommended | Configure multi-region replication for critical workloads |
| AZ-CDB-009 | Recommended | Implement TTL (time-to-live) on containers with transient data |
| AZ-CDB-010 | Required | Enable diagnostic settings to Log Analytics workspace |
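As an added example (not code from the az-prototype wiki or its agents), the following Python evaluates the checks in the table above that can be read directly from a resource definition, run here against a constructed ARM-style template. The ARM property names it inspects (disableLocalAuth, consistencyPolicy, backupPolicy, locations[].isZoneRedundant, defaultTtl, workspaceId) are the real Microsoft.DocumentDB and Microsoft.Insights schema; the account, database and container names are made up.

```python
import json

# Constructed sample ARM resources (not a real deployment); property names follow the
# Microsoft.DocumentDB / Microsoft.Insights ARM schema. It deliberately fails several checks.
SAMPLE_TEMPLATE = {"resources": [
    {"type": "Microsoft.DocumentDB/databaseAccounts", "name": "cosmos-poc",
     "properties": {
         "disableLocalAuth": False,                        # AZ-CDB-001
         "publicNetworkAccess": "Enabled",
         "consistencyPolicy": {"defaultConsistencyLevel": "Strong"},  # AZ-CDB-002
         "backupPolicy": {"type": "Periodic"},             # AZ-CDB-005
         "locations": [{"locationName": "westeurope", "failoverPriority": 0,
                        "isZoneRedundant": False}]}},      # AZ-CDB-006
    {"type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers",
     "name": "cosmos-poc/appdb/sessions",
     "properties": {"resource": {"id": "sessions"}}},      # no defaultTtl: AZ-CDB-009
    # no Microsoft.Insights/diagnosticSettings resource at all: AZ-CDB-010
]}


def evaluate(template):
    """Return (check_id, severity, message) for every check the template fails.
    Accepts the template as a dict or as a JSON string (e.g. an exported ARM template)."""
    if isinstance(template, str):
        template = json.loads(template)
    res = template.get("resources", [])
    findings = []
    for acct in (r for r in res if r["type"] == "Microsoft.DocumentDB/databaseAccounts"):
        p, name = acct.get("properties", {}), acct["name"]
        if not p.get("disableLocalAuth"):
            findings.append(("AZ-CDB-001", "Required", f"{name}: account keys still usable; set disableLocalAuth and use Entra RBAC"))
        if p.get("consistencyPolicy", {}).get("defaultConsistencyLevel") == "Strong":
            findings.append(("AZ-CDB-002", "Recommended", f"{name}: Strong consistency; Session is sufficient for most POCs"))
        if p.get("backupPolicy", {}).get("type") != "Continuous":
            findings.append(("AZ-CDB-005", "Recommended", f"{name}: backupPolicy.type is not Continuous"))
        if not all(loc.get("isZoneRedundant") for loc in p.get("locations", [])):
            findings.append(("AZ-CDB-006", "Recommended", f"{name}: a location is not zone redundant"))
    for c in (r for r in res if r["type"].endswith("/sqlDatabases/containers")):
        if c.get("properties", {}).get("resource", {}).get("defaultTtl") is None:
            findings.append(("AZ-CDB-009", "Recommended", f"{c['name']}: no defaultTtl; set one if the data is transient"))
    diag = [r for r in res if r["type"] == "Microsoft.Insights/diagnosticSettings"]
    if not any(d.get("properties", {}).get("workspaceId") for d in diag):
        findings.append(("AZ-CDB-010", "Required", "no diagnosticSettings resource targets a Log Analytics workspace"))
    return findings


def required_failures(template):
    """IDs of failed Required checks; a non-empty list should block the deployment."""
    return [cid for cid, sev, _ in evaluate(template) if sev == "Required"]
```

AZ-CDB-003, 004, 007 and 008 depend on workload context (traffic shape, query patterns, criticality) and a Defender plan that lives outside the template, so they are left to review rather than automated here.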
### AZ-CDB-001: Create Cosmos DB account with Entra RBAC and local auth disabled
Severity: Required
Rationale: Key-based auth grants full account access and cannot be scoped; Entra RBAC provides fine-grained control
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.DocumentDB/databaseAccounts
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments | Cosmos DB Built-in Data Contributor | RBAC role assignment granting Cosmos DB Built-in Data Contributor to the application identity |
| Microsoft.Network/privateEndpoints | pe-cosmos | Private endpoint for Cosmos DB; required when `publicNetworkAccess` is Disabled |
| Microsoft.Network/privateDnsZones | privatelink.documents.azure.com | Private DNS zone for Cosmos DB private endpoint resolution |
### AZ-CDB-002: Do not use Strong consistency for POC workloads
Severity: Recommended
Rationale: Strong consistency has significant latency and cost implications; Session is sufficient for most POCs
Agents: cloud-architect, terraform-agent, bicep-agent
- Microsoft.DocumentDB/databaseAccounts
### AZ-CDB-003: Use autoscale throughput for variable workloads or serverless for POC
Severity: Recommended
Rationale: Avoids over-provisioning while handling traffic spikes; serverless has no idle cost
Agents: cloud-architect, terraform-agent, bicep-agent, cost-analyst
- Microsoft.DocumentDB/databaseAccounts
### AZ-CDB-004: Design partition keys based on query patterns, not just cardinality
Severity: Recommended
Rationale: Poor partition keys cause hot partitions and throttling
Agents: cloud-architect, app-developer, csharp-developer, python-developer
- Microsoft.DocumentDB/databaseAccounts
### AZ-CDB-005: Enable continuous backup for point-in-time restore
Severity: Recommended
Rationale: WAF Reliability: Continuous backup provides point-in-time restore capability, recovering from accidental destructive operations and restoring deleted resources
Agents: cloud-architect, terraform-agent, bicep-agent
- Microsoft.DocumentDB/databaseAccounts
### AZ-CDB-006: Configure availability zone support on the Cosmos DB account
Severity: Recommended
Rationale: WAF Reliability: Availability zones provide segregated power, networking, and cooling, isolating hardware failures to a subset of replicas
Agents: cloud-architect, terraform-agent, bicep-agent
- Microsoft.DocumentDB/databaseAccounts
### AZ-CDB-007: Enable Microsoft Defender for Cosmos DB
Severity: Recommended
Rationale: WAF Security: Detects attempts to exploit databases, including potential SQL injections, suspicious access patterns, and other exploitation activities
Agents: cloud-architect, security-reviewer
- Microsoft.DocumentDB/databaseAccounts
### AZ-CDB-008: Configure multi-region replication for critical workloads
Severity: Recommended
Rationale: WAF Reliability: Spanning multiple regions ensures workload resilience to regional outages with automatic failover; enable service-managed failover for single-region write accounts
Agents: cloud-architect, terraform-agent, bicep-agent
- Microsoft.DocumentDB/databaseAccounts
### AZ-CDB-009: Implement TTL (time-to-live) on containers with transient data
Severity: Recommended
Rationale: WAF Cost: TTL automatically deletes unnecessary data, keeping the database clutter-free and optimizing storage costs
Agents: cloud-architect, app-developer, csharp-developer, python-developer, terraform-agent, bicep-agent
- Microsoft.DocumentDB/databaseAccounts
### AZ-CDB-010: Enable diagnostic settings to Log Analytics workspace
Severity: Required
Rationale: Audit trail for data access and performance monitoring
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent
- Microsoft.DocumentDB/databaseAccounts
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Insights/diagnosticSettings | diag-cosmos | Diagnostic settings for Cosmos DB to Log Analytics |