Cosmos DB data security options

Vikas Tiwari 766 Reputation points


I need to know what are different best practices around data security in cosmos DB (Sql API). I have some fields with restrictive data but at the same time few people need access to cosmos account for troubleshooting and QA purpose.

I believe cosmos doesn't support data masking at field level. How can I hide restricted fields so that no one can see actual data even though they have access to cosmos?

Azure Cosmos DB
Azure Cosmos DB
An Azure NoSQL database service for app development.
1,528 questions
0 comments No comments
{count} votes

Accepted answer
  1. Oury Ba-MSFT 17,791 Reputation points Microsoft Employee

    @Vikas Tiwari Thank you for posting your query on Microsoft Q&A and for using Azure services.

    My understanding is that you are trying to hide some fields with restrictive data in your Azure Cosmos DB account.
    There is no row level security. However, we do have client-side encryption which can encrypt the values for specific properties.

    Always Encrypted is a feature designed to protect sensitive data, such as credit card numbers or national identification numbers (for example, U.S. social security numbers), stored in Azure Cosmos DB. Always Encrypted allows clients to encrypt sensitive data inside client applications and never reveal the encryption keys to the database.

    The first step to get started with Always Encrypted is to create your CMKs in Azure Key Vault:

    Create a new Azure Key Vault instance or browse to an existing one.
    Create a new key in the Keys section.
    Once the key is created, browse to its current version, and copy its full key identifier:
    https://<my-key-vault><key>/<version>. If you omit the key version at the end of the key identifier, the latest version of the key is used. You can find more details in the below article.

    Use client -side encryption with aways encrypted for Azure Cosmos DB

    Hope that helps.

    Please let me know if you have further queries.


    0 comments No comments

0 additional answers

Sort by: Most helpful