Secure Cosmos DB resources from Accidental Deletion

Prashanth Madi
4 min read, Jul 14, 2023

Azure Cosmos DB is a fully managed NoSQL and relational database for modern app development.

In this blog, we will go over options to:

  • Secure Cosmos DB resources
  • Audit deletions
  • Backup options and the restore process

The image below shows the hierarchy of resources inside a Cosmos DB account.

Securing Account

  1. Use built-in or custom roles in Access control (IAM) to restrict access to specific users and operations. You can find more info on this at Azure role-based access control in Azure Cosmos DB | Microsoft Learn.
  2. Restrict access to specific private/public networks using private endpoints or the IP firewall.
  3. To prevent accidental deletion of the entire account, you can also create a lock at the Cosmos DB account level via the Azure portal, PowerShell or the CLI.

While the option above helps with account deletion, it won't stop deletion of internal resources (database/container) via the account key.

Securing Internal Resources in Account

There are multiple ways to authenticate in Cosmos DB. I have updated the image at Restrict user access to data operations only with Azure Cosmos DB | Microsoft Learn to include RBAC along with ways to restrict key access.

If you are using key-based authentication

As a short-term solution (irrespective of API, NoSQL or Mongo):

  1. Use read-only account keys whenever possible.
  2. Set disableKeyBasedMetadataWriteAccess as described at Azure role-based access control in Azure Cosmos DB | Microsoft Learn. This prevents SDKs from deleting internal resources (database/container) via account key access.

I have set this on one of my own Cosmos DB accounts and received the error below while trying to delete a database using account keys.

const { MongoClient } = require('mongodb');

// Connection URL (the account connection string was left out of the post)
const url = '';
const client = new MongoClient(url);

// Database Name
const dbName = 'prdb3';

async function main() {
  // Use connect method to connect to the server
  await client.connect();

  // Delete the database named above, authenticating with the account key
  // carried in the connection string
  await client.db(dbName).dropDatabase();

  return 'done.';
}

main()
  .then(console.log)
  .catch(console.error)
  .finally(() => client.close());

Long-term solution (requires 1 to 2 days of effort depending on previous usage)

SQL API:

Mongo API:

Audit deletion:

Any operation performed from the portal, PowerShell or the CLI is logged in the Activity log (including deletion of internal resources such as a database or collection).

If it's performed via an SDK using keys, you can use diagnostic logs (this requires a prior setting to pipe logs into Log Analytics or another telemetry system you use).

Here I'm using Log Analytics, and it has listed the IP address that I used to perform the dropDatabase operation, along with the user agent.

Restore Deleted Resources:

Cosmos DB currently provides two different backup options. I would highly recommend switching over to Continuous backup for the reasons listed below.

Periodic

  • Snapshot based.
  • Requires support request to restore.
  • Restore is always done to a new account.

Continuous

Cosmos DB doesn't provide any SLA for the time it takes to restore. It took around 1hr for 4TB of data (providing this number so that you could plan things accordingly).
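The account-level protections from this post (the CanNotDelete lock, disableKeyBasedMetadataWriteAccess, private-network-only access, continuous backup and the diagnostic setting needed for auditing key-based drops) combined into one Bicep deployment. This is an added example, not code from the original post; the account name, lock name, workspace id and the existence of a private endpoint are assumptions.

```bicep
// Added example (not from the original post); names and workspace id are assumed.
param accountName string = 'cosmos-example-account'
param location string = resourceGroup().location
param logAnalyticsWorkspaceId string // resource id of an existing workspace (assumed)

resource account 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' = {
  name: accountName
  location: location
  properties: {
    databaseAccountOfferType: 'Standard'
    locations: [
      {
        locationName: location
        failoverPriority: 0
      }
    ]
    // Keys keep data-plane access but can no longer create or drop
    // databases/containers, so the dropDatabase call above is rejected.
    disableKeyBasedMetadataWriteAccess: true
    // Reachable only through private endpoints (assumed to exist separately).
    publicNetworkAccess: 'Disabled'
    // Point-in-time restore rather than snapshot-based periodic backup.
    backupPolicy: {
      type: 'Continuous'
    }
  }
}

// Blocks deleting the whole account (portal/CLI/PowerShell) until the lock is removed first.
resource deleteLock 'Microsoft.Authorization/locks@2020-05-01' = {
  name: 'cosmos-do-not-delete'
  scope: account
  properties: {
    level: 'CanNotDelete'
  }
}

// Without this, a key-based SDK drop leaves no trace in Log Analytics.
resource diag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'cosmos-to-log-analytics'
  scope: account
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logs: [
      {
        category: 'DataPlaneRequests'
        enabled: true
      }
    ]
  }
}
```

The lock and the metadata write setting only block the paths described above; removing the lock or granting a role that can modify the account still allows deletion, so changes to those should themselves be watched in the Activity log.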
