We're proud to announce that the Center for Internet Security (CIS) has published the CIS CockroachDB v25.x Benchmark, a comprehensive, consensus-driven security configuration guide for self-hosted CockroachDB deployments.
This is a meaningful milestone for CockroachDB and for the organizations that run it in production. It means that for the first time, security teams, auditors, and platform engineers have an authoritative, independently recognized baseline they can point to when asking: "Are we running CockroachDB securely?"
Beyond improving security, a CIS Benchmark helps organizations standardize database security best practices across environments, which reduces the time spent preparing for audits, responding to security reviews, and validating production configurations. Instead of creating internal hardening guidance from scratch, platform teams can align on a recognized standard, making it easier to scale secure operations.
What are CIS benchmarks and why do they matter?
The Center for Internet Security (CIS) is a community of global cybersecurity experts whose benchmarks provide globally recognized and consensus-driven best practices, guiding security practitioners in effectively configuring, implementing, and managing their cybersecurity defenses.
CIS Benchmarks are used by security teams, auditors, and compliance frameworks worldwide as the de facto standard for secure system configuration. They're referenced in government procurement requirements, enterprise vendor assessments, and regulatory frameworks including FedRAMP, PCI DSS, and HIPAA. Having a CIS Benchmark for CockroachDB means our customers now have a formal, recognized security baseline they can use in audits, in vendor reviews, and in internal compliance programs.
How the CIS CockroachDB Benchmark was developed 
This benchmark didn't come from a single team working in isolation. It was built through CIS's consensus review process, a structured collaboration that drew on real-world operational experience, security research, and compliance expertise from across the industry.
The Cockroach Labs security team worked directly with CIS and a group of external contributors spanning consulting, software development, audit and compliance, security research, and government backgrounds to develop, test, and validate each recommendation. Every control in the benchmark reflects that collaborative process – not just what we think is secure, but what a cross-functional community of practitioners agreed upon.
Special recognition goes to the Cockroach Labs contributors who invested significant time in this effort: Adam Brennick, Ayog Mohanty, Matt Spilchen, Manu Gomez, Kevin Forbes, Emil Andreas Siemes, Biplav Saraf, Alexander Truong; along with Phil White from the Center for Internet Security.
What does the CIS CockroachDB Benchmark cover?
Together, these recommendations provide a practical framework for database hardening rather than a collection of isolated security settings. They address common operational risks, from misconfiguration and unauthorized access to incomplete monitoring and recovery planning, while helping organizations build a more consistent foundation for secure production deployments.
The CIS CockroachDB v25.x Benchmark (v1.0.0) covers six major security domains, with 30 recommendations, all currently classified as Level 1 (practical, prudent, and not disruptive to normal operations):
1. Installation and patches
Getting the basics right matters more than most teams realize. The benchmark establishes controls for verifying binary integrity via SHA-256 checksums, running CockroachDB as a managed systemd service, initializing clusters with full TLS mutual authentication, and absolutely prohibiting the --insecure flag in production. It also covers version consistency across nodes and defines a formal process for zero-downtime rolling upgrades. Encryption at rest key management via an external KMS rounds out this section.
2. System hardening and topology
CockroachDB's distributed architecture makes OS-level hygiene especially important. This section covers NTP clock synchronization (critical for Raft consensus and transaction ordering), running each node as a dedicated process on a separate host, least-privilege service accounts, network segmentation and firewall rules for CockroachDB's ports, disabling Linux memory swap, configuring Transparent Huge Pages, and setting appropriate file descriptor limits.
3. Logging and Monitoring
You can't protect what you can't see. The benchmark defines requirements for enabling and securely storing CockroachDB logs, configuring log rotation and retention, enabling connection and authentication logging via the SESSIONS channel, and implementing external monitoring and alerting with Prometheus/Grafana and Alertmanager.
4. User access and authorization
This section addresses CockroachDB's host-based authentication (HBA) configuration, enforcing SCRAM-SHA-256 for password credentials, securing the root user to certificate-only access from approved jump hosts, and centralizing user lifecycle management. The core message: Default HBA configurations are not hardened – this benchmark tells you exactly what to change and why.
5. Data protection
Backups are only as good as their encryption and recoverability. The benchmark covers encrypting backups using KMS-based or passphrase-based methods (noting that Encryption-at-Rest does not protect backup files), periodically testing restore procedures in non-production environments, and – for multi-region deployments – configuring data localization via REGIONAL BY ROW and zone constraints to meet data residency and sovereignty requirements.
6. CockroachDB settings
The final section closes gaps at the configuration layer: certificate file permissions (private keys must be 0600), redacting sensitive cluster settings and debug bundles, enabling security audit logging across the SESSIONS, USER_ADMIN, PRIVILEGES, and SENSITIVE_ACCESS channels, per-role SQL session idle timeouts, and OCSP certificate revocation checking.
Who should use the CIS CockroachDB Benchmark? 
If you run CockroachDB self-hosted-on-premises, in a private cloud, or on VMs in AWS, GCP, or Azure, this benchmark is for you. It's particularly relevant if your organization:
Operates in a regulated industry (financial services, healthcare, government, retail)
Is subject to compliance frameworks like PCI DSS, HIPAA, FedRAMP, or GDPR
Conducts third-party security assessments or vendor risk reviews
Has a security team that needs a formal baseline for database hardening
Many organizations outside regulated industries also adopt CIS Benchmarks to improve operational consistency across environments, simplify onboarding for new teams, and reduce configuration drift over time. A shared security baseline makes it easier for platform, infrastructure, and security teams to work from the same expectations.
Even if you're not in a regulated space, the benchmark is a practical checklist for anyone who wants to be confident they haven't left obvious configuration gaps open.
Related:
O'Reilly | CockroachDB: The Definitive Guide (2nd Edition) – Go deeper on security, backup and disaster recovery, monitoring, and multi-region deployment planning in this comprehensive guide.
How to use the CIS CockroachDB Benchmark 
The benchmark is available as a free PDF download from the CIS website at benchmarks.cisecurity.org. Each recommendation includes:
A clear description of the control and the rationale behind it
Step-by-step audit procedures to check your current state
Remediation procedures with specific commands and configuration examples
Mappings to CIS Controls v7 and v8 Implementation Groups
Start by reading through the Appendix Summary Table. This gives you a one-page view of all 25 controls and a quick yes/no checklist you can use to assess where you stand today.
We've also published an open-source auditing-cis-benchmark skill in the cockroachdb-skills repository that automates the assessment of self-hosted CockroachDB clusters against all 30 CIS Level 1 controls, supporting both quick scans and full audit procedures.
What's next for the CIS CockroachDB Benchmark? 
This is version 1.0 of the benchmark, covering CockroachDB v25.x. CIS Benchmarks evolve through ongoing community feedback. If you have suggestions, corrections, or want to contribute to future versions, you can participate through the CIS Workbench at workbench.cisecurity.org.
We're also continuing to invest in making secure-by-default configuration easier within the product itself. The benchmark reflects where the bar is today, and we’re here to make reaching that bar as frictionless as possible.
As more organizations adopt the benchmark, it can also provide a common language for conversations between engineering, security, compliance, and auditors. That shared foundation helps reduce friction during security reviews, while making secure deployment practices easier to repeat across teams and environments.
Download the CIS CockroachDB Benchmark: https://www.cisecurity.org/cis-benchmarks
Ayog Mohanty is Senior Compliance Analyst in the GRC team at Cockroach Labs, where he helps the company earn and keep the trust of its customers through rigorous security and compliance programs. His career in GRC spans from risk and compliance at Locus and Infosys to maturing compliance at scale at Cockroach Labs, giving him a practitioner's understanding of what it takes to build trust programs that keep pace with the product.
Adam Brennick is the Director of Security and GRC at Cockroach Labs, where he leads the security engineering and GRC teams responsible for building and scaling the company's security program. His background spans security and compliance across multiple industries, and he brings a practitioner's perspective to the challenge of making programs that are both rigorous and operational, built to hold up under real-world scrutiny, not just audits.







