CockroachDB Cloud Security Overview

This page summarizes the security features available in the two database cluster types offered by CockroachDB Cloud, serverless and dedicated.

A CockroachDB Serverless cluster is deployed for a specific customer on shared (multi-tenant) network and compute infrastructure.

A CockroachDB Dedicated cluster is deployed for a specific customer in a cloud provider's network and compute infrastructure dedicated to that customer. This deployment may be distributed over multiple regions for added disaster resilience. In addition to infrastructure isolation, dedicated clusters can be customized with advanced network, identity-management, and encryption-related security features required for demanding security goals such as PCI DSS compliance.

Refer to Payment Card Industry Data Security Standard (PCI DSS) Compliance in CockroachDB Dedicated.

The following table summarizes the CockroachDB Cloud security features and provides links to detailed documentation for each feature where applicable.

Security Domain                  Serverless   Dedicated   Feature
Authentication                   ✓            ✓           Inter-node and node identity authentication using TLS 1.3
                                 ✓            ✓           Client identity authentication using a username and password
                                 ✓            ✓           SASL/SCRAM-SHA-256 secure password-based authentication
                                              ✓           Cluster DB Console authentication with third-party Single Sign-On (SSO) using OpenID Connect (OIDC) or SAML
                                 ✓            ✓           SQL client authentication with Cluster SSO using CockroachDB Cloud as the identity provider
                                 ✓            ✓           SQL client authentication with Cluster SSO using customer-managed identity providers
                                              ✓           Client identity authentication using PKI certificates
                                              ✓           OCSP certificate revocation protocol
Data Protection                  ✓            ✓           Encryption in flight using TLS 1.3
                                 ✓            ✓           Automatic backups for AWS clusters are encrypted at rest using AWS S3's server-side encryption
                                 ✓            ✓           Automatic backups for GCP clusters are encrypted at rest using Google-managed server-side encryption keys
                                 ✓            ✓           Industry-standard encryption at rest provided at the infrastructure level by your chosen deployment environment, such as Google Cloud Platform (GCP), Amazon Web Services (AWS), or Microsoft Azure
                                              ✓           Customer-Managed Encryption Keys (CMEK)
Access Control (Authorization)   ✓            ✓           SQL users with direct privilege management
                                 ✓            ✓           SQL role-based access control (RBAC)
                                 ✓            ✓           Cloud Organization users with fine-grained access roles
Network Security                 ✓            ✓           SQL-level configuration of allowed authentication attempts by IP address
                                              ✓           Private clusters
                                              ✓           Network-level configuration of allowed IP addresses
                                              ✓           Egress Perimeter Controls
                                              ✓           Private Service Connect (PSC) (preview) for GCP clusters
                                              ✓           VPC Peering for GCP clusters
                                 ✓ (1)        ✓           PrivateLink for AWS clusters
Non-Repudiation                  ✓            ✓           SQL audit logging
                                 ✓            ✓           Cloud Organization audit logging
Availability/Resilience          ✓            ✓           CockroachDB, as a distributed SQL database, is uniquely resilient by nature. A cluster can tolerate node failures as long as the majority of nodes remain functional. See Disaster Recovery.

(1) AWS PrivateLink is in preview for multi-region Serverless clusters, and is not supported for single-region Serverless clusters. Refer to Manage AWS PrivateLink.
