This page summarizes the security features available in the two database cluster types offered by CockroachDB Cloud, serverless and dedicated.
A CockroachDB Serverless cluster is deployed for a specific customer on shared (multi-tenant) network and compute infrastructure.
A CockroachDB Dedicated cluster is deployed for a specific customer on a cloud provider's network and compute infrastructure dedicated to that customer. This deployment may be distributed over multiple regions for added disaster resilience. In addition to infrastructure isolation, dedicated clusters can be customized with advanced network, identity-management, and encryption-related security features required for high-benchmark security goals such as PCI DSS compliance.
Refer to Payment Card Industry Data Security Standard (PCI DSS) Compliance in CockroachDB Dedicated for details.
The following table summarizes the CockroachDB Cloud security features and provides links to detailed documentation for each feature where applicable.
Security Domain | CockroachDB Serverless | CockroachDB Dedicated | Feature
---|---|---|---
Authentication | ✓ | ✓ | Inter-node and node identity authentication using TLS 1.3
 | ✓ | ✓ | Client identity authentication using a username and password
 | ✓ | ✓ | SASL/SCRAM-SHA-256 secure password-based authentication
 | | ✓ | Cluster DB Console authentication with third-party Single Sign-On (SSO) using OpenID Connect (OIDC) or SAML
 | ✓ | ✓ | SQL client authentication with Cluster SSO using CockroachDB Cloud as identity provider
 | ✓ | ✓ | SQL client authentication with Cluster SSO using customer-managed identity providers
 | | ✓ | Client identity authentication using PKI certificates
 | | ✓ | OCSP certificate revocation protocol
Data Protection | ✓ | ✓ | Encryption-in-flight using TLS 1.3
 | ✓ | ✓ | Automatic backups for AWS clusters are encrypted at rest using AWS S3's server-side encryption
 | ✓ | ✓ | Automatic backups for GCP clusters are encrypted at rest using Google-managed server-side encryption keys
 | ✓ | ✓ | Industry-standard encryption at rest provided at the infrastructure level by your chosen deployment environment, such as Google Cloud Platform (GCP), Amazon Web Services (AWS), or Microsoft Azure
 | | ✓ | Customer-Managed Encryption Keys (CMEK)
Access Control (Authorization) | ✓ | ✓ | SQL users with direct privilege management
 | ✓ | ✓ | SQL role-based access control (RBAC)
 | ✓ | ✓ | Cloud Organization users with fine-grained access roles
Network Security | ✓ | ✓ | SQL-level configuration of allowed authentication attempts by IP address
 | | ✓ | Private clusters
 | | ✓ | Network-level configuration of allowed IP addresses
 | | ✓ | Egress Perimeter Controls
 | | ✓ | Private Service Connect (PSC) (Preview) for GCP clusters
 | | ✓ | VPC Peering for GCP clusters
 | ✓¹ | ✓ | PrivateLink for AWS clusters
Non-Repudiation | ✓ | ✓ | SQL Audit Logging
 | ✓ | ✓ | Cloud Organization Audit Logging
Availability/Resilience | ✓ | ✓ | CockroachDB, as a distributed SQL database, is uniquely resilient by nature. A cluster can tolerate node failures as long as the majority of nodes remain functional. See Disaster Recovery.

¹ AWS PrivateLink is in preview for multi-region Serverless clusters and is not supported for single-region Serverless clusters. Refer to Manage AWS PrivateLink.