Ensure Cosmos DB account is encrypted with customer-managed keys

Each Cosmos account is encrypted with service-managed keys (managed by Microsoft). Using customer-managed keys adds a second layer of encryption to your account.

Risk Level: Low
Cloud Entity: Azure Cosmos DB
CloudGuard Rule ID: D9.AZU.CRY.29
Covered by Spectral: Yes
Category: Database


CosmosDbAccount should not have keyVaultKeyUri isEmpty()


Important service-managed keys feature is currently available only for new Cosmos DB accounts.

From Portal

  1. Go to 'Azure Cosmos DB' and create a new Cosmos DB account.
  2. On account creation, go to 'Encryption' tab.
  3. Select 'Customer-managed key'.
  4. Fill the 'Key URI' field with the relevant Key URI.

From TF
Set the 'key_vault_key_id' argument to your key URI on deployment:

resource "azurerm_cosmosdb_account" "db" {
	key_vault_key_id = "https://MY-VAULT.vault.azure.net/keys/MY-KEY"

Note: Adding / changing the 'key_vault_key_id' will result in new Cosmos DB account creation.


  1. https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-setup-cmk
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_account#key_vault_key_id

Azure Cosmos DB

Azure Cosmos DB is a fully managed database service with turnkey global distribution and transparent multi-master replication. You can run globally distributed, low-latency operational and analytics workloads and AI on transactional data within your database.

Compliance Frameworks

  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0
  • Azure ITSG-33
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset