> ## Documentation Index
> Fetch the complete documentation index at: https://cockroachlabs.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# CockroachDB Cloud Security Overview

export const InternalLink = ({version, path = "", children, ...props}) => {
  let detectedVersion = version || "stable";
  if (typeof window !== 'undefined' && !version) {
    const match = window.location.pathname.match(/\/docs\/([^/]+)/);
    if (match) {
      detectedVersion = match[1];
    }
  }
  const normalizedPath = path.startsWith("/") ? path.slice(1) : path;
  return <a href={`/docs/${detectedVersion}/${normalizedPath}`} {...props}>
      {children}
    </a>;
};

This page summarizes the security features available in CockroachDB Cloud:

* CockroachDB Standard: Deployed in shared (multi-tenant) network and compute infrastructure. Storage scales automatically according to demand, but the cluster's compute requirements are defined explicitly as part of the cluster's configuration.
* CockroachDB Basic: Deployed in shared (multi-tenant) network and compute infrastructure. Storage and compute scale automatically according to demand, and you are charged only for the storage and activity of your cluster.
* CockroachDB Advanced: Deployed in dedicated network and compute infrastructure. This deployment may be distributed over multiple regions for added disaster-resilience. In addition to infrastructure isolation, Advanced clusters can be customized with advanced network, identity-management, and encryption-related security features required for high benchmark security goals such as <InternalLink path="pci-dss">PCI DSS compliance</InternalLink>. Refer to <InternalLink path="pci-dss">Payment Card Industry Data Security Standard (PCI DSS) Compliance in CockroachDB Advanced</InternalLink>

The following table summarizes the CockroachDB Cloud security features and provides links to detailed documentation for each feature where applicable.

| Security Domain                                                                                          | CockroachDB Basic | CockroachDB Standard | CockroachDB Advanced                                                                                                                                                                                                                                                         | Feature                                                                                                                                                                                                                                                                       |
| -------------------------------------------------------------------------------------------------------- | ----------------- | -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| <InternalLink path="authentication">Authentication</InternalLink>                                        | ✓                 | ✓                    | ✓                                                                                                                                                                                                                                                                            | Inter-node and node identity authentication using TLS 1.3                                                                                                                                                                                                                     |
| ✓                                                                                                        | ✓                 | ✓                    | Client identity authentication using a username and password                                                                                                                                                                                                                 |                                                                                                                                                                                                                                                                               |
| ✓                                                                                                        | ✓                 | ✓                    | <InternalLink version="stable" path="security-reference/scram-authentication">SASL/SCRAM-SHA-256 secure password-based authentication</InternalLink>                                                                                                                         |                                                                                                                                                                                                                                                                               |
|                                                                                                          |                   | ✓                    | Cluster DB console authentication with third-party <InternalLink version="stable" path="sso-db-console">Single Sign On (SSO)</InternalLink> using [OpenID Connect OIDC](https://openid.net/connect) or [SAML](https://wikipedia.org/wiki/Security_Assertion_Markup_Language) |                                                                                                                                                                                                                                                                               |
| ✓                                                                                                        | ✓                 | ✓                    | SQL Client authentication with <InternalLink path="cloud-sso-sql">Cluster SSO</InternalLink> using CockroachDB Cloud as identity provider                                                                                                                                    |                                                                                                                                                                                                                                                                               |
| ✓                                                                                                        | ✓                 | ✓                    | SQL Client authentication with <InternalLink version="stable" path="sso-sql">Cluster SSO</InternalLink> using customer-managed identity providers                                                                                                                            |                                                                                                                                                                                                                                                                               |
|                                                                                                          |                   | ✓                    | Client identity authentication using <InternalLink path="client-certs-advanced">PKI certificates</InternalLink>                                                                                                                                                              |                                                                                                                                                                                                                                                                               |
|                                                                                                          |                   | ✓                    | <InternalLink version="stable" path="manage-certs-revoke-ocsp">OCSP</InternalLink> certificate revocation protocol                                                                                                                                                           |                                                                                                                                                                                                                                                                               |
| Data Protection                                                                                          | ✓                 | ✓                    | ✓                                                                                                                                                                                                                                                                            | Encryption-in-flight using TLS 1.3                                                                                                                                                                                                                                            |
| ✓                                                                                                        | ✓                 | ✓                    | Automatic backups for AWS clusters are encrypted-at-rest using [AWS S3’s server-side encryption](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption)                                                                                                  |                                                                                                                                                                                                                                                                               |
| ✓                                                                                                        | ✓                 | ✓                    | Automatic backups for GCP clusters are encrypted-at-rest using [Google-managed server-side encryption keys](https://cloud.google.com/storage/docs/encryption/default-keys)                                                                                                   |                                                                                                                                                                                                                                                                               |
| ✓                                                                                                        | ✓                 | ✓                    | Industry-standard encryption-at-rest provided at the infrastructure level by your chosen deployment environment, such as Google Cloud Platform (GCP), Amazon Web Services (AWS), or Microsoft Azure.                                                                         |                                                                                                                                                                                                                                                                               |
|                                                                                                          |                   | ✓                    | <InternalLink path="cmek">Customer Managed Encryption Keys (CMEK)</InternalLink>, with <InternalLink path="create-an-advanced-cluster#step-6-configure-advanced-security-features">Advanced security features</InternalLink> enabled.                                        |                                                                                                                                                                                                                                                                               |
| <InternalLink path="authorization">Access Control (Authorization)</InternalLink>                         | ✓                 | ✓                    | ✓                                                                                                                                                                                                                                                                            | SQL users with direct privilege management                                                                                                                                                                                                                                    |
| ✓                                                                                                        | ✓                 | ✓                    | SQL Role-based access control (RBAC)                                                                                                                                                                                                                                         |                                                                                                                                                                                                                                                                               |
| ✓                                                                                                        | ✓                 | ✓                    | Cloud Organization users with fine-grained access roles                                                                                                                                                                                                                      |                                                                                                                                                                                                                                                                               |
| Network Security                                                                                         | ✓                 | ✓                    | ✓                                                                                                                                                                                                                                                                            | <InternalLink path="authentication">SQL-level configuration of allowed authentication attempts by IP address</InternalLink>                                                                                                                                                   |
|                                                                                                          |                   | ✓                    | <InternalLink path="private-clusters">Private Clusters</InternalLink>                                                                                                                                                                                                        |                                                                                                                                                                                                                                                                               |
| ✓                                                                                                        | ✓                 | ✓                    | Network-level Configuration of allowed IP addresses                                                                                                                                                                                                                          |                                                                                                                                                                                                                                                                               |
|                                                                                                          |                   | ✓                    | Egress Perimeter Controls                                                                                                                                                                                                                                                    |                                                                                                                                                                                                                                                                               |
|                                                                                                          | ✓                 | ✓                    | <InternalLink path="network-authorization">Private Service Connect (PSC) for GCP clusters</InternalLink>                                                                                                                                                                     |                                                                                                                                                                                                                                                                               |
|                                                                                                          |                   | ✓                    | <InternalLink path="network-authorization">VPC Peering</InternalLink> for GCP clusters                                                                                                                                                                                       |                                                                                                                                                                                                                                                                               |
|                                                                                                          | ✓                 | ✓                    | PrivateLink for AWS clusters.                                                                                                                                                                                                                                                |                                                                                                                                                                                                                                                                               |
|                                                                                                          |                   | ✓                    | <InternalLink path="egress-private-endpoints">Egress private endpoints</InternalLink>                                                                                                                                                                                        |                                                                                                                                                                                                                                                                               |
| [Non-Repudiation](https://wikipedia.org/wiki/Non-repudiation)                                            | ✓                 | ✓                    | ✓                                                                                                                                                                                                                                                                            | <InternalLink path="sql-audit-logging">SQL Audit Logging</InternalLink>                                                                                                                                                                                                       |
| ✓                                                                                                        | ✓                 | ✓                    | <InternalLink path="cloud-org-audit-logs">Cloud Organization Audit Logging</InternalLink>                                                                                                                                                                                    |                                                                                                                                                                                                                                                                               |
| <InternalLink version="stable" path="demo-cockroachdb-resilience">Availability/Resilience</InternalLink> | ✓                 | ✓                    | ✓                                                                                                                                                                                                                                                                            | CockroachDB, as a distributed SQL database, is uniquely resilient by nature. A cluster can tolerate node failures as long as the majority of nodes remain functional. See <InternalLink version="stable" path="demo-cockroachdb-resilience">Disaster Recovery.</InternalLink> |
