preparing-compliance-documentation
Preparing Compliance Documentation
Guides the preparation of compliance documentation for CockroachDB Cloud deployments by identifying available certifications, mapping security features to compliance controls, and providing a configuration checklist for compliance readiness. Covers SOC 2 Type II, PCI DSS, ISO 27001, HIPAA, and GDPR.
When to Use This Skill
- Responding to customer security questionnaires about CockroachDB Cloud
- Preparing for SOC 2, PCI DSS, or HIPAA compliance audits
- Locating CockroachDB Cloud certification documents (SOC 2 reports, PCI AOC, ISO certificates)
- Assessing whether a cluster's configuration meets a specific compliance framework
- Understanding which compliance features are available on each CockroachDB Cloud plan
Prerequisites
- CockroachDB Cloud account — Any plan
- Cloud Console access — For downloading compliance documents
- Understanding of your compliance requirements — Which frameworks apply to your organization
Steps
1. Identify Available Certifications
CockroachDB Cloud maintains the following certifications and attestations:
| Certification | Type | Scope | Where to Find |
|---|---|---|---|
| SOC 2 Type II | Attestation report | Cloud infrastructure and operations | Trust Center or request via support |
| PCI DSS | Certificate of Compliance (AOC) | Payment data processing | Trust Center or request via support |
| ISO 27001 | Certification | Information security management | Trust Center or request via support |
| HIPAA | BAA eligibility | Protected health information | Contact sales for BAA execution |
| GDPR | Compliance | EU personal data protection | DPA available on request |
CockroachDB Cloud Trust Center: The Trust Center is the primary location for downloading compliance documents. Access it via the Cloud Console or request documents through a support ticket.
2. Map Compliance Controls to CockroachDB Features
See compliance matrix reference for a detailed mapping of compliance controls to CockroachDB features.
SOC 2 — Key Controls
| Control Area | CockroachDB Feature | Configuration Required |
|---|---|---|
| Access Control | RBAC, SSO, SCIM | Configure roles, enable SSO |
| Encryption | TLS (always on), CMEK | Enable CMEK on Advanced plan |
| Audit Logging | SQL audit logging, log export | Enable audit logging + log export |
| Network Security | IP allowlists, private endpoints | Configure network restrictions |
| Availability | Multi-region, managed backups | Built-in on all plans |
| Change Management | Cluster versioning, Terraform | Use IaC for cluster management |
PCI DSS — Key Requirements
| Requirement | CockroachDB Feature | Notes |
|---|---|---|
| Req 1: Network Security | IP allowlists, private endpoints | Restrict access to cardholder data environment |
| Req 3: Protect Stored Data | Encryption at rest (default), CMEK | CMEK provides key control |
| Req 4: Encrypt Transmission | TLS (always on) | Enforced by default |
| Req 7: Restrict Access | RBAC, least privilege | Use hardening-user-privileges skill |
| Req 8: Identify Users | SQL users, SSO, MFA | Enable SSO with MFA at IdP |
| Req 10: Track Access | Audit logging, log export | Enable and export audit logs |
HIPAA — Key Safeguards
| Safeguard | CockroachDB Feature | Notes |
|---|---|---|
| Access Control | RBAC, SSO | Implement least privilege |
| Audit Controls | Audit logging, log export | Export to SIEM |
| Integrity | Checksums, replication | Built-in data integrity |
| Transmission Security | TLS (always on) | Enforced by default |
| Encryption | Encryption at rest, CMEK | CMEK for key control |
HIPAA requirement: A Business Associate Agreement (BAA) must be executed with Cockroach Labs before storing PHI. Contact your account team to execute a BAA.
3. Assess Cluster Configuration for Compliance
Use this checklist to evaluate whether a cluster meets common compliance requirements:
Baseline (All Frameworks)
-- Check password policy
SHOW CLUSTER SETTING server.user_login.min_password_length;
-- Should be >= 12
-- Check admin user count
SELECT COUNT(*) AS admin_count FROM [SHOW GRANTS ON ROLE admin];
-- Should be minimized (1-3)
-- Check audit logging
SHOW CLUSTER SETTING sql.log.admin_audit.enabled;
SHOW CLUSTER SETTING sql.log.user_audit;
-- Should be enabled
-- Check PUBLIC role privileges
SELECT database_name, privilege_type
FROM [SHOW GRANTS FOR public]
WHERE privilege_type NOT IN ('USAGE')
AND schema_name = 'public';
-- Should return no rows for application databases
# Check network security
ccloud cluster networking allowlist list <cluster-id> -o json
# Should NOT contain 0.0.0.0/0
# Check SSO configuration (Cloud Console)
# Verify in Cloud Console > Organization Settings > Authentication
# Check CMEK (Advanced plan)
ccloud cluster info <cluster-name> -o json
# Check for cmek_config
# Check log export (Advanced plan)
# Look for log_export_config in cluster info output
Advanced Compliance (SOC 2 + PCI DSS + HIPAA)
| Check | Command/Location | Expected State |
|---|---|---|
| SSO enabled | Cloud Console | Enabled and enforced |
| SCIM provisioning | Cloud Console | Enabled |
| CMEK enabled | ccloud cluster info |
Enabled with valid key |
| Audit logging | SQL: SHOW CLUSTER SETTING sql.log.admin_audit.enabled |
true |
| Log export | ccloud cluster info |
Configured and ENABLED |
| IP allowlist | ccloud cluster networking allowlist list |
No 0.0.0.0/0 |
| Private endpoints | Cloud Console: Networking > Private endpoint | Configured (recommended) |
| Password policy | SQL: min_password_length | >= 12 |
| Admin count | SQL: admin role grants | <= 3 |
| PUBLIC privileges | SQL: SHOW GRANTS FOR public | Minimal |
4. Respond to Security Questionnaires
When responding to customer or auditor questionnaires, reference these standard answers:
Encryption at rest:
- CockroachDB Cloud encrypts all data at rest using AES-256
- CMEK is available on Advanced plan with Advanced Security Add-on for customer-controlled keys
- Key management follows cloud provider best practices (AWS KMS, GCP Cloud KMS, Azure Key Vault)
Encryption in transit:
- TLS 1.2+ is enforced on all connections — cannot be disabled
- Client certificate authentication (mTLS) is supported
Data residency:
- Clusters can be deployed in specific regions to meet data residency requirements
- Multi-region clusters keep data within specified regions
Backup and recovery:
- Managed backups are automatic on all plans
- RPO and RTO depend on plan type and configuration
- Backups are encrypted and stored in the same cloud provider
Incident response:
- Cockroach Labs maintains a documented incident response plan
- Details are available in the SOC 2 Type II report
5. Prepare for Compliance Audits
Before the audit:
- Run the auditing-cloud-cluster-security skill to identify gaps
- Remediate any FAIL findings using the linked remediation skills
- Download current compliance documents from the Trust Center
- Document your CockroachDB Cloud configuration with screenshots or Terraform state
During the audit:
- Provide the SOC 2 Type II report to demonstrate CockroachDB Cloud's controls
- Show your cluster configuration (security audit report) to demonstrate your controls
- Demonstrate audit log export and review capability
- Show RBAC configuration and access control policies
Compliance documents to have ready:
- SOC 2 Type II report (from Trust Center)
- PCI AOC (if processing payment data)
- ISO 27001 certificate (if required)
- BAA (if storing PHI — executed with Cockroach Labs)
- DPA (if processing EU personal data)
- Your security audit report (from auditing-cloud-cluster-security skill)
Safety Considerations
- This skill is read-only. No cluster configuration is modified.
- Compliance documents may be confidential. Handle SOC 2 reports and PCI AOCs according to your organization's information classification policy.
- Compliance is shared responsibility. CockroachDB Cloud provides the platform controls; your organization is responsible for configuring and using them correctly.
References
Skill references:
Related skills:
- auditing-cloud-cluster-security — Automated security posture assessment
- configuring-audit-logging — Enable audit logging for compliance
- enabling-cmek-encryption — Enable customer-managed encryption keys
- configuring-sso-and-scim — Enable SSO and automated provisioning
- hardening-user-privileges — Implement least-privilege access
- enforcing-password-policies — Configure password requirements
- configuring-ip-allowlists — Network access control
- configuring-private-connectivity — Private network endpoints
- configuring-log-export — Export logs for compliance retention
Official CockroachDB Documentation:
More from cockroachlabs/cockroachdb-skills
cockroachdb-sql
Use when writing, generating, or optimizing SQL for CockroachDB, designing CockroachDB schemas, or when the user asks about CockroachDB-specific SQL patterns, type mappings, and distributed database best practices. Also use when encountering CockroachDB anti-patterns like missing primary keys, sequential ID hotspots, or incorrect type usage.
33analyzing-range-distribution
Analyzes CockroachDB range distribution across tables and indexes using SHOW RANGES to identify range count, size patterns, leaseholder placement, and replication health. Use when investigating hotspots, uneven data distribution, range fragmentation, or validating zone configuration effects without DB Console access.
29managing-cluster-settings
Reviews, audits, and modifies CockroachDB cluster settings. Self-Hosted has full control over all settings and start flags. Advanced/BYOC can modify most SQL-level settings but infrastructure settings are managed by CRL. Standard has limited settings access — session variables are the primary tuning mechanism. Basic has minimal settings — use session variables and Cloud Console. Use when auditing configuration, tuning performance, or troubleshooting settings-related issues.
27hardening-user-privileges
Hardens CockroachDB user privileges by auditing and tightening role-based access control, reducing admin grants, restricting PUBLIC role permissions, and applying least-privilege principles. Use when reducing excessive privileges, cleaning up admin access, or implementing RBAC best practices.
27auditing-table-statistics
Audits optimizer table statistics for staleness, missing coverage, and data quality issues using SHOW STATISTICS. Use when diagnosing poor query performance, unexpected plan changes, or after bulk data changes to identify stale statistics requiring refresh via CREATE STATISTICS.
27monitoring-background-jobs
Monitors CockroachDB background job health by identifying failed, paused, and long-running jobs using SHOW JOBS and SHOW AUTOMATIC JOBS. Surfaces schema changes, backups/restores, automatic statistics collection, and SQL stats compaction jobs without DB Console access. Use when investigating schema change delays, failed backups, or automatic job issues.
26