preparing-compliance-documentation
Guides preparation of compliance documentation for CockroachDB Cloud deployments, covering SOC 2, PCI DSS, ISO 27001, HIPAA, and GDPR certifications. Use when responding to compliance questionnaires, preparing for audits, locating certification documents, or assessing cluster configuration for compliance readiness.
90
88%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Preparing Compliance Documentation
Guides the preparation of compliance documentation for CockroachDB Cloud deployments by identifying available certifications, mapping security features to compliance controls, and providing a configuration checklist for compliance readiness. Covers SOC 2 Type II, PCI DSS, ISO 27001, HIPAA, and GDPR.
When to Use This Skill
- Responding to customer security questionnaires about CockroachDB Cloud
- Preparing for SOC 2, PCI DSS, or HIPAA compliance audits
- Locating CockroachDB Cloud certification documents (SOC 2 reports, PCI AOC, ISO certificates)
- Assessing whether a cluster's configuration meets a specific compliance framework
- Understanding which compliance features are available on each CockroachDB Cloud plan
Prerequisites
- CockroachDB Cloud account — Any plan
- Cloud Console access — For downloading compliance documents
- Understanding of your compliance requirements — Which frameworks apply to your organization
Steps
1. Identify Available Certifications
CockroachDB Cloud maintains the following certifications and attestations:
| Certification | Type | Scope | Where to Find |
|---|---|---|---|
| SOC 2 Type II | Attestation report | Cloud infrastructure and operations | Trust Center or request via support |
| PCI DSS | Certificate of Compliance (AOC) | Payment data processing | Trust Center or request via support |
| ISO 27001 | Certification | Information security management | Trust Center or request via support |
| HIPAA | BAA eligibility | Protected health information | Contact sales for BAA execution |
| GDPR | Compliance | EU personal data protection | DPA available on request |
CockroachDB Cloud Trust Center: The Trust Center is the primary location for downloading compliance documents. Access it via the Cloud Console or request documents through a support ticket.
2. Map Compliance Controls to CockroachDB Features
See compliance matrix reference for a detailed mapping of compliance controls to CockroachDB features.
SOC 2 — Key Controls
| Control Area | CockroachDB Feature | Configuration Required |
|---|---|---|
| Access Control | RBAC, SSO, SCIM | Configure roles, enable SSO |
| Encryption | TLS (always on), CMEK | Enable CMEK on Advanced plan |
| Audit Logging | SQL audit logging, log export | Enable audit logging + log export |
| Network Security | IP allowlists, private endpoints | Configure network restrictions |
| Availability | Multi-region, managed backups | Built-in on all plans |
| Change Management | Cluster versioning, Terraform | Use IaC for cluster management |
PCI DSS — Key Requirements
| Requirement | CockroachDB Feature | Notes |
|---|---|---|
| Req 1: Network Security | IP allowlists, private endpoints | Restrict access to cardholder data environment |
| Req 3: Protect Stored Data | Encryption at rest (default), CMEK | CMEK provides key control |
| Req 4: Encrypt Transmission | TLS (always on) | Enforced by default |
| Req 7: Restrict Access | RBAC, least privilege | Use hardening-user-privileges skill |
| Req 8: Identify Users | SQL users, SSO, MFA | Enable SSO with MFA at IdP |
| Req 10: Track Access | Audit logging, log export | Enable and export audit logs |
HIPAA — Key Safeguards
| Safeguard | CockroachDB Feature | Notes |
|---|---|---|
| Access Control | RBAC, SSO | Implement least privilege |
| Audit Controls | Audit logging, log export | Export to SIEM |
| Integrity | Checksums, replication | Built-in data integrity |
| Transmission Security | TLS (always on) | Enforced by default |
| Encryption | Encryption at rest, CMEK | CMEK for key control |
HIPAA requirement: A Business Associate Agreement (BAA) must be executed with Cockroach Labs before storing PHI. Contact your account team to execute a BAA.
3. Assess Cluster Configuration for Compliance
Use this checklist to evaluate whether a cluster meets common compliance requirements:
Baseline (All Frameworks)
-- Check password policy
SHOW CLUSTER SETTING server.user_login.min_password_length;
-- Should be >= 12
-- Check admin user count
SELECT COUNT(*) AS admin_count FROM [SHOW GRANTS ON ROLE admin];
-- Should be minimized (1-3)
-- Check audit logging
SHOW CLUSTER SETTING sql.log.admin_audit.enabled;
SHOW CLUSTER SETTING sql.log.user_audit;
-- Should be enabled
-- Check PUBLIC role privileges
SELECT database_name, privilege_type
FROM [SHOW GRANTS FOR public]
WHERE privilege_type NOT IN ('USAGE')
AND schema_name = 'public';
-- Should return no rows for application databases# Check network security
ccloud cluster networking allowlist list <cluster-id> -o json
# Should NOT contain 0.0.0.0/0
# Check SSO configuration (Cloud Console)
# Verify in Cloud Console > Organization Settings > Authentication
# Check CMEK (Advanced plan)
ccloud cluster info <cluster-name> -o json
# Check for cmek_config
# Check log export (Advanced plan)
# Look for log_export_config in cluster info outputAdvanced Compliance (SOC 2 + PCI DSS + HIPAA)
| Check | Command/Location | Expected State |
|---|---|---|
| SSO enabled | Cloud Console | Enabled and enforced |
| SCIM provisioning | Cloud Console | Enabled |
| CMEK enabled | ccloud cluster info | Enabled with valid key |
| Audit logging | SQL: SHOW CLUSTER SETTING sql.log.admin_audit.enabled | true |
| Log export | ccloud cluster info | Configured and ENABLED |
| IP allowlist | ccloud cluster networking allowlist list | No 0.0.0.0/0 |
| Private endpoints | Cloud Console: Networking > Private endpoint | Configured (recommended) |
| Password policy | SQL: min_password_length | >= 12 |
| Admin count | SQL: admin role grants | <= 3 |
| PUBLIC privileges | SQL: SHOW GRANTS FOR public | Minimal |
4. Respond to Security Questionnaires
When responding to customer or auditor questionnaires, reference these standard answers:
Encryption at rest:
- CockroachDB Cloud encrypts all data at rest using AES-256
- CMEK is available on Advanced plan with Advanced Security Add-on for customer-controlled keys
- Key management follows cloud provider best practices (AWS KMS, GCP Cloud KMS, Azure Key Vault)
Encryption in transit:
- TLS 1.2+ is enforced on all connections — cannot be disabled
- Client certificate authentication (mTLS) is supported
Data residency:
- Clusters can be deployed in specific regions to meet data residency requirements
- Multi-region clusters keep data within specified regions
Backup and recovery:
- Managed backups are automatic on all plans
- RPO and RTO depend on plan type and configuration
- Backups are encrypted and stored in the same cloud provider
Incident response:
- Cockroach Labs maintains a documented incident response plan
- Details are available in the SOC 2 Type II report
5. Prepare for Compliance Audits
Before the audit:
- Run the auditing-cloud-cluster-security skill to identify gaps
- Remediate any FAIL findings using the linked remediation skills
- Download current compliance documents from the Trust Center
- Document your CockroachDB Cloud configuration with screenshots or Terraform state
During the audit:
- Provide the SOC 2 Type II report to demonstrate CockroachDB Cloud's controls
- Show your cluster configuration (security audit report) to demonstrate your controls
- Demonstrate audit log export and review capability
- Show RBAC configuration and access control policies
Compliance documents to have ready:
- SOC 2 Type II report (from Trust Center)
- PCI AOC (if processing payment data)
- ISO 27001 certificate (if required)
- BAA (if storing PHI — executed with Cockroach Labs)
- DPA (if processing EU personal data)
- Your security audit report (from auditing-cloud-cluster-security skill)
Safety Considerations
- This skill is read-only. No cluster configuration is modified.
- Compliance documents may be confidential. Handle SOC 2 reports and PCI AOCs according to your organization's information classification policy.
- Compliance is shared responsibility. CockroachDB Cloud provides the platform controls; your organization is responsible for configuring and using them correctly.
References
Skill references:
Related skills:
- auditing-cloud-cluster-security — Automated security posture assessment
- configuring-audit-logging — Enable audit logging for compliance
- enabling-cmek-encryption — Enable customer-managed encryption keys
- configuring-sso-and-scim — Enable SSO and automated provisioning
- hardening-user-privileges — Implement least-privilege access
- enforcing-password-policies — Configure password requirements
- configuring-ip-allowlists — Network access control
- configuring-private-connectivity — Private network endpoints
- configuring-log-export — Export logs for compliance retention
Official CockroachDB Documentation:
- Repository
- cockroachlabs/cockroachdb-skills
- Commit
84bc1e4
- Last updated
- Created
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.