Skill

preparing-compliance-documentation

Guides preparation of compliance documentation for CockroachDB Cloud deployments, covering SOC 2, PCI DSS, ISO 27001, HIPAA, and GDPR certifications. Use when responding to compliance questionnaires, preparing for audits, locating certification documents, or assessing cluster configuration for compliance readiness.

npx claudepluginhub cockroachdb/claude-plugin --plugin cockroachdb

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Guides the preparation of compliance documentation for CockroachDB Cloud deployments by identifying available certifications, mapping security features to compliance controls, and providing a configuration checklist for compliance readiness. Covers SOC 2 Type II, PCI DSS, ISO 27001, HIPAA, and GDPR.

Supporting Assets

references/compliance-matrix.md

SKILL.md

Similar Skills

aws-compliance-checker

36.5k

Runs AWS CLI checks against CIS AWS Foundations, PCI-DSS, HIPAA, and SOC 2 benchmarks for IAM, logging, networking, and more. Use for audits and compliance monitoring.

antigravity-awesome-skills

database-admin

682

Administers cloud databases on AWS (RDS, Aurora, DynamoDB), Azure (SQL, Cosmos), GCP (Cloud SQL, Spanner); automates IaC with Terraform/CloudFormation; optimizes HA/DR, performance, compliance, multi-cloud.

rmyndharis-antigravity-skills

ccm-expert

Provides deep expertise in CSA Cloud Controls Matrix (CCM v4.0): 197 controls across 17 domains, CAIQ questionnaire, cloud service models, shared responsibility, mappings to ISO 27001, SOC 2, PCI-DSS, NIST. For cloud security audits and compliance.

4 tools

csa-ccm

Stats

Stars3

Forks2

Last CommitApr 9, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Preparing Compliance Documentation

When to Use This Skill

Responding to customer security questionnaires about CockroachDB Cloud
Preparing for SOC 2, PCI DSS, or HIPAA compliance audits
Locating CockroachDB Cloud certification documents (SOC 2 reports, PCI AOC, ISO certificates)
Assessing whether a cluster's configuration meets a specific compliance framework
Understanding which compliance features are available on each CockroachDB Cloud plan

Prerequisites

CockroachDB Cloud account — Any plan
Cloud Console access — For downloading compliance documents
Understanding of your compliance requirements — Which frameworks apply to your organization

Steps

1. Identify Available Certifications

CockroachDB Cloud maintains the following certifications and attestations:

Certification	Type	Scope	Where to Find
SOC 2 Type II	Attestation report	Cloud infrastructure and operations	Trust Center or request via support
PCI DSS	Certificate of Compliance (AOC)	Payment data processing	Trust Center or request via support
ISO 27001	Certification	Information security management	Trust Center or request via support
HIPAA	BAA eligibility	Protected health information	Contact sales for BAA execution
GDPR	Compliance	EU personal data protection	DPA available on request

CockroachDB Cloud Trust Center: The Trust Center is the primary location for downloading compliance documents. Access it via the Cloud Console or request documents through a support ticket.

2. Map Compliance Controls to CockroachDB Features

See compliance matrix reference for a detailed mapping of compliance controls to CockroachDB features.

SOC 2 — Key Controls

Control Area	CockroachDB Feature	Configuration Required
Access Control	RBAC, SSO, SCIM	Configure roles, enable SSO
Encryption	TLS (always on), CMEK	Enable CMEK on Advanced plan
Audit Logging	SQL audit logging, log export	Enable audit logging + log export
Network Security	IP allowlists, private endpoints	Configure network restrictions
Availability	Multi-region, managed backups	Built-in on all plans
Change Management	Cluster versioning, Terraform	Use IaC for cluster management

PCI DSS — Key Requirements

Requirement	CockroachDB Feature	Notes
Req 1: Network Security	IP allowlists, private endpoints	Restrict access to cardholder data environment
Req 3: Protect Stored Data	Encryption at rest (default), CMEK	CMEK provides key control
Req 4: Encrypt Transmission	TLS (always on)	Enforced by default
Req 7: Restrict Access	RBAC, least privilege	Use hardening-user-privileges skill
Req 8: Identify Users	SQL users, SSO, MFA	Enable SSO with MFA at IdP
Req 10: Track Access	Audit logging, log export	Enable and export audit logs

HIPAA — Key Safeguards

Safeguard	CockroachDB Feature	Notes
Access Control	RBAC, SSO	Implement least privilege
Audit Controls	Audit logging, log export	Export to SIEM
Integrity	Checksums, replication	Built-in data integrity
Transmission Security	TLS (always on)	Enforced by default
Encryption	Encryption at rest, CMEK	CMEK for key control

HIPAA requirement: A Business Associate Agreement (BAA) must be executed with Cockroach Labs before storing PHI. Contact your account team to execute a BAA.

3. Assess Cluster Configuration for Compliance

Use this checklist to evaluate whether a cluster meets common compliance requirements:

Baseline (All Frameworks)

-- Check password policy
SHOW CLUSTER SETTING server.user_login.min_password_length;
-- Should be >= 12

-- Check admin user count
SELECT COUNT(*) AS admin_count FROM [SHOW GRANTS ON ROLE admin];
-- Should be minimized (1-3)

-- Check audit logging
SHOW CLUSTER SETTING sql.log.admin_audit.enabled;
SHOW CLUSTER SETTING sql.log.user_audit;
-- Should be enabled

-- Check PUBLIC role privileges
SELECT database_name, privilege_type
FROM [SHOW GRANTS FOR public]
WHERE privilege_type NOT IN ('USAGE')
  AND schema_name = 'public';
-- Should return no rows for application databases

# Check network security
ccloud cluster networking allowlist list <cluster-id> -o json
# Should NOT contain 0.0.0.0/0

# Check SSO configuration (Cloud Console)
# Verify in Cloud Console > Organization Settings > Authentication

# Check CMEK (Advanced plan)
ccloud cluster info <cluster-name> -o json
# Check for cmek_config

# Check log export (Advanced plan)
# Look for log_export_config in cluster info output

Advanced Compliance (SOC 2 + PCI DSS + HIPAA)

Check	Command/Location	Expected State
SSO enabled	Cloud Console	Enabled and enforced
SCIM provisioning	Cloud Console	Enabled
CMEK enabled	`ccloud cluster info`	Enabled with valid key
Audit logging	SQL: `SHOW CLUSTER SETTING sql.log.admin_audit.enabled`	`true`
Log export	`ccloud cluster info`	Configured and ENABLED
IP allowlist	`ccloud cluster networking allowlist list`	No 0.0.0.0/0
Private endpoints	Cloud Console: Networking > Private endpoint	Configured (recommended)
Password policy	SQL: min_password_length	>= 12
Admin count	SQL: admin role grants	<= 3
PUBLIC privileges	SQL: SHOW GRANTS FOR public	Minimal

4. Respond to Security Questionnaires

When responding to customer or auditor questionnaires, reference these standard answers:

Encryption at rest:

CockroachDB Cloud encrypts all data at rest using AES-256
CMEK is available on Advanced plan with Advanced Security Add-on for customer-controlled keys
Key management follows cloud provider best practices (AWS KMS, GCP Cloud KMS, Azure Key Vault)

Encryption in transit:

TLS 1.2+ is enforced on all connections — cannot be disabled
Client certificate authentication (mTLS) is supported

Data residency:

Clusters can be deployed in specific regions to meet data residency requirements
Multi-region clusters keep data within specified regions

Backup and recovery:

Managed backups are automatic on all plans
RPO and RTO depend on plan type and configuration
Backups are encrypted and stored in the same cloud provider

Incident response:

Cockroach Labs maintains a documented incident response plan
Details are available in the SOC 2 Type II report

5. Prepare for Compliance Audits

Before the audit:

Run the auditing-cloud-cluster-security skill to identify gaps
Remediate any FAIL findings using the linked remediation skills
Download current compliance documents from the Trust Center
Document your CockroachDB Cloud configuration with screenshots or Terraform state

During the audit:

Provide the SOC 2 Type II report to demonstrate CockroachDB Cloud's controls
Show your cluster configuration (security audit report) to demonstrate your controls
Demonstrate audit log export and review capability
Show RBAC configuration and access control policies

Compliance documents to have ready:

SOC 2 Type II report (from Trust Center)
PCI AOC (if processing payment data)
ISO 27001 certificate (if required)
BAA (if storing PHI — executed with Cockroach Labs)
DPA (if processing EU personal data)
Your security audit report (from auditing-cloud-cluster-security skill)

Safety Considerations

This skill is read-only. No cluster configuration is modified.
Compliance documents may be confidential. Handle SOC 2 reports and PCI AOCs according to your organization's information classification policy.
Compliance is shared responsibility. CockroachDB Cloud provides the platform controls; your organization is responsible for configuring and using them correctly.

References

Skill references:

Compliance control matrix

Related skills:

auditing-cloud-cluster-security — Automated security posture assessment
configuring-audit-logging — Enable audit logging for compliance
enabling-cmek-encryption — Enable customer-managed encryption keys
configuring-sso-and-scim — Enable SSO and automated provisioning
hardening-user-privileges — Implement least-privilege access
enforcing-password-policies — Configure password requirements
configuring-ip-allowlists — Network access control
configuring-private-connectivity — Private network endpoints
configuring-log-export — Export logs for compliance retention

Official CockroachDB Documentation: