01 Run create-db-cluster-snapshot command (OSX/Linux/UNIX) to take a snapshot of the source (unencrypted) Amazon DocumentDB database cluster:
aws docdb create-db-cluster-snapshot \
  --region us-east-1 \
  --db-cluster-snapshot-identifier cc-prod-cluster-snapshot \
  --db-cluster-identifier cc-prod-docdb-cluster
02 The command output should return the new DocumentDB cluster snapshot metadata:
{
  "DBClusterSnapshot": {
    "AvailabilityZones": [
      "us-east-1a",
      "us-east-1b",
      "us-east-1c",
      "us-east-1d",
      "us-east-1e",
      "us-east-1f"
    ],
    "DBClusterSnapshotIdentifier": "cc-prod-cluster-snapshot",
    "DBClusterIdentifier": "cc-prod-docdb-cluster",
    "SnapshotCreateTime": "2022-10-19T10:04:17.179000+00:00",
    "Engine": "docdb",
    "Status": "creating",
    "Port": 0,
    "ClusterCreateTime": "2022-10-19T09:25:41.126000+00:00",
    "MasterUsername": "awsmanager",
    "EngineVersion": "3.6.0",
    "SnapshotType": "manual",
    "PercentProgress": 0,
    "StorageEncrypted": true,
    "DBClusterSnapshotArn": "arn:aws:rds:us-east-1:123456789012:cluster-snapshot:cc-prod-cluster-snapshot"
  }
}
03 Run restore-db-cluster-from-snapshot command (OSX/Linux/UNIX) to launch a new Amazon DocumentDB database cluster from the snapshot created at the previous step. The snapshot must have reached the "available" status before it can be restored. To enable encryption at rest for the new database cluster, include the --kms-key-id parameter in the command request. For the master key, you can use the AWS-managed key provided by default or your own Customer Managed Key (CMK):
aws docdb restore-db-cluster-from-snapshot \
  --region us-east-1 \
  --db-cluster-identifier cc-prod-encrypted-cluster \
  --snapshot-identifier cc-prod-cluster-snapshot \
  --engine docdb \
  --port 27017 \
  --vpc-security-group-ids sg-abcdabcdabcdabcd \
  --availability-zones us-east-1a us-east-1b us-east-1c us-east-1d \
  --kms-key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-1234abcd1234
04 The command output should return the configuration information available for the new Amazon DocumentDB cluster:
{
  "DBCluster": {
    "AvailabilityZones": [
      "us-east-1a",
      "us-east-1d",
      "us-east-1b"
    ],
    "BackupRetentionPeriod": 7,
    "DBClusterIdentifier": "cc-prod-encrypted-cluster",
    "DBClusterParameterGroup": "default.docdb3.6",
    "DBSubnetGroup": "default",
    "Status": "creating",
    "Endpoint": "cc-prod-encrypted-cluster.cluster-abcdabcdabcd.us-east-1.docdb.amazonaws.com",
    "ReaderEndpoint": "cc-prod-encrypted-cluster.cluster-ro-abcdabcdabcd.us-east-1.docdb.amazonaws.com",
    "MultiAZ": false,
    "Engine": "docdb",
    "EngineVersion": "3.6.0",
    "Port": 27017,
    "MasterUsername": "awsmanager",
    "PreferredBackupWindow": "00:00-00:30",
    "PreferredMaintenanceWindow": "thu:10:00-thu:10:30",
    "ReadReplicaIdentifiers": [],
    "DBClusterMembers": [],
    "VpcSecurityGroups": [
      {
        "VpcSecurityGroupId": "sg-0abcd1234abcd1234",
        "Status": "active"
      }
    ],
    "StorageEncrypted": true,
    "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-1234abcd1234",
    "DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:cc-prod-encrypted-cluster",
    "AssociatedRoles": [],
    "ClusterCreateTime": "2022-10-19T10:13:59.266000+00:00",
    "DeletionProtection": false
  }
}
05 Run create-db-instance command (OSX/Linux/UNIX) to add a new database instance to the newly created Amazon DocumentDB cluster. Run this command for each instance that you want to add to your database cluster. Encryption at rest will be enabled for all the database instances associated with the specified DocumentDB cluster:
aws docdb create-db-instance \
  --region us-east-1 \
  --db-instance-identifier cc-prod-encrypted-cluster-001 \
  --db-instance-class db.r4.large \
  --engine docdb \
  --availability-zone us-east-1a \
  --db-cluster-identifier cc-prod-encrypted-cluster
06 The command output should return the configuration information available for the new database instance:
{
  "DBInstance": {
    "Engine": "docdb",
    "AvailabilityZone": "us-east-1a",
    "DBInstanceStatus": "creating",
    "PubliclyAccessible": false,
    "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-1234abcd1234",
    "StorageEncrypted": true,
    "AutoMinorVersionUpgrade": true,
    ...
    "PreferredMaintenanceWindow": "sun:04:35-sun:05:05",
    "EngineVersion": "3.6.0",
    "DBClusterIdentifier": "cc-prod-encrypted-cluster",
    "DBInstanceClass": "db.r4.large",
    "BackupRetentionPeriod": 7,
    "DBInstanceIdentifier": "cc-prod-encrypted-cluster-001",
    "PendingModifiedValues": {}
  }
}
07 (Optional) Run delete-db-cluster command (OSX/Linux/UNIX) to terminate the source (unencrypted) Amazon DocumentDB database cluster in order to stop incurring charges for the resource. Use the --no-skip-final-snapshot parameter, together with --final-db-snapshot-identifier to name the snapshot (the request is rejected without it), to create a final snapshot before the cluster is deleted:
aws docdb delete-db-cluster \
  --region us-east-1 \
  --db-cluster-identifier cc-prod-docdb-cluster \
  --no-skip-final-snapshot \
  --final-db-snapshot-identifier cc-prod-docdb-cluster-final-snapshot
08 The output should return the delete-db-cluster command request metadata:
{
  "DBCluster": {
    "MasterUsername": "ccdocdbuser",
    "Status": "deleting",
    "LatestRestorableTime": "2022-10-19T10:27:38.543Z",
    "PreferredBackupWindow": "00:00-00:30",
    "DBSubnetGroup": "default",
    "BackupRetentionPeriod": 7,
    ...
    "PreferredMaintenanceWindow": "sun:10:04-sun:10:34",
    "Engine": "docdb",
    "ClusterCreateTime": "2022-10-19T10:14:43.111Z",
    "EngineVersion": "3.6.0",
    "DBClusterIdentifier": "cc-prod-docdb-cluster"
  }
}
09 Repeat steps no. 1 – 8 for each DocumentDB database cluster that you want to encrypt, available in the selected AWS region.
10 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
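Steps 1 to 6 above can be scripted so that each cluster is migrated the same way and the result is actually verified. The script below is an added example, not part of this remediation page or of the AWS CLI; it wraps the same aws docdb commands, blocks until the snapshot and the restored cluster are "available" (restoring from a snapshot that is still "creating" fails), and only reports success when the new cluster shows StorageEncrypted true under the intended KMS key. It assumes the aws CLI is on PATH with credentials configured; the snapshot name suffix, the instance naming scheme and the injectable runner/sleep hooks are constructed for this example.

```python
import json
import subprocess
import time


def run_aws(args, runner=subprocess.run):
    """Run `aws docdb <args>` and return the parsed JSON response."""
    proc = runner(["aws", "docdb", *args, "--output", "json"],
                  check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def wait_until(status_fn, wanted="available", attempts=240, poll=15, sleep=time.sleep):
    """Poll status_fn() every `poll` seconds until it reports `wanted`.
    Snapshots and clusters come back as 'creating' at first, and restoring
    from a snapshot that is not yet 'available' fails, so the flow blocks here."""
    for _ in range(attempts):
        status = status_fn()
        if status == wanted:
            return status
        if status in ("failed", "deleting"):
            raise RuntimeError(f"unexpected status: {status}")
        sleep(poll)
    raise TimeoutError(f"status did not reach {wanted!r}")


def verify_encrypted(cluster, kms_key_arn):
    """True only if the cluster reports encrypted storage under the intended key."""
    return bool(cluster.get("StorageEncrypted")) and cluster.get("KmsKeyId") == kms_key_arn


def migrate(region, source, target, kms_key_arn, sg_ids, instance_class,
            instances=1, runner=subprocess.run, sleep=time.sleep):
    """Snapshot `source`, restore it as the encrypted `target`, add instances, verify."""
    def aws(*a):
        return run_aws(["--region", region, *a], runner)
    snap = f"{source}-pre-encrypt"  # constructed snapshot naming scheme
    aws("create-db-cluster-snapshot", "--db-cluster-snapshot-identifier", snap,
        "--db-cluster-identifier", source)
    wait_until(lambda: aws("describe-db-cluster-snapshots", "--db-cluster-snapshot-identifier",
                           snap)["DBClusterSnapshots"][0]["Status"], sleep=sleep)
    aws("restore-db-cluster-from-snapshot", "--db-cluster-identifier", target,
        "--snapshot-identifier", snap, "--engine", "docdb", "--kms-key-id", kms_key_arn,
        "--vpc-security-group-ids", *sg_ids)
    wait_until(lambda: aws("describe-db-clusters", "--db-cluster-identifier",
                           target)["DBClusters"][0]["Status"], sleep=sleep)
    for i in range(1, instances + 1):  # constructed instance naming: <target>-001, -002, ...
        aws("create-db-instance", "--db-instance-identifier", f"{target}-{i:03d}",
            "--db-instance-class", instance_class, "--engine", "docdb",
            "--db-cluster-identifier", target)
    cluster = aws("describe-db-clusters", "--db-cluster-identifier", target)["DBClusters"][0]
    return verify_encrypted(cluster, kms_key_arn)
```

Run migrate() once per unencrypted cluster and region; a False return means the restore completed without the expected key, which is the condition this remediation exists to prevent.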