
DocumentDB Encryption Enabled

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: DocumentDB-002

Ensure that encryption of data at rest is enabled for your Amazon DocumentDB (with MongoDB compatibility) database clusters for additional data security and regulatory compliance. The encrypted data includes your DocumentDB cluster's data, indexes, logs, replicas and snapshots. Amazon DocumentDB service handles data encryption and decryption process transparently, with minimal impact on the cluster performance.

This rule can help you with the following compliance standards:

  • PCI
  • HIPAA
  • GDPR
  • APRA
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

The encryption feature provides an additional layer of data protection for your Amazon DocumentDB database clusters and helps you secure your sensitive data against unauthorized access to the underlying storage.


Audit

To determine if encryption at rest is enabled for your Amazon DocumentDB database clusters, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon DocumentDB console at https://console.aws.amazon.com/docdb.

03 In the main navigation panel, under Amazon DocumentDB, choose Clusters.

04 Click on the name (link) of the database cluster that you want to examine.

05 Select the Configuration tab to access the cluster configuration panel.

06 In the Cluster details section, under Security and network, check the Encryption-at-rest configuration attribute value. If the attribute value is set to No, the encryption of data at rest is not enabled for the selected Amazon DocumentDB database cluster.

07 Repeat steps no. 4 – 6 for each DocumentDB database cluster available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-db-clusters command (OSX/Linux/UNIX) to list the names of all Amazon DocumentDB database clusters available within the selected AWS region:

aws docdb describe-db-clusters \
  --region us-east-1 \
  --output table \
  --query 'DBClusters[*].DBClusterIdentifier'

02 The command output should return a table with the requested database cluster names:

---------------------------
|   DescribeDBClusters    |
+-------------------------+
|  cc-prod-docdb-cluster  |
|  cc-test-docdb-cluster  |
+-------------------------+

03 Run describe-db-clusters command (OSX/Linux/UNIX) using the name of the DocumentDB database cluster that you want to examine as the identifier parameter, and custom query filters to describe the encryption feature status of the selected database cluster:

aws docdb describe-db-clusters \
  --region us-east-1 \
  --db-cluster-identifier cc-prod-docdb-cluster \
  --query 'DBClusters[*].StorageEncrypted'

04 The command output should return the feature status (false for disabled, true for enabled):

[
	false
]

If the boolean value returned by the describe-db-clusters command output is false, as shown in the example above, the encryption of data at rest is not enabled for the selected Amazon DocumentDB database cluster.

05 Repeat steps no. 3 and 4 for each DocumentDB database cluster available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
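The CLI audit above, steps 1 to 6, automated as an added example (this is not code from the Conformity page). The parsing part works on the JSON that `aws docdb describe-db-clusters` returns and runs offline on a constructed sample; the optional live walk across regions assumes boto3 is installed and configured. Two caveats a practitioner would want: a missing `StorageEncrypted` key is treated as a finding rather than as "encrypted", and because the DescribeDBClusters API is shared with Amazon RDS and Neptune, the result is filtered on `Engine == "docdb"` so an Aurora cluster is not reported under this rule.

```python
"""Audit Amazon DocumentDB clusters for encryption at rest (rule DocumentDB-002).

Added example, not part of the Conformity page. `find_unencrypted_clusters`
inspects the JSON returned by `aws docdb describe-db-clusters` / boto3's
describe_db_clusters; `audit_all_regions` does the live walk with boto3
(assumed installed and configured).
"""
import json
from typing import Dict, List

RULE_ID = "DocumentDB-002"
RISK_LEVEL = "High"

# Constructed sample of describe-db-clusters output: an unencrypted cluster,
# an encrypted one, one whose flag is missing, and an Aurora cluster that the
# shared API can also return and that must not be reported under this rule.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBClusters": [
        {"DBClusterIdentifier": "cc-prod-docdb-cluster", "Engine": "docdb",
         "StorageEncrypted": False},
        {"DBClusterIdentifier": "cc-test-docdb-cluster", "Engine": "docdb",
         "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"},
        {"DBClusterIdentifier": "cc-legacy-docdb-cluster", "Engine": "docdb"},
        {"DBClusterIdentifier": "cc-aurora-cluster", "Engine": "aurora-mysql",
         "StorageEncrypted": False},
    ]
})


def find_unencrypted_clusters(describe_output: Dict, region: str) -> List[Dict]:
    """Return one finding per DocumentDB cluster whose encryption at rest is not enabled.

    Fails closed: a cluster record without a StorageEncrypted key is reported too,
    since the audit must not assume protection it cannot see.
    """
    findings = []
    for cluster in describe_output.get("DBClusters", []):
        # DescribeDBClusters is shared with RDS/Neptune; keep only DocumentDB clusters.
        if cluster.get("Engine", "docdb") != "docdb":
            continue
        if cluster.get("StorageEncrypted") is not True:
            findings.append({
                "rule": RULE_ID,
                "risk": RISK_LEVEL,
                "region": region,
                "cluster": cluster["DBClusterIdentifier"],
                "message": "encryption at rest is not enabled",
            })
    return findings


def audit_json_text(text: str, region: str) -> List[Dict]:
    """Audit a JSON document captured from `aws docdb describe-db-clusters --region <region>`."""
    return find_unencrypted_clusters(json.loads(text), region)


def audit_all_regions(regions: List[str]) -> List[Dict]:
    """Live audit across regions (assumes boto3 and AWS credentials are available).

    The describe_db_clusters paginator is used so clusters beyond the first
    page of results are not silently skipped.
    """
    import boto3  # imported here so the offline functions run without it
    findings: List[Dict] = []
    for region in regions:
        client = boto3.client("docdb", region_name=region)
        for page in client.get_paginator("describe_db_clusters").paginate():
            findings.extend(find_unencrypted_clusters(page, region))
    return findings


if __name__ == "__main__":
    for f in audit_json_text(SAMPLE_DESCRIBE_OUTPUT, "us-east-1"):
        print(f"[{f['rule']}] {f['risk']}: {f['region']}/{f['cluster']}: {f['message']}")
```

Run the module directly to see the two findings from the constructed sample; call `audit_all_regions(["us-east-1", "eu-west-1"])` from an environment with credentials to audit real accounts.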

Remediation / Resolution

To enable data-at-rest encryption for your existing Amazon DocumentDB clusters, you must re-create your clusters by performing the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"DocumentDBCluster": {
			"Type": "AWS::DocDB::DBCluster",
			"Properties": {
				"DBClusterIdentifier": "cc-prod-docdb-cluster",
				"DBClusterParameterGroupName": "default.docdb3.6",
				"DBSubnetGroupName": "default",
				"MasterUsername": "[docdb-master-username]",
				"MasterUserPassword": "[docdb-master-password]",
				"Port": "27017",
				"PreferredBackupWindow": "07:30-08:30",
				"PreferredMaintenanceWindow": "sat:04:00-sat:05:00",
				"SnapshotIdentifier": "cc-prod-cluster-snapshot",
				"BackupRetentionPeriod": 7,
				"StorageEncrypted": true
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  DocumentDBCluster:
    Type: AWS::DocDB::DBCluster
    Properties:
      DBClusterIdentifier: cc-prod-docdb-cluster
      DBClusterParameterGroupName: default.docdb3.6
      DBSubnetGroupName: default
      MasterUsername: '[docdb-master-username]'
      MasterUserPassword: '[docdb-master-password]'
      Port: '27017'
      PreferredBackupWindow: '07:30-08:30'
      PreferredMaintenanceWindow: sat:04:00-sat:05:00
      SnapshotIdentifier: cc-prod-cluster-snapshot
      BackupRetentionPeriod: 7
      StorageEncrypted: true

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0" 
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_docdb_cluster" "documentdb-cluster" {
	cluster_identifier              = "cc-prod-docdb-cluster"
	engine                          = "docdb"
	db_cluster_parameter_group_name = "default.docdb3.6"
	db_subnet_group_name            = "default"
	port                            = 27017
	master_username                 = "[docdb-master-username]"
	master_password                 = "[docdb-master-password]"
	backup_retention_period         = 7
	preferred_backup_window         = "07:30-08:30"
	preferred_maintenance_window    = "sat:04:00-sat:05:00"
	storage_encrypted               = true
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon DocumentDB console at https://console.aws.amazon.com/docdb.

03 In the main navigation panel, under Amazon DocumentDB, choose Clusters.

04 Select the database cluster that you want to re-create, choose Actions, and select Take snapshot.

05 For Create cluster snapshot, provide a unique name for your cluster snapshot in the Snapshot identifier box, then choose Create to take the cluster snapshot.

06 Select the newly created DocumentDB cluster snapshot, choose Actions, and select Restore.

07 On the Restore snapshot setup page, perform the following operations:

  1. Choose Show advanced settings, select Enable encryption for Encryption-at-rest, and select the encryption master key from the Master key dropdown list. For master key you can use the AWS-managed key provided by default (i.e. (default) aws/rds) or your own Customer Managed Key (CMK).
  2. Configure all the required cluster settings based on your application requirements, then choose Restore cluster to deploy your new Amazon DocumentDB database cluster.

08 (Optional) To delete the source (unencrypted) DocumentDB database cluster in order to avoid additional charges on your AWS bill, perform the following operations:

  1. Select the unencrypted database cluster that you want to delete, choose Actions, and select Delete.
  2. In the confirmation window, choose Yes for Create final cluster snapshot?, provide a name for the cluster snapshot in the Final snapshot name box, type delete entire cluster into the required field to confirm the resource deletion, then choose Delete to remove the cluster from your AWS account.

09 Repeat steps no. 4 – 8 for each DocumentDB database cluster that you want to encrypt, available within the current AWS region.

10 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run create-db-cluster-snapshot command (OSX/Linux/UNIX) to take a snapshot of the source (unencrypted) Amazon DocumentDB database cluster:

aws docdb create-db-cluster-snapshot \
  --region us-east-1 \
  --db-cluster-snapshot-identifier cc-prod-cluster-snapshot \
  --db-cluster-identifier cc-prod-docdb-cluster

02 The command output should return the new DocumentDB cluster snapshot metadata:

{
	"DBClusterSnapshot": {
		"AvailabilityZones": [
			"us-east-1a",
			"us-east-1b",
			"us-east-1c",
			"us-east-1d",
			"us-east-1e",
			"us-east-1f"
		],
		"DBClusterSnapshotIdentifier": "cc-prod-cluster-snapshot",
		"DBClusterIdentifier": "cc-prod-docdb-cluster",
		"SnapshotCreateTime": "2022-10-19T10:04:17.179000+00:00",
		"Engine": "docdb",
		"Status": "creating",
		"Port": 0,
		"ClusterCreateTime": "2022-10-19T09:25:41.126000+00:00",
		"MasterUsername": "awsmanager",
		"EngineVersion": "3.6.0",
		"SnapshotType": "manual",
		"PercentProgress": 0,
		"StorageEncrypted": true,
		"DBClusterSnapshotArn": "arn:aws:rds:us-east-1:123456789012:cluster-snapshot:cc-prod-cluster-snapshot"
	}
}

03 Run restore-db-cluster-from-snapshot command (OSX/Linux/UNIX) to launch a new Amazon DocumentDB database cluster from the snapshot created at the previous step. To enable encryption at rest for the new database cluster, include the --kms-key-id parameter in the command request. For master key, you can use the AWS-managed key provided by default or your own Customer Managed Key (CMK):

aws docdb restore-db-cluster-from-snapshot \
  --region us-east-1 \
  --db-cluster-identifier cc-prod-encrypted-cluster \
  --snapshot-identifier cc-prod-cluster-snapshot \
  --engine docdb \
  --port 27017 \
  --vpc-security-group-ids sg-abcdabcdabcdabcd \
  --availability-zones us-east-1a us-east-1b us-east-1c us-east-1d \
  --kms-key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-1234abcd1234

04 The command output should return the configuration information available for the new Amazon DocumentDB cluster:

{
	"DBCluster": {
		"AvailabilityZones": [
			"us-east-1a",
			"us-east-1d",
			"us-east-1b"
		],
		"BackupRetentionPeriod": 7,
		"DBClusterIdentifier": "cc-prod-encrypted-cluster",
		"DBClusterParameterGroup": "default.docdb3.6",
		"DBSubnetGroup": "default",
		"Status": "creating",
		"Endpoint": "cc-prod-encrypted-cluster.cluster-abcdabcdabcd.us-east-1.docdb.amazonaws.com",
		"ReaderEndpoint": "cc-prod-encrypted-cluster.cluster-ro-abcdabcdabcd.us-east-1.docdb.amazonaws.com",
		"MultiAZ": false,
		"Engine": "docdb",
		"EngineVersion": "3.6.0",
		"Port": 27017,
		"MasterUsername": "awsmanager",
		"PreferredBackupWindow": "00:00-00:30",
		"PreferredMaintenanceWindow": "thu:10:00-thu:10:30",
		"ReadReplicaIdentifiers": [],
		"DBClusterMembers": [],
		"VpcSecurityGroups": [
			{
				"VpcSecurityGroupId": "sg-0abcd1234abcd1234",
				"Status": "active"
			}
		],
		"StorageEncrypted": true,
		"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-1234abcd1234",
		"DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:cc-prod-encrypted-cluster",
		"AssociatedRoles": [],
		"ClusterCreateTime": "2022-10-19T10:13:59.266000+00:00",
		"DeletionProtection": false
	}
}

05 Run create-db-instance command (OSX/Linux/UNIX) to add a new database instance to the newly created Amazon DocumentDB cluster. Run this command for each instance that you want to add to your database cluster. Encryption at rest will be enabled for all the database instances associated with the specified DocumentDB cluster:

aws docdb create-db-instance \
  --region us-east-1 \
  --db-instance-identifier cc-prod-encrypted-cluster-001 \
  --db-instance-class db.r4.large \
  --engine docdb \
  --availability-zone us-east-1a \
  --db-cluster-identifier cc-prod-encrypted-cluster

06 The command output should return the configuration information available for the new database instance:

{
	"DBInstance": {
		"Engine": "docdb",
		"AvailabilityZone": "us-east-1a",
		"DBInstanceStatus": "creating",
		"PubliclyAccessible": false,
		"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-1234abcd1234",
		"StorageEncrypted": true,
		"AutoMinorVersionUpgrade": true,


		...


		"PreferredMaintenanceWindow": "sun:04:35-sun:05:05",
		"EngineVersion": "3.6.0",
		"DBClusterIdentifier": "cc-prod-encrypted-cluster",
		"DBInstanceClass": "db.r4.large",
		"BackupRetentionPeriod": 7,
		"DBInstanceIdentifier": "cc-prod-encrypted-cluster-001",
		"PendingModifiedValues": {}
	}
}

07 (Optional) Run delete-db-cluster command (OSX/Linux/UNIX) to terminate the source (unencrypted) Amazon DocumentDB database cluster in order to stop adding charges for the resource. Use the --no-skip-final-snapshot parameter to create a final snapshot before the cluster is deleted:

aws docdb delete-db-cluster \
  --region us-east-1 \
  --db-cluster-identifier cc-prod-docdb-cluster \
  --no-skip-final-snapshot

08 The output should return the delete-db-cluster command request metadata:

{
	"DBCluster": {
		"MasterUsername": "ccdocdbuser",
		"Status": "deleting",
		"LatestRestorableTime": "2022-10-19T10:27:38.543Z",
		"PreferredBackupWindow": "00:00-00:30",
		"DBSubnetGroup": "default",
		"BackupRetentionPeriod": 7,

		...

		"PreferredMaintenanceWindow": "sun:10:04-sun:10:34",
		"Engine": "docdb",
		"ClusterCreateTime": "2022-10-19T10:14:43.111Z",
		"EngineVersion": "3.6.0",
		"DBClusterIdentifier": "cc-prod-docdb-cluster"
	}
}

09 Repeat steps no. 1 – 8 for each DocumentDB database cluster that you want to encrypt, available in the selected AWS region.

10 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
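The CLI remediation above, steps 1 to 8, as an added example (not code from the Conformity page and not Conformity's own tooling). `plan_reencryption` is a pure function that builds the ordered list of API calls, so the plan can be reviewed before anything runs; `execute_plan` runs it against a boto3 `docdb` client (boto3 is assumed to be installed and configured) and waits for the snapshot, the restored cluster and each instance to become available before the next dependent step. Every identifier and ARN is a constructed placeholder. Two points the page's step list leaves implicit are made explicit: encryption on the restored cluster is selected only through `KmsKeyId` (there is no `StorageEncrypted` parameter on RestoreDBClusterFromSnapshot), and the restored cluster's `StorageEncrypted` flag is verified before any instance is added or the source cluster is touched.

```python
"""Re-create an unencrypted Amazon DocumentDB cluster as an encrypted copy.

Added example for rule DocumentDB-002; not code from the Conformity page.
Mirrors the page's CLI sequence (snapshot -> restore with a KMS key -> add
instances -> delete the source) as boto3 calls. boto3 is assumed to be
installed and configured; all identifiers are constructed placeholders.
"""
import time
from typing import Callable, Dict, List, Tuple

Call = Tuple[str, Dict]  # (boto3 docdb client method name, keyword arguments)


def plan_reencryption(source_cluster: str, new_cluster: str, snapshot_id: str,
                      kms_key_arn: str, instance_ids: List[str],
                      instance_class: str = "db.r5.large",
                      delete_source: bool = False) -> List[Call]:
    """Build the ordered list of API calls. Pure, so it can be reviewed and tested."""
    plan: List[Call] = [
        ("create_db_cluster_snapshot", {
            "DBClusterSnapshotIdentifier": snapshot_id,
            "DBClusterIdentifier": source_cluster}),
        # Encryption is selected by naming the KMS key; RestoreDBClusterFromSnapshot
        # has no StorageEncrypted parameter and an existing cluster cannot be
        # switched to encrypted in place.
        ("restore_db_cluster_from_snapshot", {
            "DBClusterIdentifier": new_cluster,
            "SnapshotIdentifier": snapshot_id,
            "Engine": "docdb",
            "KmsKeyId": kms_key_arn}),
    ]
    for inst in instance_ids:
        plan.append(("create_db_instance", {
            "DBInstanceIdentifier": inst, "DBInstanceClass": instance_class,
            "Engine": "docdb", "DBClusterIdentifier": new_cluster}))
    if delete_source:
        # DeleteDBCluster is refused while the cluster still owns instances, so
        # they are removed first; the cluster is then deleted keeping a final
        # snapshot, the equivalent of the page's --no-skip-final-snapshot.
        plan.append(("delete_source_instances", {"DBClusterIdentifier": source_cluster}))
        plan.append(("delete_db_cluster", {
            "DBClusterIdentifier": source_cluster, "SkipFinalSnapshot": False,
            "FinalDBSnapshotIdentifier": f"{source_cluster}-final"}))
    return plan


def is_encrypted(cluster: Dict) -> bool:
    """True only when the API reports StorageEncrypted as boolean true (fail closed)."""
    return cluster.get("StorageEncrypted") is True


def poll_until(fetch: Callable[[], Dict], ready: Callable[[Dict], bool],
               timeout: float = 3600, interval: float = 30) -> Dict:
    """Call `fetch` until `ready(state)` holds; raise TimeoutError after `timeout` seconds."""
    deadline = time.time() + timeout
    while True:
        state = fetch()
        if ready(state):
            return state
        if time.time() > deadline:
            raise TimeoutError("resource did not become available in time")
        time.sleep(interval)


def execute_plan(client, plan: List[Call]) -> Dict:
    """Run the plan against a boto3 docdb client, waiting between dependent steps.

    Returns the describe_db_clusters record of the restored, verified cluster.
    """
    restored: Dict = {}
    for api, params in plan:
        if api == "delete_source_instances":
            members = client.describe_db_clusters(
                DBClusterIdentifier=params["DBClusterIdentifier"]
            )["DBClusters"][0]["DBClusterMembers"]
            for member in members:
                inst = member["DBInstanceIdentifier"]
                client.delete_db_instance(DBInstanceIdentifier=inst)
                client.get_waiter("db_instance_deleted").wait(DBInstanceIdentifier=inst)
            continue
        getattr(client, api)(**params)
        if api == "create_db_cluster_snapshot":
            poll_until(lambda: client.describe_db_cluster_snapshots(
                           DBClusterSnapshotIdentifier=params["DBClusterSnapshotIdentifier"]
                       )["DBClusterSnapshots"][0],
                       lambda s: s["Status"] == "available")
        elif api == "restore_db_cluster_from_snapshot":
            restored = poll_until(lambda: client.describe_db_clusters(
                                      DBClusterIdentifier=params["DBClusterIdentifier"]
                                  )["DBClusters"][0],
                                  lambda c: c["Status"] == "available")
            # Verify before adding instances or touching the source cluster.
            if not is_encrypted(restored):
                raise RuntimeError(f"{params['DBClusterIdentifier']} is not encrypted")
        elif api == "create_db_instance":
            client.get_waiter("db_instance_available").wait(
                DBInstanceIdentifier=params["DBInstanceIdentifier"])
    return restored


if __name__ == "__main__":
    plan = plan_reencryption("cc-prod-docdb-cluster", "cc-prod-encrypted-cluster",
                             "cc-prod-cluster-snapshot",
                             "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID",
                             ["cc-prod-encrypted-cluster-001"])
    for api, params in plan:
        print(api, params)
    # Live run (assumes boto3 and credentials):
    # import boto3
    # execute_plan(boto3.client("docdb", region_name="us-east-1"), plan)
```

Printing the plan first and only then calling `execute_plan` keeps the destructive `delete_source` branch out of the default path; the source cluster is deleted only when the plan was built with `delete_source=True` and the restored cluster has already passed the `is_encrypted` check.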
