Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Log Exports

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: DocumentDB-004

Ensure that all your Amazon DocumentDB clusters are using the Log Exports feature in order to publish audit logs directly to CloudWatch Logs. The events recorded by Log Exports include events such as successful and failed authentication attempts, creating indexes, or dropping collections in DocumentDB databases.

This rule can help you with the following compliance standards:

  • APRA

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security
Reliability
Performance
efficiency
Operational
excellence

By default, auditing is disabled for all DocumentDB database clusters. Once the Log Exports feature is enabled, Amazon DocumentDB (with MongoDB compatibility) starts sending Data Definition Language (DDL), authentication, authorization, and user management events to CloudWatch Logs, a service that monitors, stores and accesses your log files from a variety of sources within your AWS cloud account. This enables you to analyze, monitor, and archive Amazon DocumentDB auditing events for security and compliance requirements.

Audit

To determine if your Amazon DocumentDB database clusters are using the Log Exports feature to publish audit logs to CloudWatch Logs, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon DocumentDB console at https://console.aws.amazon.com/docdb.

03 In the main navigation panel, under Amazon DocumentDB, choose Clusters.

04 Click on the name (link) of the database cluster that you want to examine.

05 Select the Configuration tab to access the cluster configuration panel.

06 In the Cluster details section, check the CloudWatch logs enabled configuration attribute value. If the CloudWatch logs enabled value is different than audit, the Log Exports feature is not enabled for the selected Amazon DocumentDB database cluster, therefore the database audit logs are not published to CloudWatch Logs.

07 Repeat steps no. 4 – 6 for each DocumentDB database cluster available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Rundescribe-db-clusters command (OSX/Linux/UNIX) to list the names of all Amazon DocumentDB database clusters available within the selected AWS region: 

aws docdb describe-db-clusters
  --region us-east-1
  --output table
  --query 'DBClusters[*].DBClusterIdentifier'

02 The command output should return a table with the requested database cluster names: 

---------------------------
|   DescribeDBClusters    |
+-------------------------+
|  cc-prod-docdb-cluster  |
|  cc-test-docdb-cluster  |
+-------------------------+

03 Run describe-db-clusters command (OSX/Linux/UNIX) using the name of the Amazon DocumentDB database cluster that you want to examine as identifier parameter and custom query filters to list the log types that the selected database cluster is configured to export to CloudWatch Logs: 

aws docdb describe-db-clusters
  --region us-east-1
  --db-cluster-identifier cc-prod-docdb-cluster
  --query 'DBClusters[*].EnabledCloudwatchLogsExports'

04 The command output should return the requested configuration information: 

[]

If the describe-db-clusters command output returns an empty array (i.e. []), as shown in the example above, the Log Exports feature is not enabled for the selected Amazon DocumentDB database cluster.

05 Repeat steps no. 3 and 4 for each DocumentDB database cluster available in the selected AWS region.

06 Change the AWS cloud region by updating the --regioncommand parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To enable Log Exports feature for your existing DocumentDB database clusters in order to publish audit logs to Amazon CloudWatch, perform the following actions:

Note: To fully enable audit logging for your Amazon DocumentDB clusters, ensure that the "audit_logs" parameter is configured within the non-default parameter group associated with your DocumentDB clusters.

Using AWS CloudFormation

01 CloudFormation template (JSON): 

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"DocumentDBClusterParamGroup": {
			"Type": "AWS::DocDB::DBClusterParameterGroup",
			"Properties": {
				"Family": "docdb3.6",
				"Name": "cc-prod-cluster-parameter-group",
				"Parameters": [
					{
						"audit_logs": "enabled"
					}
				]
			}
		},
		"DocumentDBCluster": {
			"Type": "AWS::DocDB::DBCluster",
			"Properties": {
				"DBClusterIdentifier": "cc-prod-docdb-cluster",
				"DBSubnetGroupName": "default",
				"DBClusterParameterGroupName": {
					"Ref": "DocumentDBClusterParamGroup"
				},
				"MasterUsername": "[docdb-master-username]",
				"MasterUserPassword": "[docdb-master-password]",
				"Port": "27017",
				"PreferredBackupWindow": "07:30-08:30",
				"PreferredMaintenanceWindow": "sat:04:00-sat:05:00",
				"SnapshotIdentifier": "cc-prod-cluster-snapshot",
				"StorageEncrypted": true,
				"BackupRetentionPeriod": 7,
				"EnableCloudwatchLogsExports": [
					"audit"
				]
			}
		}
	}
}

02 CloudFormation template (YAML): 

AWSTemplateFormatVersion: '2010-09-09'
	Resources:
	DocumentDBClusterParamGroup:
		Type: AWS::DocDB::DBClusterParameterGroup
		Properties:
		Family: docdb3.6
		Name: cc-prod-cluster-parameter-group
		Parameters:
			- audit_logs: enabled
	DocumentDBCluster:
		Type: AWS::DocDB::DBCluster
		Properties:
		DBClusterIdentifier: cc-prod-docdb-cluster
		DBSubnetGroupName: default
		DBClusterParameterGroupName: !Ref 'DocumentDBClusterParamGroup'
		MasterUsername: '[docdb-master-username]'
		MasterUserPassword: '[docdb-master-password]'
		Port: '27017'
		PreferredBackupWindow: '07:30-08:30'
		PreferredMaintenanceWindow: sat:04:00-sat:05:00
		SnapshotIdentifier: cc-prod-cluster-snapshot
		StorageEncrypted: true
		BackupRetentionPeriod: 7
		EnableCloudwatchLogsExports:
			- audit

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf): 

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0" 
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_docdb_cluster_parameter_group" "docdb-cluster-parameter-group" {
	name   = "cc-prod-cluster-parameter-group"
	family = "docdb3.6"

	parameter {
	name  = "audit_logs"
	value = "enabled"
	}

}

resource "aws_docdb_cluster" "documentdb-cluster" {
	cluster_identifier              = "cc-prod-docdb-cluster"
	engine                          = "docdb"
	db_subnet_group_name            = "default"
	db_cluster_parameter_group_name = aws_docdb_cluster_parameter_group.docdb-cluster-parameter-group.name
	port                            = 27017
	master_username                 = "[docdb-master-username]"
	master_password                 = "[docdb-master-password]"
	storage_encrypted               = true
	backup_retention_period         = 7
	preferred_backup_window         = "07:30-08:30"
	preferred_maintenance_window    = "sat:04:00-sat:05:00"
	enabled_cloudwatch_logs_exports = "audit"
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon DocumentDB console at https://console.aws.amazon.com/docdb.

03 In the main navigation panel, under Amazon DocumentDB, choose Clusters.

04 Click on the name (link) of the database cluster that you want to reconfigure.

05 Select the Configuration tab to access the cluster configuration panel.

06 In the Cluster details section choose Modify to modify the logging configuration settings available for the selected cluster.

07 In the Log exports section, select the Audit logs checkbox to enable audit logging for the selected DocumentDB database cluster.

08 Choose Continue and review the configuration changes that you want to apply, available in the Summary of modifications section.

09 In the Scheduling of modifications section, perform one of the following actions based on your workload requirements:

  1. Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window.
  2. Select Apply immediately to apply the changes right away. With this option any pending modifications will be asynchronously applied as soon as possible, regardless of the maintenance window configured for the selected database cluster. Note that any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your DocumentDB application.
  3. Choose Modify cluster to apply the configuration changes.

10 Repeat steps no. 4 – 9 for each DocumentDB database cluster available within the current AWS region.

11 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run modify-db-cluster command (OSX/Linux/UNIX) to enable the Log Exports feature (i.e. audit logging) for the selected Amazon DocumentDB database cluster. The following command request example makes use of --apply-immediately parameter to apply the configuration changes asynchronously and as soon as possible. Any changes available in the pending modifications queue are also applied with this request. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your DocumentDB application. If you skip adding the --apply-immediately parameter to the command request, Amazon DocumentDB will apply your changes during the next maintenance window: 

aws docdb modify-db-cluster
  --region us-east-1
  --db-cluster-identifier cc-prod-docdb-cluster
  --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit"]}'
  --apply-immediately

02 The command output should return the configuration information available for the modified DocumentDB cluster: 

{
	"DBCluster": {
		"VpcSecurityGroups": [
			{
				"Status": "active",
				"VpcSecurityGroupId": "sg-0abcd1234abcd1234"
			}
		],
		"Status": "available",
		"MultiAZ": false,
		"LatestRestorableTime": "2022-10-18T11:19:01.311Z",
		"PreferredBackupWindow": "00:00-00:30",
		"DBSubnetGroup": "default",
		"BackupRetentionPeriod": 7,
		"PreferredMaintenanceWindow": "sun:10:04-sun:10:34",
		"Engine": "docdb",

		...

		"EarliestRestorableTime": "2022-10-18T12:19:01.311Z",
		"ClusterCreateTime": "2022-10-13T11:11:43.111Z",
		"EngineVersion": "3.6.0",
		"DBClusterIdentifier": "cc-prod-docdb-cluster",
		"StorageEncrypted": true,
		"AssociatedRoles": [],
		"DBClusterParameterGroup": "default.docdb3.6",
		"AvailabilityZones": [
			"us-east-1b",
			"us-east-1c"
		],
		"Port": 27017
	}
}

03 Repeat steps no. 1 and 2 for each Amazon DocumentDB database cluster available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

References

Related DocumentDB rules