Ensure that the Certificate Authority (CA) certificates backing SSL/TLS on your Amazon DocumentDB (with MongoDB compatibility) database instances are rotated before they expire or are deprecated by AWS, as part of standard cloud maintenance and security discipline. AWS issues a new CA every few years, and an instance still pinned to the old one stops accepting TLS connections from clients once that CA expires.
This rule can help you work with the AWS Well-Architected Framework.
To maintain Amazon DocumentDB database security and avoid interrupting the applications that connect to it, rotate the required SSL/TLS certificates by replacing the deprecated Certificate Authority (CA) certificate at the DocumentDB instance level (the CA certificate is an attribute of each instance in a cluster, not of the cluster itself).
Audit
To determine whether the Certificate Authority (CA) certificates configured for your Amazon DocumentDB database instances are outdated, perform the following actions:
Remediation / Resolution
To rotate Certificate Authority (CA) certificates configured for your Amazon DocumentDB database instances, perform the following actions:
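The audit and remediation described above, as an added worked example that is not part of the original page. It consumes the JSON that `aws docdb describe-db-instances` and `aws docdb describe-certificates` print, lists every instance whose `CACertificateIdentifier` differs from the CA your applications already trust, flags CAs that expire within a chosen window, and emits the `aws docdb modify-db-instance --ca-certificate-identifier` call that rotates each instance. The approved CA identifier `rds-ca-rsa2048-g1`, the instance names and the certificate dates are assumptions constructed for the example; substitute the identifier AWS currently lists for your region.

```python
"""Added example: audit DocumentDB instance CA certificates and build the
rotation commands. Input is the JSON emitted by the AWS CLI; the samples
below are constructed for this example and are not real account data."""
import json
from datetime import datetime, timedelta, timezone

# Assumption: the CA bundle your applications have already been updated to
# trust. Check `aws docdb describe-certificates` for the identifiers AWS
# currently offers in your region.
APPROVED_CA = "rds-ca-rsa2048-g1"

# Constructed sample of `aws docdb describe-db-instances` output.
SAMPLE_DESCRIBE_DB_INSTANCES = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "docdb-prod-1", "DBClusterIdentifier": "docdb-prod",
         "Engine": "docdb", "DBInstanceStatus": "available",
         "CACertificateIdentifier": "rds-ca-2019"},
        {"DBInstanceIdentifier": "docdb-prod-2", "DBClusterIdentifier": "docdb-prod",
         "Engine": "docdb", "DBInstanceStatus": "available",
         "CACertificateIdentifier": "rds-ca-rsa2048-g1"},
        {"DBInstanceIdentifier": "docdb-analytics-1",
         "DBClusterIdentifier": "docdb-analytics", "Engine": "docdb",
         "DBInstanceStatus": "available", "CACertificateIdentifier": "rds-ca-2019"},
    ]
})

# Constructed sample of `aws docdb describe-certificates` output (dates are
# illustrative, not authoritative).
SAMPLE_DESCRIBE_CERTIFICATES = json.dumps({
    "Certificates": [
        {"CertificateIdentifier": "rds-ca-2019", "CertificateType": "CA",
         "ValidFrom": "2019-09-19T18:16:53Z", "ValidTill": "2024-08-22T17:08:50Z"},
        {"CertificateIdentifier": "rds-ca-rsa2048-g1", "CertificateType": "CA",
         "ValidFrom": "2021-05-25T22:33:45Z", "ValidTill": "2061-05-22T22:32:44Z"},
    ]
})


def instances_needing_rotation(describe_json, approved_ca=APPROVED_CA):
    """Audit: return (instance_id, current_ca) for each instance that is not
    on the approved CA. A missing attribute is reported rather than skipped."""
    data = json.loads(describe_json)
    return [
        (inst["DBInstanceIdentifier"], inst.get("CACertificateIdentifier", "<unset>"))
        for inst in data.get("DBInstances", [])
        if inst.get("CACertificateIdentifier") != approved_ca
    ]


def cas_expiring_within(certs_json, days, now=None):
    """Return (ca_id, expiry_date) for CAs that expire within `days` of `now`.
    This is what turns 'every few years' into a concrete deadline."""
    now = now or datetime.now(timezone.utc)
    deadline = now + timedelta(days=days)
    hits = []
    for cert in json.loads(certs_json).get("Certificates", []):
        valid_till = datetime.fromisoformat(cert["ValidTill"].replace("Z", "+00:00"))
        if valid_till <= deadline:
            hits.append((cert["CertificateIdentifier"], valid_till.date().isoformat()))
    return hits


def rotation_commands(describe_json, approved_ca=APPROVED_CA, apply_immediately=False):
    """Remediation: one `aws docdb modify-db-instance` call per non-compliant
    instance. Without --apply-immediately the change is applied in the next
    maintenance window; with it the instance restarts now, so only use it after
    every client already trusts the new CA bundle."""
    flag = " --apply-immediately" if apply_immediately else " --no-apply-immediately"
    return [
        f"aws docdb modify-db-instance --db-instance-identifier {iid} "
        f"--ca-certificate-identifier {approved_ca}{flag}"
        for iid, _ in instances_needing_rotation(describe_json, approved_ca)
    ]


if __name__ == "__main__":
    for ca, expiry in cas_expiring_within(SAMPLE_DESCRIBE_CERTIFICATES, days=365):
        print(f"CA {ca} expires {expiry}; instances using it must be rotated")
    for iid, ca in instances_needing_rotation(SAMPLE_DESCRIBE_DB_INSTANCES):
        print(f"NON-COMPLIANT {iid}: using {ca}, expected {APPROVED_CA}")
    for cmd in rotation_commands(SAMPLE_DESCRIBE_DB_INSTANCES):
        print(cmd)
```

In a real run, feed the script the output of `aws docdb describe-db-instances --region <region>` and `aws docdb describe-certificates --region <region>` instead of the embedded samples, and keep the generated commands on `--no-apply-immediately` until the updated CA bundle has been deployed to every client, since the instance restarts when the new certificate is applied.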
Note: Before you configure your DocumentDB database instances to use the new CA certificate, make sure that every application connecting to your DocumentDB databases has been updated to trust the new CA certificate bundle; applying the new certificate restarts the instance, and clients that still trust only the old CA will fail to reconnect.

References
- AWS Documentation
- Security in Amazon DocumentDB
- Updating Your Amazon DocumentDB TLS Certificates
- Modifying an Amazon DocumentDB cluster
- AWS Command Line Interface (CLI) Documentation
- describe-db-clusters
- describe-db-instances
Rule: Rotate SSL/TLS Certificates for DocumentDB Cluster Instances
Risk Level: High