Ensure DocumentDB is encrypted at rest
ID | docdb_encryption_disabled
Severity | high
Vendor | AWS
Resource | DocDB
Tags | reachable
Description
Amazon DocumentDB is a fast, reliable, and fully managed database service. Amazon DocumentDB makes it easy to set up, operate, and scale MongoDB-compatible databases in the cloud.
You encrypt data at rest in your Amazon DocumentDB cluster by specifying the storage encryption option when you create your cluster. Storage encryption is enabled cluster-wide and is applied to all instances, including the primary instance and any replicas. It is also applied to your cluster’s storage volume, data, indexes, logs, automated backups, and snapshots.
Amazon DocumentDB uses the 256-bit Advanced Encryption Standard (AES-256) to encrypt your data using encryption keys stored in AWS Key Management Service (AWS KMS).
On a cluster running with Amazon DocumentDB encryption, not only is the data at rest in the underlying storage encrypted, but so are its automated backups, snapshots, and replicas in the same cluster.
Learn more about this topic at Encrypting Amazon DocumentDB Data at Rest.
Examples
CloudFormation (JSON)
{
  "Resources": {
    "MyDocDB": {
      "Type": "AWS::DocDB::DBCluster",
      "Properties": {
        "MasterUsername": "<username>",
        "MasterUserPassword": "<password>",
        "StorageEncrypted": false (1)
      }
    }
  }
}
(1) StorageEncrypted set to false means that storage encryption is not enabled.
CloudFormation (YAML)
Resources:
  DocDBEnabled:
    Type: AWS::DocDB::DBCluster
    Properties:
      MasterUsername: <name>
      MasterUserPassword: <password>
      StorageEncrypted: false (1)
(1) StorageEncrypted set to false means that storage encryption is not enabled.
Mitigation / Fix
Buildtime
CloudFormation (JSON)
{
  "Resources": {
    "MyDocDB": {
      "Type": "AWS::DocDB::DBCluster",
      "Properties": {
        "MasterUsername": "<username>",
        "MasterUserPassword": "<password>",
        "StorageEncrypted": true (1)
      }
    }
  }
}
(1) StorageEncrypted set to true means that storage encryption is enabled.
CloudFormation (YAML)
Resources:
  DocDBEnabled:
    Type: AWS::DocDB::DBCluster
    Properties:
      MasterUsername: <name>
      MasterUserPassword: <password>
      StorageEncrypted: true (1)
(1) StorageEncrypted set to true means that storage encryption is enabled.
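As an added example (not code from the rule page or from any vendor tool), the following Python script performs this rule's buildtime check over a parsed CloudFormation template: it walks the Resources section, keeps only AWS::DocDB::DBCluster resources, and reports every cluster that is not provably encrypted. A missing StorageEncrypted is reported as a finding because the property is optional and a cluster created without it is unencrypted; a Ref to a template Parameter is resolved through the parameter's Default; and anything that cannot be resolved statically (for example an Fn::If) is reported as unresolved rather than assumed safe. The embedded template, its parameter name and its resource names are constructed for this example.

```python
"""Buildtime check for the docdb_encryption_disabled rule.

Added example: flags AWS::DocDB::DBCluster resources whose StorageEncrypted
property is false, absent, or not statically resolvable.
"""
import json

DOCDB_CLUSTER = "AWS::DocDB::DBCluster"

REASON_MISSING = "StorageEncrypted not set (cluster is created unencrypted)"
REASON_FALSE = "StorageEncrypted is false"
REASON_UNRESOLVED = "StorageEncrypted could not be resolved statically"


def _resolve(value, parameters):
    """Normalise a StorageEncrypted value to True, False or None.

    Accepts JSON booleans, the strings "true"/"false" (any case) and a
    {"Ref": <Parameter>} whose Default is set.  Any other intrinsic
    (Fn::If, Fn::FindInMap, ...) yields None: unknown, not safe.
    """
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        lowered = value.strip().lower()
        if lowered in ("true", "false"):
            return lowered == "true"
        return None
    if isinstance(value, dict) and "Ref" in value:
        param = parameters.get(value["Ref"], {})
        if "Default" in param:
            return _resolve(param["Default"], parameters)
    return None


def check_template(template):
    """Return one finding per DocDB cluster that is not provably encrypted."""
    parameters = template.get("Parameters") or {}
    findings = []
    for name, resource in (template.get("Resources") or {}).items():
        if resource.get("Type") != DOCDB_CLUSTER:
            continue  # only the cluster carries StorageEncrypted
        props = resource.get("Properties") or {}
        if "StorageEncrypted" not in props:
            findings.append({"resource": name, "reason": REASON_MISSING})
            continue
        encrypted = _resolve(props["StorageEncrypted"], parameters)
        if encrypted is True:
            continue
        reason = REASON_FALSE if encrypted is False else REASON_UNRESOLVED
        findings.append({"resource": name, "reason": reason})
    return findings


# Constructed sample template: one cluster per case the check distinguishes,
# plus an instance resource to show that other DocDB types are ignored.
SAMPLE_TEMPLATE = json.loads("""
{
  "Parameters": {
    "EncryptFlag": {"Type": "String", "Default": "false"}
  },
  "Resources": {
    "MyDocDB": {
      "Type": "AWS::DocDB::DBCluster",
      "Properties": {"MasterUsername": "admin", "MasterUserPassword": "placeholder",
                     "StorageEncrypted": false}
    },
    "FixedDocDB": {
      "Type": "AWS::DocDB::DBCluster",
      "Properties": {"MasterUsername": "admin", "MasterUserPassword": "placeholder",
                     "StorageEncrypted": true}
    },
    "ImplicitDocDB": {
      "Type": "AWS::DocDB::DBCluster",
      "Properties": {"MasterUsername": "admin", "MasterUserPassword": "placeholder"}
    },
    "ParamDocDB": {
      "Type": "AWS::DocDB::DBCluster",
      "Properties": {"MasterUsername": "admin", "MasterUserPassword": "placeholder",
                     "StorageEncrypted": {"Ref": "EncryptFlag"}}
    },
    "Instance": {
      "Type": "AWS::DocDB::DBInstance",
      "Properties": {"DBClusterIdentifier": {"Ref": "FixedDocDB"},
                     "DBInstanceClass": "db.r5.large"}
    }
  }
}
""")


if __name__ == "__main__":
    for finding in check_template(SAMPLE_TEMPLATE):
        print(f"{finding['resource']}: {finding['reason']}")
```

A YAML template yields the same dictionary once loaded with yaml.safe_load, although CloudFormation's short-form tags (!Ref, !If) need a loader that understands them. StorageEncrypted is immutable on AWS::DocDB::DBCluster, so switching it to true in an existing stack replaces the cluster rather than encrypting it in place; the fix above is therefore cheapest when applied before the cluster is first created.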