Ensure DocDB TLS is not disabled
ID |
docdb_tls_disabled |
Severity |
high |
Vendor |
AWS |
Resource |
DocDB |
Tags |
reachable |
Description
Amazon DocumentDB is a fast, reliable, and fully managed database service. Amazon DocumentDB makes it easy to set up, operate, and scale MongoDB-compatible databases in the cloud.
TLS can be enabled to encrypt the connection between an application and a DocDB cluster.
Examples
CloudFormation
{
"Resources": {
"MyDocDBParameterGroup": {
"Type": "AWS::DocDB::DBClusterParameterGroup",
"Properties": {
"Description": "docdb cluster parameter group",
"Family": "docdb3.6",
"Name": "test",
"Parameters": {
"tls": "disabled", (1)
"ttl_monitor": "enabled"
}
}
}
}
}| 1 | tls is disabled. |
Resources:
MyDocDBParameterGroup:
Type: AWS::DocDB::DBClusterParameterGroup
Properties:
Description: docdb cluster parameter group
Family: docdb3.6
Name: test
Parameters:
tls: "disabled" (1)
ttl_monitor: "enabled"| 1 | tls is disabled. |
Mitigation / Fix
Buildtime
CloudFormation
{
"Resources": {
"MyDocDBParameterGroup": {
"Type": "AWS::DocDB::DBClusterParameterGroup",
"Properties": {
"Description": "docdb cluster parameter group",
"Family": "docdb3.6",
"Name": "test",
"Parameters": {
"tls": "enabled", (1)
"ttl_monitor": "enabled"
}
}
}
}
}| 1 | tls is enabled. |
Resources:
MyDocDBParameterGroup:
Type: AWS::DocDB::DBClusterParameterGroup
Properties:
Description: docdb cluster parameter group
Family: docdb3.6
Name: test
Parameters:
tls: "enabled" (1)
ttl_monitor: "enabled"| 1 | tls is enabled. |
Runtime
AWS Console
To change the TLS version go to the Amazon DocumentDB Console:
-
In the navigation pane, choose
Clusters. -
Select your cluster.
-
At the bottom of that section, locate the parameter group’s name below Cluster parameter group.