DocumentDB logs export should be enabled
DocumentDB does not have auditing enabled by default. To be able to audit how your DocumentDB cluster is used, enable CloudWatch log exports on the cluster.
Impact
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Enable export logs (CloudFormation)
Resources:
  GoodExample:
    Type: AWS::DocDB::DBCluster
    Properties:
      BackupRetentionPeriod: 8
      DBClusterIdentifier: sample-cluster
      DBClusterParameterGroupName: default.docdb3.6
      # Export the audit (and profiler) logs to CloudWatch Logs so cluster usage can be reviewed
      EnableCloudwatchLogsExports:
        - audit
        - profiler
      KmsKeyId: your-kms-key-id
  InstanceInstanceExample:
    Type: AWS::DocDB::DBInstance
    Properties:
      AutoMinorVersionUpgrade: true
      AvailabilityZone: us-east-1c
      DBClusterIdentifier: sample-cluster
      DBInstanceClass: db.r5.large
      DBInstanceIdentifier: sample-cluster-instance-0
      PreferredMaintenanceWindow: sat:06:54-sat:07:24
Enable export logs (Terraform)
resource "aws_docdb_cluster" "good_example" {
  cluster_identifier      = "my-docdb-cluster"
  engine                  = "docdb"
  master_username         = "foo"
  master_password         = "mustbeeightchars" # example value only; do not hard-code real credentials
  backup_retention_period = 5
  preferred_backup_window = "07:00-09:00"
  skip_final_snapshot     = true
  # The argument takes a list of log types; "audit" is the one this check looks for
  enabled_cloudwatch_logs_exports = ["audit"]
}
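As an added illustration (not code from this page or from the scanner it documents), the Python below reproduces the check's logic in two places where a defender would apply it: over a CloudFormation template (JSON form, keyed exactly as the template above) and over the shape returned by the DocumentDB describe_db_clusters API (`DBClusters[].EnabledCloudwatchLogsExports`). All sample inputs are constructed.

```python
"""Audit DocumentDB cluster definitions for missing CloudWatch log exports.
Added example, not part of the original check documentation: it inspects a
CloudFormation template (JSON form, so no YAML dependency) and a
describe_db_clusters-style response. All sample inputs below are constructed."""
import json

REQUIRED_EXPORTS = {"audit"}  # the log type this check requires; "profiler" is optional


def _missing(exports):
    """Required export types absent from an export list (None means nothing is exported)."""
    return sorted(REQUIRED_EXPORTS - set(exports or []))


def check_cloudformation(template):
    """Names of AWS::DocDB::DBCluster resources that do not export audit logs."""
    failing = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::DocDB::DBCluster":
            continue  # instances and other resource types carry no export setting
        if _missing(res.get("Properties", {}).get("EnableCloudwatchLogsExports")):
            failing.append(name)
    return failing


def check_describe_response(response):
    """Identifiers of live clusters (docdb describe_db_clusters shape) lacking audit exports."""
    return [c["DBClusterIdentifier"] for c in response.get("DBClusters", [])
            if _missing(c.get("EnabledCloudwatchLogsExports"))]


# Constructed template: a compliant cluster, a cluster with no exports, and a non-cluster resource.
SAMPLE_TEMPLATE = json.loads("""{"Resources": {
  "GoodExample": {"Type": "AWS::DocDB::DBCluster", "Properties": {
    "DBClusterIdentifier": "sample-cluster", "EnableCloudwatchLogsExports": ["audit", "profiler"]}},
  "BadExample": {"Type": "AWS::DocDB::DBCluster", "Properties": {
    "DBClusterIdentifier": "silent-cluster"}},
  "Instance": {"Type": "AWS::DocDB::DBInstance", "Properties": {
    "DBClusterIdentifier": "sample-cluster"}}}}""")

# Constructed response in the shape of docdb describe_db_clusters output.
SAMPLE_RESPONSE = {"DBClusters": [
    {"DBClusterIdentifier": "sample-cluster", "EnabledCloudwatchLogsExports": ["audit"]},
    {"DBClusterIdentifier": "profiler-only", "EnabledCloudwatchLogsExports": ["profiler"]},
]}

if __name__ == "__main__":
    print("template failures:", check_cloudformation(SAMPLE_TEMPLATE))        # ['BadExample']
    print("live cluster failures:", check_describe_response(SAMPLE_RESPONSE))  # ['profiler-only']
```

Note that a cluster exporting only "profiler" still fails: profiler output helps with performance tuning but does not record who ran which operations, which is what the audit log is for.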
Links