DocumentDB logs export should be enabled

DocumentDB does not have auditing enabled by default. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable export of its logs (the audit log, and optionally the profiler log) to CloudWatch Logs.
Impact
Recommended Actions

Follow the appropriate remediation steps below to resolve the issue.
CloudFormation

Enable export logs

```yaml
# Master credentials are required by AWS::DocDB::DBCluster unless restoring
# from a snapshot; they are passed in as parameters here so the template deploys.
Parameters:
  MasterUsername:
    Type: String
  MasterUserPassword:
    Type: String
    NoEcho: true   # keep the password out of stack descriptions and events

Resources:
  GoodExample:
    Type: AWS::DocDB::DBCluster
    Properties:
      DBClusterIdentifier: sample-cluster
      DBClusterParameterGroupName: default.docdb3.6
      MasterUsername: !Ref MasterUsername
      MasterUserPassword: !Ref MasterUserPassword
      # Export both DocumentDB log types to CloudWatch Logs
      EnableCloudwatchLogsExports:
        - audit
        - profiler
  InstanceInstanceExample:
    Type: AWS::DocDB::DBInstance
    Properties:
      # Referencing the cluster resource also orders creation correctly
      DBClusterIdentifier: !Ref GoodExample
      DBInstanceClass: db.r5.large
      DBInstanceIdentifier: sample-cluster-instance-0
```
Terraform

Enable export logs

```hcl
resource "aws_docdb_cluster" "good_example" {
  cluster_identifier = "my-docdb-cluster"
  master_username    = "foo"
  master_password    = "mustbeeightchars" # sample value; source this from a variable or secret
  # The attribute is a list of log types; a bare string is rejected by the provider
  enabled_cloudwatch_logs_exports = ["audit"]
}
```

```hcl
resource "aws_docdb_cluster" "good_example" {
  cluster_identifier = "my-docdb-cluster"
  master_username    = "foo"
  master_password    = "mustbeeightchars" # sample value; source this from a variable or secret
  # Exporting the profiler log also satisfies the check
  enabled_cloudwatch_logs_exports = ["profiler"]
}
```
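The rule behind this check is simple: a DocumentDB cluster is flagged unless its log-export list contains at least one of the two exportable log types. The following Python is an added example, not code from the original page or from the scanner it documents. It applies that rule to two inputs: an AWS::DocDB::DBCluster resource in a CloudFormation template (in JSON form, so no YAML library is needed) and a dictionary in the shape of the `docdb describe-db-clusters` response, whose `DBClusters[]` entries carry an `EnabledCloudwatchLogsExports` list. The sample template and response are constructed for the example, and treating "at least one export type" as passing is an assumption drawn from the two good examples above (one exports audit and profiler, the other only profiler).

```python
"""Check DocumentDB clusters for CloudWatch log export.

Added example (not part of the original page). Evaluates the page's rule against
a CloudFormation template (JSON form) and against a describe_db_clusters-shaped
response. All sample data below is constructed.
"""
import json

# DocumentDB log types that can be exported to CloudWatch Logs.
LOG_EXPORT_TYPES = ("audit", "profiler")

# Constructed sample template: one compliant cluster and one with no exports.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "GoodExample": {
            "Type": "AWS::DocDB::DBCluster",
            "Properties": {
                "DBClusterIdentifier": "sample-cluster",
                "EnableCloudwatchLogsExports": ["audit", "profiler"],
            },
        },
        "BadExample": {
            "Type": "AWS::DocDB::DBCluster",
            "Properties": {"DBClusterIdentifier": "unaudited-cluster"},
        },
        "Instance": {
            "Type": "AWS::DocDB::DBInstance",
            "Properties": {"DBClusterIdentifier": "sample-cluster"},
        },
    }
})

# Constructed sample in the shape of a describe_db_clusters response.
SAMPLE_RESPONSE = {
    "DBClusters": [
        {"DBClusterIdentifier": "prod-docdb", "EnabledCloudwatchLogsExports": ["profiler"]},
        {"DBClusterIdentifier": "legacy-docdb", "EnabledCloudwatchLogsExports": []},
        {"DBClusterIdentifier": "old-docdb"},  # key absent when nothing is exported
    ]
}


def missing_exports(enabled):
    """Return the log types in LOG_EXPORT_TYPES that are not in `enabled`."""
    enabled_set = set(enabled or [])
    return [t for t in LOG_EXPORT_TYPES if t not in enabled_set]


def is_compliant(enabled):
    """Assumption: the check passes when at least one export type is enabled,
    matching the page's good examples (audit+profiler, and profiler alone)."""
    return len(missing_exports(enabled)) < len(LOG_EXPORT_TYPES)


def evaluate(enabled):
    """Build one finding from a list of enabled export types."""
    return {"compliant": is_compliant(enabled), "missing": missing_exports(enabled)}


def check_cloudformation(template_json):
    """Evaluate every AWS::DocDB::DBCluster resource in a JSON template.

    Returns {logical_id: finding}. Instances and other resource types are skipped.
    """
    template = json.loads(template_json)
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::DocDB::DBCluster":
            continue
        props = resource.get("Properties") or {}
        findings[logical_id] = evaluate(props.get("EnableCloudwatchLogsExports"))
    return findings


def check_describe_response(response):
    """Evaluate the clusters in a describe_db_clusters-shaped dict.

    Returns {cluster_identifier: finding}.
    """
    findings = {}
    for cluster in response.get("DBClusters", []):
        findings[cluster["DBClusterIdentifier"]] = evaluate(
            cluster.get("EnabledCloudwatchLogsExports")
        )
    return findings


def non_compliant_ids(findings):
    """Names of clusters that failed the check, sorted for stable output."""
    return sorted(name for name, f in findings.items() if not f["compliant"])


if __name__ == "__main__":
    for name, finding in check_cloudformation(SAMPLE_TEMPLATE).items():
        print(f"template {name}: {finding}")
    for name, finding in check_describe_response(SAMPLE_RESPONSE).items():
        print(f"cluster  {name}: {finding}")
```

To run the second check against a real account, pass the result of `boto3.client("docdb").describe_db_clusters()` to `check_describe_response`; the same data is visible on the command line with `aws docdb describe-db-clusters`. The `missing` list is reported even for compliant clusters so that a cluster exporting only the profiler log still shows that its audit log is not being collected.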
Links