DocumentDB logs export should be enabled

DocumentDB does not have auditing enabled by default. To be able to audit the usage of your DocumentDB cluster accurately, enable log export to CloudWatch Logs.

Impact

Limited visibility of the audit trail for changes to the DocumentDB cluster.

Recommended Actions

Follow the appropriate remediation steps below to resolve the issue.
CloudFormation

Enable log export

Resources:
  GoodExample:
    Type: "AWS::DocDB::DBCluster"
    Properties:
      BackupRetentionPeriod: 8
      DBClusterIdentifier: "sample-cluster"
      # Audit entries are only generated when the cluster parameter group sets
      # audit_logs to enabled (and profiler for the profiler stream); the
      # default.* groups leave both disabled, so a custom parameter group is
      # normally needed alongside the export setting below.
      DBClusterParameterGroupName: "default.docdb3.6"
      KmsKeyId: "your-kms-key-id"
      # Ship the audit and profiler log streams to CloudWatch Logs
      EnableCloudwatchLogsExports:
        - audit
        - profiler
  InstanceInstanceExample:
    Type: "AWS::DocDB::DBInstance"
    Properties:
      AutoMinorVersionUpgrade: true
      AvailabilityZone: "us-east-1c"
      # Reference the cluster so CloudFormation creates it before the instance
      DBClusterIdentifier: !Ref GoodExample
      DBInstanceClass: "db.r5.large"
      DBInstanceIdentifier: "sample-cluster-instance-0"
      PreferredMaintenanceWindow: "sat:06:54-sat:07:24"

Terraform

Enable log export

resource "aws_docdb_cluster" "good_example" {
  cluster_identifier      = "my-docdb-cluster"
  engine                  = "docdb"
  # Placeholder credentials from the example; supply real values from a secret store
  master_username         = "foo"
  master_password         = "mustbeeightchars"
  backup_retention_period = 5
  preferred_backup_window = "07:00-09:00"
  skip_final_snapshot     = true
  # The argument takes a list of log types; "audit" is the stream that carries the audit trail
  enabled_cloudwatch_logs_exports = ["audit"]
}
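As an added example (not part of this page or of any policy tool's own code), the following Python check scans a CloudFormation template in JSON form for DocumentDB clusters that would not produce an audit trail: it flags clusters whose EnableCloudwatchLogsExports lacks "audit", and also clusters whose parameter group does not set audit_logs to enabled, which it can only verify when the group is a Ref to an AWS::DocDB::DBClusterParameterGroup in the same template. The sample template, its resource names and the conservative handling of literal parameter group names are assumptions of the example.

```python
import json

DOCDB_CLUSTER = "AWS::DocDB::DBCluster"
DOCDB_PARAM_GROUP = "AWS::DocDB::DBClusterParameterGroup"

def _audit_param_enabled(resources: dict, group_name) -> bool:
    """True only when group_name is a {"Ref": ...} to a template-local parameter
    group with audit_logs=enabled. A literal name such as default.docdb3.6 cannot
    be inspected here and is conservatively treated as not enabled (assumption)."""
    if isinstance(group_name, dict) and "Ref" in group_name:
        group = resources.get(group_name["Ref"], {})
        if group.get("Type") == DOCDB_PARAM_GROUP:
            params = group.get("Properties", {}).get("Parameters", {})
            return str(params.get("audit_logs", "disabled")).lower() == "enabled"
    return False

def check_docdb_audit(template: dict) -> dict:
    """Return {logical_id: [reasons]} for each DocDB cluster in a parsed
    CloudFormation template that would not produce an audit trail."""
    resources = template.get("Resources", {})
    findings = {}
    for logical_id, res in resources.items():
        if res.get("Type") != DOCDB_CLUSTER:
            continue
        props = res.get("Properties", {})
        reasons = []
        exports = props.get("EnableCloudwatchLogsExports", [])
        if not isinstance(exports, list) or "audit" not in exports:
            reasons.append("EnableCloudwatchLogsExports does not include 'audit'")
        if not _audit_param_enabled(resources, props.get("DBClusterParameterGroupName")):
            reasons.append("cluster parameter group does not set audit_logs=enabled")
        if reasons:
            findings[logical_id] = reasons
    return findings

# Constructed sample template (JSON form): one compliant cluster and one that
# relies on defaults and therefore has no audit trail.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "AuditParams": {"Type": "AWS::DocDB::DBClusterParameterGroup",
      "Properties": {"Family": "docdb4.0", "Description": "audit on",
                     "Parameters": {"audit_logs": "enabled"}}},
    "GoodExample": {"Type": "AWS::DocDB::DBCluster",
      "Properties": {"DBClusterParameterGroupName": {"Ref": "AuditParams"},
                     "EnableCloudwatchLogsExports": ["audit", "profiler"]}},
    "BadExample": {"Type": "AWS::DocDB::DBCluster",
      "Properties": {"DBClusterParameterGroupName": "default.docdb3.6"}}
  }
}""")
```

Running `check_docdb_audit(SAMPLE_TEMPLATE)` reports only BadExample, with both reasons.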