HIGH
Source
Trivy
ID
AVD-AWS-0021

DocumentDB storage must be encrypted

Encryption of the underlying storage used by DocumentDB ensures that if the disks, or the backups and snapshots taken from them, are compromised, the data is still protected. The encryption setting is fixed when the cluster is created: an existing unencrypted cluster cannot be switched to encrypted in place, so changing StorageEncrypted (CloudFormation) or storage_encrypted (Terraform) on an existing cluster replaces it. To migrate data from an unencrypted cluster, take a snapshot and restore it into a new cluster created with encryption enabled.

Impact

Unencrypted sensitive data is vulnerable to compromise.

Follow the appropriate remediation steps below to resolve the issue.

Enable storage encryption (CloudFormation)

Resources:
  GoodExample:
    Type: AWS::DocDB::DBCluster
    Properties:
      BackupRetentionPeriod: 8
      DBClusterIdentifier: sample-cluster
      DBClusterParameterGroupName: default.docdb3.6
      EnableCloudwatchLogsExports:
        - audit
        - profiler
      # KmsKeyId is optional; without it the cluster is encrypted with the
      # AWS managed key for DocumentDB. StorageEncrypted must be set at
      # creation time and cannot be changed afterwards without replacement.
      KmsKeyId: your-kms-key-id
      StorageEncrypted: true

  InstanceExample:
    Type: AWS::DocDB::DBInstance
    Properties:
      AutoMinorVersionUpgrade: true
      AvailabilityZone: us-east-1c
      # Instances inherit encryption from the cluster they belong to.
      DBClusterIdentifier: sample-cluster
      DBInstanceClass: db.r5.large
      DBInstanceIdentifier: sample-cluster-instance-0
      PreferredMaintenanceWindow: sat:06:54-sat:07:24

Enable storage encryption (Terraform)

resource "aws_docdb_cluster" "good_example" {
  cluster_identifier      = "my-docdb-cluster"
  engine                  = "docdb"
  master_username         = "foo"
  # Literal credentials are for illustration only; in real code source the
  # password from a variable or secret store rather than the configuration.
  master_password         = "mustbeeightchars"
  backup_retention_period = 5
  preferred_backup_window = "07:00-09:00"
  skip_final_snapshot     = true
  # storage_encrypted forces a new cluster when changed. Add kms_key_id to
  # use a customer managed key; otherwise the AWS managed key is used.
  storage_encrypted       = true
}
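The check behind this finding is the same for both remediation forms above: locate every DocumentDB cluster definition and confirm its storage-encryption flag is set. The script below is an added example, not Trivy's own implementation or the AVD page's code. It evaluates the CloudFormation form (a parsed template dictionary, including the string and intrinsic-function values CloudFormation accepts), the Terraform form (the JSON produced by `terraform show -json` for a plan, walking child modules), and, because encryption cannot be enabled in place, the output of `aws docdb describe-db-clusters` so already-deployed unencrypted clusters are found as well. All inputs are constructed inline; resource names, the `EncryptStorage` parameter and the `legacy` module are assumptions for the example.

```python
"""Offline checks for AVD-AWS-0021: flag DocumentDB clusters whose storage is not encrypted.

Added example, not Trivy's implementation. Inputs are constructed in-memory stand-ins
for a parsed CloudFormation template, a `terraform show -json` plan, and an
`aws docdb describe-db-clusters` response.
"""
from typing import Any, Dict, List

CFN_TYPE = "AWS::DocDB::DBCluster"
TF_TYPE = "aws_docdb_cluster"


def classify(value: Any) -> str:
    """Map a storage-encryption property value to 'pass', 'fail' or 'unknown'."""
    if value is None:
        return "fail"            # property omitted: DocumentDB defaults to unencrypted
    if isinstance(value, bool):
        return "pass" if value else "fail"
    if isinstance(value, str):   # CloudFormation also accepts the string "true"
        return "pass" if value.strip().lower() == "true" else "fail"
    if isinstance(value, dict):  # intrinsic such as {"Ref": ...}: needs the parameter value
        return "unknown"
    return "fail"


def check_cfn_template(template: Dict[str, Any]) -> Dict[str, str]:
    """Verdict per AWS::DocDB::DBCluster logical ID in a parsed CloudFormation template."""
    verdicts: Dict[str, str] = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") == CFN_TYPE:
            props = resource.get("Properties") or {}
            verdicts[logical_id] = classify(props.get("StorageEncrypted"))
    return verdicts


def check_tf_plan(plan: Dict[str, Any]) -> Dict[str, str]:
    """Verdict per aws_docdb_cluster address in a `terraform show -json` plan."""
    verdicts: Dict[str, str] = {}

    def walk(module: Dict[str, Any]) -> None:
        for res in module.get("resources", []):
            if res.get("type") == TF_TYPE:
                values = res.get("values") or {}
                verdicts[res["address"]] = classify(values.get("storage_encrypted"))
        for child in module.get("child_modules", []):
            walk(child)

    walk(plan.get("planned_values", {}).get("root_module", {}))
    return verdicts


def unencrypted_live_clusters(describe_response: Dict[str, Any]) -> List[str]:
    """Identifiers of existing clusters with StorageEncrypted false (describe-db-clusters output)."""
    return [
        c["DBClusterIdentifier"]
        for c in describe_response.get("DBClusters", [])
        if not c.get("StorageEncrypted", False)
    ]


# Constructed sample inputs (not real account data).
CFN_TEMPLATE = {
    "Resources": {
        "GoodExample": {"Type": CFN_TYPE, "Properties": {"StorageEncrypted": True, "KmsKeyId": "your-kms-key-id"}},
        "BadExample": {"Type": CFN_TYPE, "Properties": {"DBClusterIdentifier": "legacy"}},
        "ParamExample": {"Type": CFN_TYPE, "Properties": {"StorageEncrypted": {"Ref": "EncryptStorage"}}},
        "Instance": {"Type": "AWS::DocDB::DBInstance", "Properties": {"DBInstanceClass": "db.r5.large"}},
    }
}

TF_PLAN = {
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_docdb_cluster.good_example", "type": TF_TYPE,
                 "values": {"storage_encrypted": True}},
            ],
            "child_modules": [
                {"address": "module.legacy", "resources": [
                    {"address": "module.legacy.aws_docdb_cluster.old", "type": TF_TYPE,
                     "values": {"storage_encrypted": False}},
                ]}
            ],
        }
    }
}

DESCRIBE_RESPONSE = {
    "DBClusters": [
        {"DBClusterIdentifier": "sample-cluster", "StorageEncrypted": True},
        {"DBClusterIdentifier": "legacy-cluster", "StorageEncrypted": False},
    ]
}

if __name__ == "__main__":
    print(check_cfn_template(CFN_TEMPLATE))
    print(check_tf_plan(TF_PLAN))
    print(unencrypted_live_clusters(DESCRIBE_RESPONSE))
```

A cluster whose flag comes from a `Ref` is reported as `unknown` rather than passed, since the verdict depends on the parameter value supplied at deploy time; treat those as findings until the resolved template is checked.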