DocumentDB storage must be encrypted
Encrypting the underlying storage used by DocumentDB ensures that if the disks themselves are compromised, the data on them is still protected.
Impact
Unencrypted sensitive data is vulnerable to compromise.
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Enable storage encryption (CloudFormation)

  Resources:
    GoodExample:
      Type: "AWS::DocDB::DBCluster"
      Properties:
        BackupRetentionPeriod: 8
        DBClusterIdentifier: "sample-cluster"
        DBClusterParameterGroupName: "default.docdb3.6"
        KmsKeyId: "your-kms-key-id"
        StorageEncrypted: true
        EnableCloudwatchLogsExports:
          - audit
          - profiler
    InstanceInstanceExample:
      Type: "AWS::DocDB::DBInstance"
      Properties:
        AutoMinorVersionUpgrade: true
        AvailabilityZone: "us-east-1c"
        DBClusterIdentifier: "sample-cluster"
        DBInstanceClass: "db.r5.large"
        DBInstanceIdentifier: "sample-cluster-instance-0"
        PreferredMaintenanceWindow: "sat:06:54-sat:07:24"
Enable storage encryption (Terraform)

  resource "aws_docdb_cluster" "good_example" {
    cluster_identifier      = "my-docdb-cluster"
    engine                  = "docdb"
    master_username         = "foo"
    master_password         = "mustbeeightchars"
    backup_retention_period = 5
    preferred_backup_window = "07:00-09:00"
    skip_final_snapshot     = true
    storage_encrypted       = true
  }
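Both remediation snippets above rely on a single setting, and in both CloudFormation and Terraform that setting defaults to false when omitted, so a cluster definition that never mentions it is just as exposed as one that sets it to false. The following is an added example, not part of the check or its documentation: a small offline audit that walks a CloudFormation template (in its JSON form, loaded as a dict) and a Terraform file and reports every DocumentDB cluster whose storage encryption is absent, false, or the string "false". The sample template and HCL embedded in it are constructed for this example; the Terraform scanner is a brace-counting helper written here, not an HCL parser.

```python
"""Offline audit of DocumentDB cluster definitions for storage encryption.

Added example, not part of the tfsec check or its documentation. It scans a
CloudFormation template (JSON form, loaded as a dict) and a Terraform file
(HCL text) and reports every AWS::DocDB::DBCluster / aws_docdb_cluster that
does not set storage encryption to true. The sample inputs are constructed.
"""
import json
import re

CFN_DOCDB_CLUSTER = "AWS::DocDB::DBCluster"


def _is_true(value) -> bool:
    """CloudFormation accepts booleans as JSON true or the strings "true"/"True"."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def unencrypted_cfn_clusters(template: dict) -> list[str]:
    """Logical IDs of DocDB clusters whose StorageEncrypted is absent or not true.

    The property defaults to false when omitted, so a missing key is a finding.
    DBInstance resources are skipped: encryption is a cluster-level property.
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != CFN_DOCDB_CLUSTER:
            continue
        props = resource.get("Properties") or {}
        if not _is_true(props.get("StorageEncrypted")):
            findings.append(logical_id)
    return findings


_RESOURCE_HEADER = re.compile(r'resource\s+"aws_docdb_cluster"\s+"([^"]+)"\s*\{')
_STORAGE_ENCRYPTED = re.compile(r"^\s*storage_encrypted\s*=\s*(true|false)\s*$", re.MULTILINE)


def _block_body(text: str, open_brace: int) -> str:
    """Text between the '{' at open_brace and its matching '}' (simple brace counting)."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in Terraform source")


def unencrypted_tf_clusters(hcl: str) -> list[str]:
    """Names of aws_docdb_cluster resources without storage_encrypted = true.

    Terraform's aws_docdb_cluster also defaults storage_encrypted to false, so
    a missing attribute is reported, as is an explicit false. The whole resource
    body is searched; nested blocks such as tags = {...} are included in it.
    """
    findings = []
    for header in _RESOURCE_HEADER.finditer(hcl):
        body = _block_body(hcl, header.end() - 1)
        match = _STORAGE_ENCRYPTED.search(body)
        if match is None or match.group(1) != "true":
            findings.append(header.group(1))
    return findings


# Constructed sample template: one compliant cluster, one relying on the default,
# one with the string "false", and an instance that must be ignored.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "EncryptedCluster": {
      "Type": "AWS::DocDB::DBCluster",
      "Properties": {"DBClusterIdentifier": "sample-cluster", "StorageEncrypted": true}
    },
    "DefaultCluster": {
      "Type": "AWS::DocDB::DBCluster",
      "Properties": {"DBClusterIdentifier": "legacy-cluster"}
    },
    "ExplicitFalse": {
      "Type": "AWS::DocDB::DBCluster",
      "Properties": {"StorageEncrypted": "false"}
    },
    "Instance": {
      "Type": "AWS::DocDB::DBInstance",
      "Properties": {"DBClusterIdentifier": "sample-cluster"}
    }
  }
}
""")

# Constructed sample Terraform: compliant, attribute omitted, and explicit false.
SAMPLE_HCL = '''
resource "aws_docdb_cluster" "good" {
  cluster_identifier = "good-cluster"
  storage_encrypted  = true
  tags = { team = "data" }
}

resource "aws_docdb_cluster" "missing" {
  cluster_identifier = "missing-cluster"
}

resource "aws_docdb_cluster" "off" {
  cluster_identifier = "off-cluster"
  storage_encrypted  = false
}
'''

if __name__ == "__main__":
    print("CloudFormation findings:", unencrypted_cfn_clusters(SAMPLE_TEMPLATE))
    print("Terraform findings:", unencrypted_tf_clusters(SAMPLE_HCL))
```

Run on the samples it reports DefaultCluster and ExplicitFalse for the template and missing and off for the Terraform file. One caveat worth keeping in mind when acting on a finding: the storage encryption setting is fixed when a DocumentDB cluster is created (CloudFormation replaces the cluster on change, and the Terraform provider forces a new resource), so fixing it in code means a new encrypted cluster and a data migration, not an in-place update.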
Links