Ensure DocumentDB is encrypted at rest

Error: DocumentDB is not encrypted at rest

Bridgecrew Policy ID: BC_AWS_GENERAL_28
Checkov Check ID: CKV_AWS_74
Severity: MEDIUM

DocumentDB is not encrypted at rest


The encryption-at-rest feature for Amazon DocumentDB clusters adds a layer of data protection by securing your data against unauthorized access to the underlying storage (for example, a copied volume or a snapshot exfiltrated to another account).

Amazon DocumentDB encrypts clusters with keys managed through the AWS Key Management Service (KMS), either the AWS managed key for DocumentDB or a customer managed key you specify. On an encrypted cluster, data stored at rest in the underlying storage is encrypted, as are its automated backups, snapshots, and replicas in the same cluster. Encryption is chosen when the cluster is created and cannot be turned on afterwards, so this check fails any cluster created without it.

Fix - Runtime


  1. Create an Amazon DocumentDB cluster.
  2. Under the Authentication section, choose Show advanced settings.
  3. Scroll down to the Encryption-at-rest section.
  4. Choose the option that you want for encryption at rest. Whichever option you choose, you can't change it after the cluster is created. To encrypt data at rest in this cluster, choose Enable encryption and, optionally, select a customer managed KMS key instead of the default AWS managed key.

An existing unencrypted cluster cannot be converted in place. To remediate it, take a snapshot, restore the snapshot into a new cluster while specifying a KMS key (the restore produces an encrypted cluster), add instances to the new cluster, and then repoint clients before deleting the old one.

CLI Command

The command as shown on this page without --storage-encrypted creates an unencrypted cluster; the flag must be present at creation time:

aws docdb create-db-cluster \
      --db-cluster-identifier sample-cluster \
      --port 27017 \
      --engine docdb \
      --master-username yourMasterUsername \
      --master-user-password yourMasterPassword \
      --storage-encrypted \
      --kms-key-id <your-kms-key-arn-or-alias>

--kms-key-id is optional; omit it to use the AWS managed key for DocumentDB. Passing the master password as a literal argument leaves it in shell history, so prefer reading it from a restricted file (for example --master-user-password file://secret.txt) or a secrets manager.
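The console and CLI steps above only cover new clusters. The following is an added example (not code from Bridgecrew, Checkov, or the AWS documentation) that audits clusters that already exist: it evaluates the response shape of aws docdb describe-db-clusters (the same shape boto3's docdb client returns) and prints the snapshot-and-restore commands for any unencrypted cluster, since encryption cannot be enabled in place. SAMPLE_RESPONSE is constructed; the cluster identifiers, the KMS key ARN and the snapshot/cluster names built by remediation_commands are assumptions for the example.

```python
"""Audit existing Amazon DocumentDB clusters for encryption at rest.

Added example (not from the Bridgecrew/Checkov docs). Evaluates the JSON shape
returned by `aws docdb describe-db-clusters` / boto3 `describe_db_clusters`,
so it runs offline against the constructed SAMPLE_RESPONSE; replace that with
a live call (boto3.client("docdb").describe_db_clusters()) to audit an account.
"""
import json
from typing import Dict, List

# Constructed sample in the shape of describe-db-clusters output.
# The identifiers and the KMS key ARN are made up for the example.
SAMPLE_RESPONSE: Dict = {
    "DBClusters": [
        {"DBClusterIdentifier": "sample-cluster", "Engine": "docdb",
         "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
        {"DBClusterIdentifier": "legacy-cluster", "Engine": "docdb",
         "StorageEncrypted": False},
        # No StorageEncrypted field at all: treated as unencrypted (fail closed).
        {"DBClusterIdentifier": "odd-cluster", "Engine": "docdb"},
        # describe-db-clusters can list other engines in the same account; ignored.
        {"DBClusterIdentifier": "graph-cluster", "Engine": "neptune",
         "StorageEncrypted": False},
    ]
}


def unencrypted_docdb_clusters(response: Dict) -> List[str]:
    """Return sorted identifiers of DocumentDB clusters whose storage is not encrypted.

    Only Engine == "docdb" is considered (the AWS docs recommend the same filter:
    --filter Name=engine,Values=docdb). A missing StorageEncrypted flag counts as
    unencrypted so that an unexpected response shape cannot hide a finding.
    """
    failing = []
    for cluster in response.get("DBClusters", []):
        if cluster.get("Engine") != "docdb":
            continue
        if cluster.get("StorageEncrypted") is not True:
            failing.append(cluster["DBClusterIdentifier"])
    return sorted(failing)


def remediation_commands(cluster_id: str, kms_key_id: str) -> List[str]:
    """CLI steps that replace an unencrypted cluster with an encrypted copy.

    Encryption cannot be switched on in place: snapshot the cluster, restore the
    snapshot into a new cluster with --kms-key-id (the restore encrypts it),
    then verify. The restored cluster has no instances yet; add them with
    `aws docdb create-db-instance` before repointing clients.
    Snapshot and new-cluster names are derived from cluster_id (assumed naming).
    """
    snapshot = f"{cluster_id}-pre-encrypt"
    new_cluster = f"{cluster_id}-encrypted"
    return [
        f"aws docdb create-db-cluster-snapshot --db-cluster-identifier {cluster_id} "
        f"--db-cluster-snapshot-identifier {snapshot}",
        f"aws docdb restore-db-cluster-from-snapshot --db-cluster-identifier {new_cluster} "
        f"--snapshot-identifier {snapshot} --engine docdb --kms-key-id {kms_key_id}",
        f"aws docdb describe-db-clusters --db-cluster-identifier {new_cluster} "
        "--query 'DBClusters[0].StorageEncrypted'",
    ]


def report(response: Dict, kms_key_id: str) -> Dict[str, List[str]]:
    """Map each failing cluster to its remediation commands."""
    return {cid: remediation_commands(cid, kms_key_id)
            for cid in unencrypted_docdb_clusters(response)}


if __name__ == "__main__":
    # "alias/docdb-at-rest" is an assumed KMS alias for the example.
    print(json.dumps(report(SAMPLE_RESPONSE, "alias/docdb-at-rest"), indent=2))
```

Run it against the sample to see two findings (legacy-cluster and odd-cluster) with three commands each; the Neptune cluster is skipped because the policy is scoped to DocumentDB.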

Fix - Buildtime


  • Resource: aws_docdb_cluster
  • Arguments: storage_encrypted - Specifies whether the DB cluster is encrypted. The provider default is false, so an omitted attribute fails this check as well as an explicit false. Changing the value on an existing cluster forces a replacement. kms_key_id (optional) selects a customer managed KMS key; without it the AWS managed key is used.
resource "aws_docdb_cluster" "example" {
  cluster_identifier = "docdb-cluster-demo"
+ storage_encrypted  = true                    # default is false; changing it replaces the cluster
+ kms_key_id         = aws_kms_key.docdb.arn   # optional; aws_kms_key.docdb is an assumed key resource
}
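To make the pass/fail rules of the buildtime check concrete, here is an added example (not Checkov's own implementation of CKV_AWS_74) that scans Terraform source for aws_docdb_cluster blocks and classifies each one by its storage_encrypted attribute: a literal true passes, an explicit false or an omitted attribute fails (the provider default is false), and a variable or expression is reported as UNKNOWN because it can only be resolved at plan time. SAMPLE_TF is constructed. In real use, run checkov -d . --check CKV_AWS_74 instead; this scanner deliberately handles only the one attribute and strips # and // line comments naively.

```python
"""Minimal buildtime scan for storage_encrypted on aws_docdb_cluster.

Added example, not the Checkov CKV_AWS_74 implementation. Brace-matches each
resource "aws_docdb_cluster" block (so nested blocks such as timeouts {} do not
end the search early) and classifies the storage_encrypted attribute.
"""
import re
from typing import Dict

# Constructed Terraform sample covering the four cases the check distinguishes.
SAMPLE_TF = '''
resource "aws_docdb_cluster" "good" {
  cluster_identifier = "docdb-good"
  storage_encrypted  = true
  kms_key_id         = aws_kms_key.docdb.arn
}

resource "aws_docdb_cluster" "explicit_off" {
  cluster_identifier = "docdb-off"
  storage_encrypted  = false   # encryption disabled
}

resource "aws_docdb_cluster" "omitted" {
  cluster_identifier = "docdb-default"
  # storage_encrypted = true   <- commented out, so the provider default (false) applies
  timeouts {
    create = "30m"
  }
}

resource "aws_docdb_cluster" "from_var" {
  cluster_identifier = "docdb-var"
  storage_encrypted  = var.encrypt_at_rest
}

resource "aws_kms_key" "docdb" {}
'''

BLOCK_START = re.compile(r'resource\s+"aws_docdb_cluster"\s+"([^"]+)"\s*\{')
ATTR = re.compile(r'^\s*storage_encrypted\s*=\s*(\S+)', re.MULTILINE)


def _strip_comments(text: str) -> str:
    # Drop '#' and '//' line comments so a commented-out attribute is not counted.
    # Naive on purpose: a '#' or '//' inside a quoted string would also be cut.
    return re.sub(r'(#|//).*', '', text)


def docdb_blocks(tf: str) -> Dict[str, str]:
    """Map resource name -> body text of each aws_docdb_cluster block."""
    text = _strip_comments(tf)
    blocks: Dict[str, str] = {}
    for m in BLOCK_START.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        blocks[m.group(1)] = text[m.end():i - 1]  # body without the closing brace
    return blocks


def check_storage_encrypted(body: str) -> str:
    """PASSED for a literal true; FAILED for false or omitted; UNKNOWN otherwise."""
    m = ATTR.search(body)
    if m is None:
        return "FAILED"  # attribute omitted: provider default is false
    value = m.group(1).strip().strip('"').lower()
    if value == "true":
        return "PASSED"
    if value == "false":
        return "FAILED"
    return "UNKNOWN"  # var.x / expression: resolve against the plan, not the source


def scan(tf: str) -> Dict[str, str]:
    """Classify every aws_docdb_cluster block in the given Terraform text."""
    return {name: check_storage_encrypted(body) for name, body in docdb_blocks(tf).items()}


if __name__ == "__main__":
    for name, result in scan(SAMPLE_TF).items():
        print(f"aws_docdb_cluster.{name}: {result}")
```

The aws_kms_key resource in the sample is ignored, which is the point of matching on the resource type rather than on the attribute name alone; a kms_key_id without storage_encrypted = true still fails.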