Ensure DocumentDB is encrypted at rest

Error: DocumentDB is not encrypted at rest

Bridgecrew Policy ID: BC_AWS_GENERAL_28
Checkov Check ID: CKV_AWS_74
Severity: MEDIUM

Description

The encryption feature available for Amazon DocumentDB clusters provides an additional layer of data protection by helping secure your data against unauthorized access to the underlying storage.

Amazon DocumentDB allows you to encrypt your clusters using keys managed through the AWS Key Management Service (KMS). On a cluster running with Amazon DocumentDB encryption, data stored at rest in the underlying storage is encrypted, as are its automated backups, snapshots, and replicas in the same cluster.

Fix - Runtime

Procedure

  1. Create an Amazon DocumentDB cluster.
  2. Under the Authentication section, choose Show advanced settings.
  3. Scroll down to the Encryption-at-rest section.
  4. Choose the option that you want for encryption at rest. Whichever option you choose, you can't change it after the cluster is created.

To encrypt data at rest in this cluster, choose Enable encryption.

CLI Command

aws docdb create-db-cluster \
      --db-cluster-identifier sample-cluster \
      --port 27017 \
      --engine docdb \
      --master-username yourMasterUsername \
      --master-user-password yourMasterPassword \
      --storage-encrypted
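Because encryption at rest is fixed at creation time, the runtime question is usually "which existing clusters were created without it?". The script below is an added example, not part of the original page or of the Bridgecrew/Checkov tooling: it evaluates the JSON shape returned by `aws docdb describe-db-clusters` (field names `DBClusters`, `DBClusterIdentifier`, `Engine`, `StorageEncrypted` are taken from the DocumentDB API; the sample data, account number and key id are constructed placeholders) and lists every DocumentDB cluster whose `StorageEncrypted` flag is false. The optional `fetch_clusters_live` helper uses boto3 and is an assumption about how you would wire it to a real account.

```python
import json

# Constructed sample shaped like `aws docdb describe-db-clusters` output.
# Not real account data; the account id and KMS key id are placeholders.
SAMPLE_DESCRIBE_OUTPUT = json.loads('''
{
  "DBClusters": [
    {
      "DBClusterIdentifier": "sample-cluster",
      "Engine": "docdb",
      "StorageEncrypted": true,
      "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
    },
    {
      "DBClusterIdentifier": "legacy-cluster",
      "Engine": "docdb",
      "StorageEncrypted": false
    },
    {
      "DBClusterIdentifier": "aurora-cluster",
      "Engine": "aurora-postgresql",
      "StorageEncrypted": false
    }
  ]
}
''')


def find_unencrypted_clusters(describe_output):
    """Return the sorted identifiers of DocumentDB clusters that are not
    encrypted at rest.

    Only clusters whose Engine is "docdb" are considered: the describe call is
    shared with the RDS-style API and can return non-DocumentDB clusters, which
    belong to a different policy check.
    """
    findings = []
    for cluster in describe_output.get("DBClusters", []):
        if cluster.get("Engine") != "docdb":
            continue
        # A missing flag is treated as unencrypted rather than silently passing.
        if not cluster.get("StorageEncrypted", False):
            findings.append(cluster["DBClusterIdentifier"])
    return sorted(findings)


def fetch_clusters_live(region_name=None):
    """Collect all DBClusters from a live account with boto3 (assumed wiring;
    needs AWS credentials and the boto3 package). Follows the Marker token
    so large accounts are fully paginated."""
    import boto3  # imported lazily so the offline example runs without it

    client = boto3.client("docdb", region_name=region_name)
    clusters, kwargs = [], {}
    while True:
        page = client.describe_db_clusters(**kwargs)
        clusters.extend(page.get("DBClusters", []))
        if not page.get("Marker"):
            return {"DBClusters": clusters}
        kwargs["Marker"] = page["Marker"]


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_clusters_live()
    # to audit an account. Each finding needs a new, encrypted cluster, since
    # the setting cannot be changed on the existing one.
    for cluster_id in find_unencrypted_clusters(SAMPLE_DESCRIBE_OUTPUT):
        print(f"CKV_AWS_74 FAILED: {cluster_id} is not encrypted at rest")
```

The engine filter matters in practice: without it, the same report would flag the Aurora cluster in the sample, which is a different resource type with its own check.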

Fix - Buildtime

Terraform

  • Resource: aws_docdb_cluster
  • Arguments: storage_encrypted - Specifies whether the DB cluster is encrypted.

resource "aws_docdb_cluster" "example" {
  ...
  cluster_identifier = "docdb-cluster-demo"
+ storage_encrypted  = true
  ...
}
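To see how a buildtime check of this kind evaluates the Terraform above, here is an added example (not Checkov's own implementation and not from the page): it pulls every `aws_docdb_cluster` block out of a Terraform file with a small regex parser, stores each block's attributes as `{name: [value]}` (an assumption modelled on the shape Checkov hands its resource checks), and applies the CKV_AWS_74 rule. It covers the three cases a reviewer cares about: `storage_encrypted = true`, `storage_encrypted = false`, and the attribute omitted entirely, which fails because the Terraform default is false. The sample HCL is constructed.

```python
import re

# Constructed sample Terraform: one compliant cluster, two non-compliant ones,
# and an unrelated resource type that the check must ignore.
SAMPLE_HCL = '''
resource "aws_docdb_cluster" "encrypted" {
  cluster_identifier = "docdb-cluster-demo"
  engine             = "docdb"
  storage_encrypted  = true
}

resource "aws_docdb_cluster" "explicit_off" {
  cluster_identifier = "docdb-cluster-legacy"
  storage_encrypted  = false
}

resource "aws_docdb_cluster" "omitted" {
  cluster_identifier = "docdb-cluster-default"
}

resource "aws_db_instance" "unrelated" {
  storage_encrypted = false
}
'''

# Matches a top-level aws_docdb_cluster resource block up to its closing brace.
_BLOCK_RE = re.compile(
    r'resource\s+"aws_docdb_cluster"\s+"(?P<name>[\w-]+)"\s*\{(?P<body>.*?)^\}',
    re.DOTALL | re.MULTILINE,
)
# Matches flat `key = value` lines inside a block (nested blocks are not needed here).
_ATTR_RE = re.compile(r'^\s*(?P<key>\w+)\s*=\s*(?P<value>[^#\n]+?)\s*$', re.MULTILINE)


def parse_docdb_clusters(hcl_text):
    """Return {resource_name: {attribute: [raw_value]}} for each aws_docdb_cluster.
    Quoted strings are unquoted; booleans stay as the text 'true'/'false'."""
    clusters = {}
    for block in _BLOCK_RE.finditer(hcl_text):
        conf = {}
        for attr in _ATTR_RE.finditer(block.group("body")):
            conf[attr.group("key")] = [attr.group("value").strip().strip('"')]
        clusters[block.group("name")] = conf
    return clusters


def check_storage_encrypted(conf):
    """CKV_AWS_74-style evaluation of one resource's attribute dict.
    Accepts a Python bool or the HCL text form; an absent attribute fails
    because storage_encrypted defaults to false in the Terraform provider."""
    raw = conf.get("storage_encrypted")
    if not raw:
        return "FAILED"
    value = raw[0]
    if isinstance(value, bool):
        return "PASSED" if value else "FAILED"
    return "PASSED" if str(value).strip().lower() == "true" else "FAILED"


def scan_hcl(hcl_text):
    """Map every aws_docdb_cluster resource name to its PASSED/FAILED result."""
    return {
        name: check_storage_encrypted(conf)
        for name, conf in parse_docdb_clusters(hcl_text).items()
    }


if __name__ == "__main__":
    for name, result in scan_hcl(SAMPLE_HCL).items():
        print(f"aws_docdb_cluster.{name}: {result}")
```

The "omitted" case is the one most often missed in hand review: the resource looks harmless because nothing is set to false, yet the cluster is created unencrypted and, as the Runtime section notes, cannot be switched afterwards.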