Ensure DocDB TLS is not disabled

Error: DocDB TLS is disabled

Bridgecrew Policy ID: BC_AWS_NETWORKING_37
Checkov Check ID: CKV_AWS_90
Severity: MEDIUM


Description

TLS encrypts the connection between an application and an Amazon DocumentDB cluster. Encryption in transit is enabled by default for newly created clusters, but it can be disabled, at creation time or later, through the `tls` parameter of the cluster parameter group. When enabled, clients must connect to the cluster over TLS.

Fix - Runtime

AWS Console

  1. Sign in to the AWS Management Console, and open the Amazon DocumentDB console at https://console.aws.amazon.com/docdb.
  2. In the left navigation pane, choose Clusters.
  3. In the list of clusters, select the name of your cluster.
  4. The resulting page shows the details of the cluster that you selected. Scroll down to Cluster details. At the bottom of that section, locate the parameter group's name below Cluster parameter group.

CLI Command

aws docdb describe-db-clusters \
    --db-cluster-identifier sample-cluster \
    --query 'DBClusters[*].[DBClusterIdentifier,DBClusterParameterGroup]'

Fix - Buildtime

Terraform

  • Resource: aws_docdb_cluster_parameter_group
  • Argument: parameter - (Optional) A list of DocumentDB parameters to apply.
resource "aws_docdb_cluster_parameter_group" "example" {
  ...
  name        = "example"
+ parameter {
+   name  = "tls"
+   value = "enabled"
+  }
}

CloudFormation

  • Resource: AWS::DocDB::DBClusterParameterGroup
  • Argument: Parameters.tls
Resources:
  DocDBParameterGroupEnabled:
    Type: AWS::DocDB::DBClusterParameterGroup
    Properties:
      ...
      Parameters:
        ...
-       tls: "disabled"
+       tls: "enabled"
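The runtime CLI command above only returns the parameter group name; the actual `tls` value has to be read from that group. The following script is an added example (not Bridgecrew's, Checkov's or AWS's code) that applies the same rule as this policy, "fail only when `tls` is explicitly `disabled`, treat an absent `tls` parameter as the service default of enabled", to data shaped like the `describe-db-clusters` and `describe-db-cluster-parameters` responses (runtime) and to Terraform-style `parameter` blocks (buildtime). The cluster names, parameter group names and parameter lists are constructed sample data, and the function names are this example's own.

```python
"""Audit DocumentDB cluster parameter groups for a disabled 'tls' parameter.

Added example. SAMPLE_CLUSTERS mimics `aws docdb describe-db-clusters` output
(DBClusters[*]) and SAMPLE_PARAMETERS mimics `aws docdb describe-db-cluster-parameters`
output (Parameters[*]) per parameter group; both are constructed, not real accounts.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: three clusters, each attached to a parameter group.
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "sample-cluster", "DBClusterParameterGroup": "custom-tls-off"},
    {"DBClusterIdentifier": "orders-cluster", "DBClusterParameterGroup": "custom-tls-on"},
    {"DBClusterIdentifier": "legacy-cluster", "DBClusterParameterGroup": "custom-no-tls-entry"},
]

# Constructed sample: only the fields this check reads are included.
SAMPLE_PARAMETERS: Dict[str, List[dict]] = {
    "custom-tls-off": [
        {"ParameterName": "tls", "ParameterValue": "disabled", "ApplyType": "static"},
        {"ParameterName": "audit_logs", "ParameterValue": "disabled", "ApplyType": "dynamic"},
    ],
    "custom-tls-on": [
        {"ParameterName": "tls", "ParameterValue": "enabled", "ApplyType": "static"},
    ],
    # A group that never sets 'tls': the service default (enabled) applies.
    "custom-no-tls-entry": [
        {"ParameterName": "audit_logs", "ParameterValue": "enabled", "ApplyType": "dynamic"},
    ],
}


@dataclass
class Finding:
    cluster_id: str
    parameter_group: str
    tls_value: str
    result: str  # "PASSED" or "FAILED", mirroring Checkov's result vocabulary


def tls_setting(parameters: List[dict], name_key="ParameterName", value_key="ParameterValue") -> str:
    """Return the effective 'tls' value, normalised to lower case.

    An absent parameter is reported as 'enabled' because encryption in transit is
    the default for new clusters; only an explicit 'disabled' is a finding.
    """
    for param in parameters:
        if param.get(name_key) == "tls":
            return str(param.get(value_key) or "enabled").strip().lower()
    return "enabled"


def evaluate_cluster(cluster: dict, parameters_by_group: Dict[str, List[dict]]) -> Finding:
    """Resolve a cluster's parameter group and decide PASSED/FAILED for the tls parameter."""
    group = cluster["DBClusterParameterGroup"]
    value = tls_setting(parameters_by_group.get(group, []))
    return Finding(cluster["DBClusterIdentifier"], group, value,
                   "FAILED" if value == "disabled" else "PASSED")


def audit(clusters: List[dict], parameters_by_group: Dict[str, List[dict]]) -> List[Finding]:
    return [evaluate_cluster(c, parameters_by_group) for c in clusters]


def failing_clusters(clusters: List[dict], parameters_by_group: Dict[str, List[dict]]) -> List[str]:
    return [f.cluster_id for f in audit(clusters, parameters_by_group) if f.result == "FAILED"]


def buildtime_result(parameter_blocks: List[dict]) -> str:
    """Same rule applied to Terraform-style `parameter { name = ... value = ... }` blocks."""
    value = tls_setting(parameter_blocks, name_key="name", value_key="value")
    return "FAILED" if value == "disabled" else "PASSED"


def remediation_command(finding: Finding) -> str:
    """Build the CLI call that re-enables TLS on the offending parameter group.

    'tls' is a static parameter, so the change is applied with pending-reboot and
    takes effect once the cluster's instances are rebooted.
    """
    return ("aws docdb modify-db-cluster-parameter-group "
            f"--db-cluster-parameter-group-name {finding.parameter_group} "
            "--parameters ParameterName=tls,ParameterValue=enabled,ApplyMethod=pending-reboot")


if __name__ == "__main__":
    for finding in audit(SAMPLE_CLUSTERS, SAMPLE_PARAMETERS):
        print(f"{finding.cluster_id}: tls={finding.tls_value} -> {finding.result}")
        if finding.result == "FAILED":
            print("  remediate with:", remediation_command(finding))
```

In a real account the two sample structures would be filled from `aws docdb describe-db-clusters` and, for each distinct parameter group name, `aws docdb describe-db-cluster-parameters --db-cluster-parameter-group-name <group>`; the decision logic stays the same.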