Ensure DocDB has audit logs enabled

Error: DocDB does not have audit logs enabled

Bridgecrew Policy ID: BC_AWS_GENERAL_74
Checkov Check ID: CKV_AWS_104
Severity: LOW

Description

Enabling audit logs for Amazon DocumentDB (DocDB) lets you monitor and track activity within your DocDB cluster. Audit logs provide a record of database activity, including details about the activity itself (for example, which database was accessed and what type of operation was performed), as well as information about the user or application that initiated it.

Fix - Buildtime

Terraform

  • Resource: aws_docdb_cluster_parameter_group
  • Argument: parameter.audit_logs
resource "aws_docdb_cluster_parameter_group" "test" {
  ...
+  parameter {
+    name  = "audit_logs"
+    value = "enabled"
+  }
}

CloudFormation

  • Resource: AWS::DocDB::DBClusterParameterGroup
  • Argument: Parameters.audit_logs
Resources:
  DocDBParameterGroupEnabled:
    Type: "AWS::DocDB::DBClusterParameterGroup"
    Properties:
      ...
+     Parameters:
+       audit_logs: "enabled"
      ...
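As an added example (not part of this page and not Checkov's own implementation), the script below evaluates the condition behind CKV_AWS_104 against a CloudFormation template in JSON form, and goes one step further than the policy: it also reports clusters that do not attach an audited parameter group or do not list "audit" in EnableCloudwatchLogsExports, because the parameter by itself does not deliver audit records to CloudWatch Logs. The template, resource names and function names are all constructed for the example.

```python
import json

# Constructed template (JSON form), not from the page: an audited and a silent parameter group, one cluster each.
TEMPLATE = json.loads("""{"Resources": {
  "AuditedParams": {"Type": "AWS::DocDB::DBClusterParameterGroup", "Properties": {
    "Family": "docdb5.0", "Description": "audit on",
    "Parameters": {"audit_logs": "enabled", "tls": "enabled"}}},
  "SilentParams": {"Type": "AWS::DocDB::DBClusterParameterGroup", "Properties": {
    "Family": "docdb5.0", "Description": "audit off", "Parameters": {"tls": "enabled"}}},
  "GoodCluster": {"Type": "AWS::DocDB::DBCluster", "Properties": {
    "DBClusterParameterGroupName": {"Ref": "AuditedParams"},
    "EnableCloudwatchLogsExports": ["audit"]}},
  "BadCluster": {"Type": "AWS::DocDB::DBCluster", "Properties": {
    "DBClusterParameterGroupName": {"Ref": "SilentParams"}}}}}""")

PARAM_GROUP = "AWS::DocDB::DBClusterParameterGroup"
CLUSTER = "AWS::DocDB::DBCluster"

def resources_of(template, rtype):
    """Map logical id -> Properties for every resource of the given type."""
    return {name: res.get("Properties") or {}
            for name, res in template.get("Resources", {}).items() if res.get("Type") == rtype}

def parameter_group_has_audit(props):
    """CKV_AWS_104 condition: Parameters.audit_logs is the literal string "enabled".
    A missing Parameters block, a missing key, or an intrinsic function (a dict) all fail."""
    value = (props.get("Parameters") or {}).get("audit_logs")
    return isinstance(value, str) and value == "enabled"

def failing_parameter_groups(template):
    """Logical ids of parameter groups that would trip this policy."""
    return sorted(name for name, props in resources_of(template, PARAM_GROUP).items()
                  if not parameter_group_has_audit(props))

def clusters_without_audit(template):
    """Clusters that will not deliver audit logs to CloudWatch: no audited parameter
    group attached (by Ref), or "audit" missing from EnableCloudwatchLogsExports."""
    audited = {name for name, props in resources_of(template, PARAM_GROUP).items()
               if parameter_group_has_audit(props)}
    failing = []
    for name, props in resources_of(template, CLUSTER).items():
        group = props.get("DBClusterParameterGroupName")
        group = group.get("Ref") if isinstance(group, dict) else group
        exports = props.get("EnableCloudwatchLogsExports") or []
        if group not in audited or "audit" not in exports:
            failing.append(name)
    return sorted(failing)

if __name__ == "__main__":
    print("failing parameter groups:", failing_parameter_groups(TEMPLATE))
    print("clusters without audit logs:", clusters_without_audit(TEMPLATE))
```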