Ensure AWS DocumentDB logging is enabled

Error: AWS DocumentDB logging is not enabled

Bridgecrew Policy ID: BC_AWS_LOGGING_19
Checkov Check ID: CKV_AWS_85
Severity: MEDIUM

AWS DocumentDB logging is not enabled


The events recorded by the AWS DocumentDB audit logs include: successful and failed authentication attempts, creating indexes or dropping a collection in a database within the DocumentDB cluster.

AWS CloudWatch logs are a service that monitors, stores and accesses your log files from a variety of sources within your AWS account. When logging is enabled information such as Data Definition Language, authentication, authorization, and user management events are sent to AWS CloudWatch logs. This information can be used to analyze, monitor and archive your Amazon DocumentDB auditing events for security and compliance requirements.

Fix - Runtime

AWS Console

  1. Log in to the AWS Management Console at [https://console.aws.amazon.com/].
  2. Open the Amazon DocumentDB.
  3. In the navigation pane, choose Clusters.
  4. Specify the cluster that you want to modify by choosing the button to the left of the cluster's name.
  5. Choose Actions, then click Modify.
  6. In the Modify Cluster: pane.
  7. Go to Log Exports and enable exporting audit or profiler logs.

CLI Command

Use the modify-db-cluster operation to modify the specified cluster using the AWS CLI.

aws docdb modify-db-cluster \
   --db-cluster-identifier sample-cluster \
   --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit"]}'

Fix - Buildtime


  • Resource: aws_docdb_cluster
  • Argument: enabled_cloudwatch_logs_exports - (Optional) List of log types to export to cloudwatch. If omitted, no logs will be exported. The following log types are supported: audit, profiler.
resource "aws_docdb_cluster" "docdb" {
  cluster_identifier      = "my-docdb-cluster"
+ enabled_cloudwatch_logs_exports  = ["audit", "profiler"]