AWS DocumentDB Database is not encrypted with the Customer Master Key (CMK)
Description:
AWS DocumentDB (with MongoDB compatibility) supports encryption at rest using AWS Key Management Service (KMS). By default, AWS uses a service-linked AWS managed CMK, but a customer managed CMK is recommended for the added control and management capabilities it gives you. Without one, you have less control over the encryption keys, which can lead to data security and compliance issues.
Remediation:
1. Encrypt Existing DocumentDB Clusters with a CMK:
AWS Management Console:
- Navigate to the DocumentDB dashboard.
- Choose the cluster you wish to modify.
- Note: Direct modification of an existing cluster's encryption status isn't supported. Instead, create a snapshot of the unencrypted cluster, copy that snapshot with your CMK enabled, and then restore a new encrypted cluster from that snapshot.
AWS CLI:
To change the encryption key for an existing DocumentDB cluster to a CMK, take a snapshot, copy it with your CMK specified, and then restore a new cluster from the encrypted copy.
aws docdb create-db-cluster-snapshot \
    --db-cluster-snapshot-identifier YourSnapshotName \
    --db-cluster-identifier YourClusterName
aws docdb copy-db-cluster-snapshot \
    --source-db-cluster-snapshot-identifier YourSnapshotName \
    --target-db-cluster-snapshot-identifier YourEncryptedSnapshotName \
    --kms-key-id YourCMKKeyID
# --engine is required on restore; docdb is the only valid value
aws docdb restore-db-cluster-from-snapshot \
    --db-cluster-identifier YourNewEncryptedClusterName \
    --snapshot-identifier YourEncryptedSnapshotName \
    --engine docdb
2. Use Encryption with CMK for New DocumentDB Clusters:
AWS Management Console:
- Navigate to the DocumentDB dashboard.
- Click on "Create database".
- Under "Encryption", choose your Customer Master Key (CMK) from the dropdown.
AWS CLI:
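# --engine and the master credentials are needed to create a cluster; the Your... values are placeholders
aws docdb create-db-cluster \
    --db-cluster-identifier YourClusterName \
    --engine docdb \
    --master-username YourMasterUsername \
    --master-user-password YourMasterPassword \
    --storage-encrypted \
    --kms-key-id YourCMKKeyID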
Terraform:
To ensure DocumentDB clusters are created with encryption using a CMK in Terraform:
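resource "aws_docdb_cluster" "example" {
  cluster_identifier  = "my-docdb-cluster"
  master_username     = "root"
  # Placeholder only: supply the password from a sensitive variable or a secrets manager
  master_password     = "password"
  skip_final_snapshot = true
  # storage_encrypted must be true whenever kms_key_id is set
  storage_encrypted   = true
  # ARN of the customer managed key
  kms_key_id          = "arn:aws:kms:region:account-id:key/key-id"
}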
3. Audit and Monitor:
- Use AWS Config to ensure that DocumentDB clusters are encrypted with a CMK.
- Activate AWS CloudTrail to monitor and log changes to the encryption status of DocumentDB clusters.
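The check in step 3 can also be scripted. The following is an added example, not part of the original page or of any AWS tooling: it classifies clusters from `aws docdb describe-db-clusters` output by who manages their KMS key, using the KeyManager value that `aws kms describe-key` reports. The sample records, key ARNs and function names are constructed for illustration.

```python
# Constructed sample shaped like `aws docdb describe-db-clusters` output (not real data).
# The listing can include RDS and Neptune clusters, so "Engine" is checked below.
KEY = "arn:aws:kms:us-east-1:111122223333:key/"  # constructed account and key ids
SAMPLE_CLUSTERS = {"DBClusters": [
    {"DBClusterIdentifier": "orders", "Engine": "docdb", "StorageEncrypted": False},
    {"DBClusterIdentifier": "billing", "Engine": "docdb", "StorageEncrypted": True,
     "KmsKeyId": KEY + "aws-managed-example"},
    {"DBClusterIdentifier": "ledger", "Engine": "docdb", "StorageEncrypted": True,
     "KmsKeyId": KEY + "customer-example"},
    {"DBClusterIdentifier": "audit", "Engine": "docdb", "StorageEncrypted": True,
     "KmsKeyId": KEY + "no-metadata-example"},
    {"DBClusterIdentifier": "graph", "Engine": "neptune", "StorageEncrypted": False},
]}
# Constructed map of key ARN -> KeyMetadata.KeyManager, as `aws kms describe-key` reports it.
SAMPLE_KEY_MANAGERS = {KEY + "aws-managed-example": "AWS",
                       KEY + "customer-example": "CUSTOMER"}


def classify_cluster(cluster, key_managers):
    """Return the encryption state of one cluster record."""
    if not cluster.get("StorageEncrypted"):
        return "UNENCRYPTED"
    manager = key_managers.get(cluster.get("KmsKeyId"))
    if manager == "CUSTOMER":
        return "CUSTOMER_MANAGED_KEY"
    if manager == "AWS":
        return "AWS_MANAGED_KEY"
    # No key metadata (for example describe-key was denied): report it, do not pass it.
    return "KEY_UNVERIFIED"


def audit_docdb_clusters(describe_output, key_managers):
    """Map each DocumentDB cluster name to its encryption state."""
    return {
        c["DBClusterIdentifier"]: classify_cluster(c, key_managers)
        for c in describe_output.get("DBClusters", [])
        if c.get("Engine") == "docdb"  # skip non-DocumentDB clusters in the listing
    }


def non_compliant(findings):
    """Only clusters on a customer managed key pass the check."""
    return sorted(n for n, s in findings.items() if s != "CUSTOMER_MANAGED_KEY")


if __name__ == "__main__":
    findings = audit_docdb_clusters(SAMPLE_CLUSTERS, SAMPLE_KEY_MANAGERS)
    print(findings)
    print("non-compliant:", non_compliant(findings))
```

To run it against a real account, replace the two sample structures with the parsed JSON from the corresponding CLI calls.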
4. Policy and Training:
Educate team members about the importance of using customer-managed keys for DocumentDB encryption. Regularly update this policy and conduct training sessions to ensure compliance.
Utilizing a Customer Master Key (CMK) for your AWS DocumentDB encryption provides an additional layer of control and security, ensuring you're meeting best security practices and compliance requirements.