AWS DocumentDB Database is not encrypted with the Customer Master Key (CMK)

Description:

AWS DocumentDB (with MongoDB compatibility) supports encryption at rest using AWS Key Management Service (KMS). When encryption is enabled without specifying a key, AWS uses the service's AWS managed CMK; for added control (key policies, rotation, auditing and the ability to disable the key) it is recommended to use a customer managed CMK. Relying on the AWS managed key reduces your control over the encryption keys and may lead to data security and compliance issues.


Remediation:

1. Encrypt Existing DocumentDB Clusters with a CMK:

AWS Management Console:
  • Navigate to the DocumentDB dashboard.
  • Choose the cluster you wish to modify.
  • Note: Direct modification of an existing cluster's encryption status isn't supported. Instead, create a snapshot of the unencrypted cluster, copy that snapshot with your CMK enabled, and then restore a new encrypted cluster from that snapshot.
AWS CLI:

The encryption key of an existing DocumentDB cluster cannot be changed in place. Take a snapshot of the cluster, copy the snapshot with your CMK, and restore a new cluster from the encrypted copy; the restored cluster inherits the copy's encryption key.

aws docdb create-db-cluster-snapshot --db-cluster-snapshot-identifier YourSnapshotName --db-cluster-identifier YourClusterName

aws docdb copy-db-cluster-snapshot --source-db-cluster-snapshot-identifier YourSnapshotName --target-db-cluster-snapshot-identifier YourEncryptedSnapshotName --kms-key-id YourCMKKeyID

aws docdb restore-db-cluster-from-snapshot --db-cluster-identifier YourNewEncryptedClusterName --snapshot-identifier YourEncryptedSnapshotName --engine docdb

After the restore, create the cluster's instances, verify the application against the new cluster, and only then retire the unencrypted cluster.

2. Use Encryption with CMK for New DocumentDB Clusters:

AWS Management Console:
  • Navigate to the DocumentDB dashboard.
  • Click on "Create database".
  • Under "Encryption", choose your Customer Master Key (CMK) from the dropdown.
AWS CLI:

aws docdb create-db-cluster --db-cluster-identifier YourClusterName --engine docdb --master-username YourMasterUser --master-user-password YourMasterPassword --storage-encrypted --kms-key-id YourCMKKeyID

Terraform:

To ensure DocumentDB clusters are created with encryption using a CMK in Terraform:

variable "master_password" {
  type      = string
  sensitive = true   # supplied at apply time, never committed to source control
}

resource "aws_docdb_cluster" "example" {
  cluster_identifier  = "my-docdb-cluster"
  master_username     = "root"
  master_password     = var.master_password
  skip_final_snapshot = true

  # Encryption at rest with a customer managed CMK (key ARN is a placeholder)
  storage_encrypted = true
  kms_key_id        = "arn:aws:kms:region:account-id:key/key-id"
}

3. Audit and Monitor:

  • Use AWS Config to ensure that every DocumentDB cluster has storage encryption enabled and references a customer managed CMK rather than the AWS managed key.
  • Activate AWS CloudTrail to log cluster creation, snapshot copy and restore operations, and KMS key usage, so that changes to the encryption status of DocumentDB clusters can be monitored.
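The following is an added example (not from the original page) of the audit described above, written with boto3 rather than AWS Config. It classifies each cluster as unencrypted, encrypted with the AWS managed key, or encrypted with a customer managed CMK, using the KeyManager field that kms describe-key returns; the sample cluster and key data are constructed and the ARNs are placeholders.

```python
"""Audit DocumentDB clusters for customer managed CMK encryption (added example)."""

# Constructed sample: shape follows describe_db_clusters()['DBClusters']
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "orders-unencrypted", "Engine": "docdb",
     "StorageEncrypted": False},
    {"DBClusterIdentifier": "orders-aws-key", "Engine": "docdb",
     "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-AWS-KEY"},
    {"DBClusterIdentifier": "orders-cmk", "Engine": "docdb",
     "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-CMK"},
]
# Constructed sample: KeyMetadata['KeyManager'] from kms describe_key per key ARN
SAMPLE_KEY_MANAGERS = {
    "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-AWS-KEY": "AWS",
    "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-CMK": "CUSTOMER",
}


def classify_cluster(cluster, key_manager):
    """Return 'UNENCRYPTED', 'AWS_MANAGED_KEY' or 'CUSTOMER_MANAGED_KEY'."""
    if not cluster.get("StorageEncrypted") or not cluster.get("KmsKeyId"):
        return "UNENCRYPTED"
    return "CUSTOMER_MANAGED_KEY" if key_manager == "CUSTOMER" else "AWS_MANAGED_KEY"


def audit(clusters, key_managers):
    """Map cluster identifier -> classification for DocumentDB clusters only."""
    return {c["DBClusterIdentifier"]: classify_cluster(c, key_managers.get(c.get("KmsKeyId")))
            for c in clusters if c.get("Engine") == "docdb"}


def noncompliant(report):
    """Clusters that are not encrypted with a customer managed CMK, sorted."""
    return sorted(name for name, status in report.items() if status != "CUSTOMER_MANAGED_KEY")


def audit_live(region="us-east-1"):
    """Run the same check against a real account (needs boto3 and credentials)."""
    import boto3  # imported here so the offline sample above runs without it
    docdb, kms = boto3.client("docdb", region_name=region), boto3.client("kms", region_name=region)
    clusters = docdb.describe_db_clusters()["DBClusters"]
    key_managers = {}
    for c in clusters:
        if c.get("KmsKeyId") and c["KmsKeyId"] not in key_managers:
            meta = kms.describe_key(KeyId=c["KmsKeyId"])["KeyMetadata"]
            key_managers[c["KmsKeyId"]] = meta["KeyManager"]  # 'AWS' or 'CUSTOMER'
    return audit(clusters, key_managers)


if __name__ == "__main__":
    print(noncompliant(audit(SAMPLE_CLUSTERS, SAMPLE_KEY_MANAGERS)))
```

Run the offline sample as-is; for a real account call audit_live() and feed the non-compliant list into the snapshot-copy-restore procedure from step 1.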

4. Policy and Training:

Educate team members about the importance of using customer managed keys for DocumentDB encryption. Review this policy regularly and conduct training sessions to ensure compliance.

Utilizing a Customer Master Key (CMK) for your AWS DocumentDB encryption provides an additional layer of control and security, ensuring you're meeting best security practices and compliance requirements.