AWS DocumentDB Database Storage is not encrypted

Description:

AWS DocumentDB (with MongoDB compatibility) supports encryption at rest, which provides an additional data protection layer by securing your data from unauthorized access to the underlying storage. If AWS DocumentDB is not encrypted, it could lead to potential unauthorized data access, data breaches, or compliance violations.


Remediation:

1. Encrypt Existing DocumentDB Clusters:

AWS Management Console:
  • Navigate to the DocumentDB dashboard.
  • Choose the cluster you wish to modify.
  • Note: Direct modification of an existing cluster's encryption status isn't supported. Instead, create a snapshot of the unencrypted cluster, copy that snapshot with encryption enabled, and then restore a new encrypted cluster from that snapshot.
AWS CLI:

To enable encryption for an existing DocumentDB cluster, take a snapshot, copy that snapshot with encryption enabled (the --kms-key-id value is the ID, ARN or alias of the KMS key that will encrypt the copy), and then restore a new cluster from the encrypted snapshot. Wait for each snapshot to reach the "available" status before running the next command.

aws docdb create-db-cluster-snapshot --db-cluster-snapshot-identifier YourSnapshotName --db-cluster-identifier YourClusterName

aws docdb copy-db-cluster-snapshot --source-db-cluster-snapshot-identifier YourSnapshotName --target-db-cluster-snapshot-identifier YourEncryptedSnapshotName --kms-key-id YourKmsKeyId

aws docdb restore-db-cluster-from-snapshot --db-cluster-identifier YourNewEncryptedClusterName --snapshot-identifier YourEncryptedSnapshotName --engine docdb
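The three CLI steps above, driven end to end with boto3 so that each snapshot is polled until it is available and the result is verified rather than assumed. This is an added example, not code from the page or from AWS; it assumes a boto3 DocumentDB client (or any object with the same method names) and a KMS key the caller is allowed to use. The function names, the snapshot naming scheme and the placeholder identifiers are this example's own. Note that a cluster restored from a snapshot has no instances: add them with create-db-instance and repoint clients before retiring the unencrypted cluster.

```python
"""Re-create an unencrypted DocumentDB cluster as an encrypted one:
snapshot -> encrypted copy -> restore, verifying StorageEncrypted at each stage."""
import time


def wait_for_snapshot(docdb, snapshot_id, poll_seconds=30, sleep=time.sleep, max_polls=240):
    """Block until a cluster snapshot reports Status 'available'; raise on failure/timeout."""
    for _ in range(max_polls):
        resp = docdb.describe_db_cluster_snapshots(DBClusterSnapshotIdentifier=snapshot_id)
        snap = resp["DBClusterSnapshots"][0]
        status = snap["Status"]
        if status == "available":
            return snap
        if status == "failed":
            raise RuntimeError(f"snapshot {snapshot_id} failed")
        sleep(poll_seconds)
    raise TimeoutError(f"snapshot {snapshot_id} not available after {max_polls} polls")


def encrypt_cluster_via_snapshot(docdb, cluster_id, new_cluster_id, kms_key_id, sleep=time.sleep):
    """Return the restored, encrypted cluster description (the DBCluster dict).

    The restored cluster has no instances; create them separately (hypothetical
    follow-up step, not shown here) before cutting applications over.
    """
    snapshot_id = f"{cluster_id}-unencrypted"      # example naming scheme
    encrypted_snapshot_id = f"{cluster_id}-encrypted"

    # Step 1: snapshot the unencrypted cluster.
    docdb.create_db_cluster_snapshot(
        DBClusterSnapshotIdentifier=snapshot_id, DBClusterIdentifier=cluster_id
    )
    wait_for_snapshot(docdb, snapshot_id, sleep=sleep)

    # Step 2: copy it; supplying KmsKeyId is what makes the copy encrypted.
    docdb.copy_db_cluster_snapshot(
        SourceDBClusterSnapshotIdentifier=snapshot_id,
        TargetDBClusterSnapshotIdentifier=encrypted_snapshot_id,
        KmsKeyId=kms_key_id,
    )
    encrypted_snap = wait_for_snapshot(docdb, encrypted_snapshot_id, sleep=sleep)
    if not encrypted_snap.get("StorageEncrypted"):
        raise RuntimeError("copied snapshot is not encrypted; check the KMS key and permissions")

    # Step 3: restore a new cluster from the encrypted snapshot.
    resp = docdb.restore_db_cluster_from_snapshot(
        DBClusterIdentifier=new_cluster_id,
        SnapshotIdentifier=encrypted_snapshot_id,
        Engine="docdb",
        KmsKeyId=kms_key_id,
    )
    cluster = resp["DBCluster"]
    if not cluster.get("StorageEncrypted"):
        raise RuntimeError(f"restored cluster {new_cluster_id} reports StorageEncrypted=False")
    return cluster


if __name__ == "__main__":
    import boto3  # only needed for a live run against an account

    encrypt_cluster_via_snapshot(
        boto3.client("docdb"),
        cluster_id="YourClusterName",                    # placeholder
        new_cluster_id="YourNewEncryptedClusterName",    # placeholder
        kms_key_id="YourKmsKeyId",                       # KMS key ID, ARN or alias; placeholder
    )
```

The explicit checks on StorageEncrypted matter: a copy made without a usable key, or with a key the caller lacks permissions for, can leave you with an unencrypted snapshot and a restored cluster in the same state as the original.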

2. Use Encryption for New DocumentDB Clusters:

AWS Management Console:
  • Navigate to the DocumentDB dashboard.
  • Click on "Create database".
  • Under "Encryption", ensure the "Enable encryption" option is selected.
AWS CLI:

aws docdb create-db-cluster --db-cluster-identifier YourClusterName --engine docdb --master-username YourMasterUser --master-user-password YourMasterPassword --storage-encrypted
Terraform:

To ensure DocumentDB clusters are created with encryption using Terraform:

resource "aws_docdb_cluster" "example" {
  cluster_identifier  = "my-docdb-cluster"
  engine              = "docdb"
  master_username     = "root"
  master_password     = var.master_password   # never a literal in source; pass via a variable or a secrets store
  skip_final_snapshot = true                  # acceptable for disposable test clusters only

  storage_encrypted   = true                  # encrypt storage at rest
  # kms_key_id        = "YourKmsKeyArn"       # optional: customer managed key; omit to use the AWS managed key
}

variable "master_password" {
  type      = string
  sensitive = true
}

3. Audit and Monitor:

  • Utilize AWS Config to ensure that DocumentDB clusters are encrypted.
  • Activate AWS CloudTrail to monitor and log changes to the encryption status of DocumentDB clusters.
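An added audit script for the first bullet: it enumerates every DocumentDB cluster in the account and reports those whose storage is not encrypted, which is the same check an AWS Config rule would make. This is example code, not the page's or AWS's own; it assumes a boto3 DocumentDB client, and the sample response embedded below is constructed, not real account data.

```python
"""Find DocumentDB clusters whose storage is not encrypted at rest."""


def list_clusters(docdb):
    """Collect all clusters, following the Marker-based pagination of describe_db_clusters."""
    clusters, marker = [], None
    while True:
        kwargs = {"Marker": marker} if marker else {}
        page = docdb.describe_db_clusters(**kwargs)
        clusters.extend(page.get("DBClusters", []))
        marker = page.get("Marker")
        if not marker:
            return clusters


def unencrypted_clusters(clusters):
    """Identifiers of clusters that report StorageEncrypted false (or omit the field)."""
    return sorted(c["DBClusterIdentifier"] for c in clusters if not c.get("StorageEncrypted", False))


def encryption_report(clusters):
    """Map each cluster id to the KMS key ARN protecting it, or None when unencrypted."""
    return {
        c["DBClusterIdentifier"]: (c.get("KmsKeyId") if c.get("StorageEncrypted") else None)
        for c in clusters
    }


# Constructed sample resembling the DBClusters list of a describe_db_clusters response.
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "orders-prod", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/example-key-id"},
    {"DBClusterIdentifier": "analytics-dev", "StorageEncrypted": False},
    {"DBClusterIdentifier": "legacy-reports"},  # field missing: treat as not encrypted
]


if __name__ == "__main__":
    import boto3  # only needed for a live run against an account

    live = list_clusters(boto3.client("docdb"))
    for cluster_id in unencrypted_clusters(live):
        print(f"UNENCRYPTED: {cluster_id}")
```

Treating a missing StorageEncrypted field as a finding is deliberate: an audit that only flags an explicit false silently passes any record it could not fully read.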

4. Policy and Training:

Inform team members about the requirement to use encryption for DocumentDB databases. Regularly review and update this policy, and conduct training sessions to reinforce this standard.


Ensuring that your AWS DocumentDB storage is encrypted at rest is paramount for safeguarding your data and meeting best security practices and compliance requirements.