
AWS DocumentDB Clusters Encrypted with KMS CMKs

Security

Risk level: High (not acceptable risk)

Ensure that your Amazon DocumentDB cluster data is encrypted with KMS Customer Master Keys (CMKs) that you create and manage, instead of the AWS-managed key (the aws/rds default key that the DocumentDB service uses when no customer-managed key is specified), in order to have more granular control over DocumentDB data-at-rest encryption and decryption.

When you use your own AWS KMS Customer Master Keys (CMKs) to protect your DocumentDB data (including indexes, logs, replicas and snapshots) from unauthorized users, you define the key policy and therefore control which principals can use the key to access your data, and you can create, rotate, disable, schedule for deletion and audit (through AWS CloudTrail) the keys used by your Amazon DocumentDB clusters. The AWS-managed aws/rds key offers none of this: its key policy cannot be edited, it cannot be disabled, and it is shared by every RDS, Neptune and DocumentDB resource in the account that relies on default encryption. Note that the encryption configuration of a DocumentDB cluster, including the KMS key, is fixed when the cluster is created; switching an existing cluster to a CMK means taking a snapshot and restoring it into a new cluster with the CMK specified, as described in the Remediation / Resolution section.

Audit

To determine the encryption status and configuration for your AWS DocumentDB clusters, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to DocumentDB dashboard at https://console.aws.amazon.com/docdb/.

03 In the left navigation panel, select Clusters.

04 Choose the Amazon DocumentDB cluster that you want to examine, then click on its identifier, available in the Cluster identifier column.

05 On the selected cluster configuration page, within Cluster details section, check the Encryption-at-rest configuration attribute value (status).

06 On the selected cluster configuration page, inside the Cluster details section, make sure that encryption at rest is enabled. If the feature is not enabled, i.e. Encryption-at-rest configuration attribute value is set to No, follow the instructions outlined in this conformity rule to enable encryption at rest for the specified cluster. If the value is set to Yes, note the ARN of the key used, specified as the value for the KMS key attribute, and continue the audit with the next step.

07 Navigate to AWS KMS dashboard at https://console.aws.amazon.com/kms/.

08 Select the appropriate AWS region from the navigation bar (must match the region where your DocumentDB cluster is running).

09 In the left navigation panel, click AWS managed keys.

10 Choose the KMS key with the alias set to aws/rds (the default key used by the Amazon DocumentDB service), then click on its alias link to access the key details.

11 On the selected KMS key configuration page, under General configuration, check the key ARN listed as value for the ARN attribute. If the aws/rds key Amazon Resource Name (ARN) and the ARN identified at step no. 6 match, the selected Amazon DocumentDB cluster is encrypted using the default master key (AWS-managed key) instead of a customer-managed CMK. If the ARN identified at step no. 6 belongs to a key listed under Customer managed keys (in this or another AWS account), the cluster is compliant with this rule.

12 Repeat steps no. 4 – 11 to determine the encryption status and configuration for other AWS DocumentDB clusters available in the current region.

13 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-db-clusters command (OSX/Linux/UNIX) to list the identifiers of all DocumentDB clusters available in the selected AWS region:

aws docdb describe-db-clusters \
	--region us-east-1 \
	--output table \
	--query 'DBClusters[*].DBClusterIdentifier'

02 The command output should return a table with the requested cluster identifiers (names):

-------------------------
|   DescribeDBClusters  |
+-----------------------+
|  cc-project5-cluster  |
|  cc-mongo-db-cluster  |
+-----------------------+ 

03 Run describe-db-clusters command (OSX/Linux/UNIX) using the name of the DocumentDB cluster that you want to examine as identifier and custom query filters to return the encryption at rest feature status available for the selected cluster:

aws docdb describe-db-clusters \
	--region us-east-1 \
	--db-cluster-identifier cc-project5-cluster \
	--query 'DBClusters[*].StorageEncrypted'

04 The command output should return the requested feature status (true for enabled, false for disabled):

[
    true
]

If the command output returns true, as shown in the example above, the encryption at rest is enabled for the selected DocumentDB cluster and the audit process continues with the next step. If the command output returns false, data-at-rest encryption is not enabled, therefore you can follow the instructions outlined in this conformity rule to enable encryption for your DocumentDB cluster.

05 Execute again describe-db-clusters command (OSX/Linux/UNIX) to return the ARN of the AWS KMS key used to encrypt data available on the selected AWS DocumentDB cluster:

aws docdb describe-db-clusters \
	--region us-east-1 \
	--db-cluster-identifier cc-project5-cluster \
	--query 'DBClusters[*].KmsKeyId'

06 The command output should return the requested Amazon Resource Name (ARN):

[
  "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-1234abcd1234"
]

07 Run describe-key command (OSX/Linux/UNIX) using the AWS KMS key ARN returned at the previous step as identifier and custom query filters to expose the manager of the encryption key (either "AWS" or "CUSTOMER"):

aws kms describe-key \
	--region us-east-1 \
	--key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-1234abcd1234 \
	--query 'KeyMetadata.KeyManager'

08 The command output should return the selected key manager name:

"AWS"

If the value returned by the describe-key command output is "AWS", the encryption key manager is Amazon Web Services and not the AWS customer, therefore the selected Amazon DocumentDB cluster is encrypted with the default key (i.e. AWS-managed key) instead of a KMS Customer Master Key (CMK). If the value is "CUSTOMER", the cluster already uses a customer-managed key and is compliant with this rule. If the command fails with an AccessDeniedException, the key lives in another AWS account or your IAM principal lacks kms:DescribeKey on it; resolve the permission before drawing a conclusion for that cluster.

09 Repeat steps no. 3 – 8 to determine the encryption status and configuration for other AWS DocumentDB clusters available in the current region.

10 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 9 to perform the audit process for other regions.
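Putting the audit steps above into a script, as an added example that is not Cloud Conformity's or AWS's code: it applies the same decision (StorageEncrypted first, then KeyMetadata.KeyManager of the cluster's KmsKeyId) to describe-db-clusters output, calls describe-key once per distinct key, treats a key that cannot be described (for example a key in another account whose policy does not grant kms:DescribeKey) as its own finding rather than a pass, and skips the Aurora and Neptune clusters that the shared describe-db-clusters API may also list. Only audit_region() talks to AWS and assumes boto3 plus credentials; the sample API responses at the bottom are constructed for the offline run.

```python
"""Audit Amazon DocumentDB clusters for the KMS key protecting their storage.

Added example, not Cloud Conformity's or AWS's code.  Evaluation is kept
separate from the AWS calls so it can run offline on constructed responses;
audit_region() assumes boto3 and credentials with rds:DescribeDBClusters and
kms:DescribeKey.
"""
from typing import Callable, Dict, List, Optional

UNENCRYPTED = "UNENCRYPTED"                  # StorageEncrypted false (covered by another rule)
AWS_MANAGED_KEY = "AWS_MANAGED_KEY"          # encrypted with the aws/rds default key: fails this rule
CUSTOMER_MANAGED_KEY = "CUSTOMER_MANAGED_KEY"
KEY_NOT_READABLE = "KEY_NOT_READABLE"        # describe-key failed, e.g. key in another account


def classify_cluster(cluster: Dict, key_metadata: Optional[Dict]) -> str:
    """Status for one DBCluster record plus the KeyMetadata of its key (None if unreadable)."""
    if not cluster.get("StorageEncrypted") or not cluster.get("KmsKeyId"):
        return UNENCRYPTED
    if key_metadata is None:
        return KEY_NOT_READABLE
    manager = key_metadata.get("KeyManager")
    if manager == "AWS":
        return AWS_MANAGED_KEY
    if manager == "CUSTOMER":
        return CUSTOMER_MANAGED_KEY
    return KEY_NOT_READABLE


def audit_clusters(clusters: List[Dict], describe_key: Callable[[str], Dict]) -> List[Dict]:
    """Evaluate every DocumentDB cluster.  describe_key(key_id) is called once per
    distinct key and may raise (AccessDenied, NotFound); that is recorded, not fatal."""
    cache: Dict[str, Optional[Dict]] = {}
    findings: List[Dict] = []
    for c in clusters:
        if c.get("Engine") != "docdb":  # the shared RDS API may list Aurora/Neptune clusters too
            continue
        key_id = c.get("KmsKeyId")
        metadata: Optional[Dict] = None
        if c.get("StorageEncrypted") and key_id:
            if key_id not in cache:
                try:
                    cache[key_id] = describe_key(key_id)
                except Exception:
                    cache[key_id] = None
            metadata = cache[key_id]
        status = classify_cluster(c, metadata)
        findings.append({"cluster": c["DBClusterIdentifier"], "kms_key_id": key_id,
                         "status": status, "compliant": status == CUSTOMER_MANAGED_KEY})
    return findings


def audit_region(region: str) -> List[Dict]:
    """Live audit of one region (KMS keys and clusters are regional)."""
    import boto3  # deferred so the offline evaluation above has no AWS dependency
    docdb = boto3.client("docdb", region_name=region)
    kms = boto3.client("kms", region_name=region)
    clusters: List[Dict] = []
    for page in docdb.get_paginator("describe_db_clusters").paginate():
        clusters.extend(page["DBClusters"])
    return audit_clusters(clusters, lambda k: kms.describe_key(KeyId=k)["KeyMetadata"])


# Constructed sample responses (not captured from a real account).
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "cc-project5-cluster", "Engine": "docdb", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-1234abcd1234"},
    {"DBClusterIdentifier": "cc-mongo-db-cluster", "Engine": "docdb", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-aaaa-bbbb-cccc-aaaabbbbcccc"},
    {"DBClusterIdentifier": "cc-legacy-cluster", "Engine": "docdb", "StorageEncrypted": False},
    {"DBClusterIdentifier": "cc-shared-key-cluster", "Engine": "docdb", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:999999999999:key/eeeeffff-eeee-ffff-0000-eeeeffff0000"},
    {"DBClusterIdentifier": "not-docdb", "Engine": "aurora-postgresql", "StorageEncrypted": True},
]
SAMPLE_KEYS = {  # KeyMetadata as returned by describe-key, keyed by key ARN
    SAMPLE_CLUSTERS[0]["KmsKeyId"]: {"KeyManager": "AWS"},       # the aws/rds default key
    SAMPLE_CLUSTERS[1]["KmsKeyId"]: {"KeyManager": "CUSTOMER"},
}


def sample_describe_key(key_id: str) -> Dict:
    """Stand-in for kms.describe_key; unknown keys fail like a denied cross-account call."""
    if key_id not in SAMPLE_KEYS:
        raise PermissionError(f"AccessDeniedException: {key_id}")
    return SAMPLE_KEYS[key_id]


if __name__ == "__main__":
    for f in audit_clusters(SAMPLE_CLUSTERS, sample_describe_key):
        print(f"{f['cluster']:24} {f['status']:22} {f['kms_key_id']}")
```

Run the live audit with audit_region("us-east-1") in a loop over the regions you use; anything other than CUSTOMER_MANAGED_KEY is a finding to follow up, with KEY_NOT_READABLE meaning the key policy, not the cluster, needs attention first.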

Remediation / Resolution

To encrypt an existing Amazon DocumentDB cluster with your own AWS KMS Customer Master Key (CMK), perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to AWS KMS dashboard at https://console.aws.amazon.com/kms/.

03 Select the appropriate AWS region from the navigation bar (must match the region where your DocumentDB cluster is provisioned).

04 In the left navigation panel, click Customer managed keys.

05 Click the Create key button. Keep Key type set to Symmetric and Key usage set to Encrypt and decrypt (Amazon DocumentDB requires a symmetric encryption key), then click Next.

06 In the Alias and Description fields, enter a unique name (alias) and a description for the new CMK, then click Next.

07 Under Key administrators, select which IAM users and/or roles can administer the new CMK, then click Next.

08 Under This account, select which IAM users and/or roles can use the new CMK to encrypt/decrypt the DocumentDB data with the AWS KMS API. Include the principal that will restore the cluster at step no. 19, because Amazon DocumentDB uses that principal's permissions to create the grant on the key.

09 (Optional) Under Other AWS accounts, click Add another AWS account and enter an external account ID in order to add another AWS account that can use this CMK to encrypt/decrypt the Amazon DocumentDB cluster data. The owners of the external AWS accounts must also grant access to this CMK through IAM policies for their own users and roles.

10 Click Next to continue.

11 Under Review, check the key policy generated by AWS (it should contain the account-root statement, your administrators, your key users and the kms:CreateGrant statement conditioned on kms:GrantIsForAWSResource), then click Finish to create your new CMK. Once the key is created, it is listed under Customer managed keys with the alias you chose.

12 Once the KMS CMK has been created, navigate to AWS DocumentDB dashboard at https://console.aws.amazon.com/docdb/.

13 In the left navigation panel, select Clusters.

14 Select the AWS DocumentDB cluster that you want to encrypt (see Audit section part I to identify the right resource).

15 Click the Actions button from the dashboard top menu and select Take snapshot to initiate the backup process.

16 On the Create cluster snapshot page, provide a name for your cluster snapshot in the Snapshot identifier box, then click Create to take the snapshot.

17 In the left navigation panel, select Snapshots.

18 Select the cluster snapshot created at the previous step, click the Actions button from the dashboard top menu and select Restore.

19 On the Restore snapshot page, perform the following:

  1. Provide a unique name for your new DocumentDB cluster in the Cluster identifier box.
  2. Click Show advanced settings button to expand the panel with the cluster advanced settings.
  3. Inside the Encryption-at-rest section, make sure that the Enable encryption button is selected, then choose the AWS KMS CMK created earlier from the Master key dropdown list.
  4. Make sure that the rest of the configuration settings, available on the page, follow the source cluster settings, then click Restore cluster to create your new DocumentDB cluster.

20 Go back to the navigation panel and select Instances.

21 Click the Actions button from the dashboard top menu and select Add instances to add database instances to your new DocumentDB cluster.

22 On the Add instances to: <cluster-name> page, provide a name for the new instance in the Instance identifier box, select the required instance type from the Instance class dropdown list, then click Create to launch a new database instance inside the selected cluster. To add more than one instance to the cluster, click Add additional instance button for each instance that you want to create within the cluster.

23 In the left navigation panel, select Clusters.

24 Once your applications have been reconfigured to use the endpoint of the new cluster and validated against it, select the source Amazon DocumentDB cluster (i.e. the cluster encrypted with the AWS-managed key), click the Actions button from the dashboard top menu, then select Delete.

25 Within the Delete <cluster-name> dialog box, perform the following actions:

  1. For Create final cluster snapshot, choose Yes to create a final snapshot before deleting the cluster, or choose No to terminate the cluster without creating a final snapshot. If you select Yes, either accept the name provided by the DocumentDB service for your final snapshot, or provide another name. If you select No, click "I acknowledge that upon cluster deletion, automated backups, including system snapshots and point-in-time recovery, will no longer be available" checkbox to acknowledge your action.
  2. Enter delete entire cluster phrase in the confirmation box, then click Delete to terminate the selected DocumentDB resource.

26 Repeat step no. 14 – 25 to enable data-at-rest encryption using KMS Customer Master Keys for other Amazon DocumentDB clusters available within the current region.

27 Change the AWS region from the navigation bar to repeat the remediation/resolution process for the other regions.

Using AWS CLI

01 Before creating your KMS CMK, you must define a key policy that enables your selected IAM users and/or roles to administer the new KMS Customer Master Key and to encrypt/decrypt DocumentDB cluster data using the AWS KMS API. Create a new policy document called docdb-kms-cmk-policy.json and paste the following content, replacing the example account ID and the IAM user/role ARNs with your own. Keep the first statement: it lets the account root principal (and therefore IAM policies in your account) reach the key, so the key cannot become unmanageable if the named administrators are deleted. The last statement lets the key users create grants only on behalf of AWS services (kms:GrantIsForAWSResource), which is how Amazon DocumentDB obtains access to the key when the encrypted cluster is created:

{
  "Version": "2012-10-17",
  "Id": "docdb-custom-key-policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Grant access to CMK manager",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/AmazonDocDBManager"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow the use of the CMK",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/DocDBAdmin"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/DocDBAdmin"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

02 Run create-key command (OSX/Linux/UNIX) using the file name of the policy document created at the previous step (i.e. docdb-kms-cmk-policy.json) as required command parameter to create the new KMS CMK:

aws kms create-key \
	--region us-east-1 \
	--description 'KMS CMK for encrypting DocumentDB data' \
	--policy file://docdb-kms-cmk-policy.json

03 The command output should return the new KMS CMK metadata. Copy the key ARN (Arn parameter value) and the key ID (KeyId parameter value), as the ARN will be required later when you specify the key for DocumentDB cluster encryption:

{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "aaaabbbb-aaaa-bbbb-cccc-aaaabbbbcccc",
        "Description": "KMS CMK for encrypting DocumentDB data",
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1517236588.270,
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-aaaa-bbbb-cccc-aaaabbbbcccc",
        "AWSAccountId": "123456789012"
    }
}

04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command does not produce an output):

aws kms create-alias \
	--region us-east-1 \
	--alias-name alias/DocDBCustomCMK \
	--target-key-id arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-aaaa-bbbb-cccc-aaaabbbbcccc

05 Run create-db-cluster-snapshot command (OSX/Linux/UNIX) to take a snapshot of the source Amazon DocumentDB cluster (see Audit section part II to identify the right resource):

aws docdb create-db-cluster-snapshot \
	--region us-east-1 \
	--db-cluster-snapshot-identifier cc-project5-cluster-snapshot \
	--db-cluster-identifier cc-project5-cluster

06 The command output should return the new DocumentDB cluster snapshot metadata:

{
    "DBClusterSnapshot": {
        "Engine": "docdb",
        "SnapshotCreateTime": "2019-01-18T10:30:07.864Z",
        "VpcId": "vpc-12341234",
        "DBClusterIdentifier": "cc-project5-cluster",
        "MasterUsername": "ccdocdbuser",
        "Status": "creating",

        ...

        "PercentProgress": 0,
        "DBClusterSnapshotIdentifier": "cc-project5-cluster-snapshot",
        "ClusterCreateTime": "2019-01-17T12:10:07.864Z",
        "StorageEncrypted": true,
        "EngineVersion": "3.6.0",
        "SnapshotType": "manual"
    }
}

07 Run restore-db-cluster-from-snapshot command (OSX/Linux/UNIX) to launch a new Amazon DocumentDB cluster from the snapshot created at the previous step, once that snapshot reports the "available" status. To encrypt the new DocumentDB cluster using your own AWS KMS CMK, provide the Customer Master Key ARN as the value for the --kms-key-id parameter; if the parameter is omitted, the restored cluster keeps the key that encrypts the snapshot (here, the AWS-managed key), so this parameter is what actually changes the key. Add --db-subnet-group-name if the source cluster does not use the default subnet group:

aws docdb restore-db-cluster-from-snapshot \
	--region us-east-1 \
	--db-cluster-identifier cc-project5-cluster-cmk-encrypted \
	--snapshot-identifier cc-project5-cluster-snapshot \
	--engine docdb \
	--port 27017 \
	--vpc-security-group-ids sg-1234abcd \
	--availability-zones us-east-1b us-east-1c \
	--kms-key-id arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-aaaa-bbbb-cccc-aaaabbbbcccc

08 The command output should return the new DocumentDB cluster metadata:

{
    "DBCluster": {
        "HostedZoneId": "ABCDABCDABCDA",
        "Status": "creating",
        "MultiAZ": false,
        "PreferredBackupWindow": "00:00-00:30",
        "DBSubnetGroup": "default",
        "BackupRetentionPeriod": 7,
        "PreferredMaintenanceWindow": "sun:10:04-sun:10:34",
        "Engine": "docdb",
 
        ...
 
        "EngineVersion": "3.6.0",
        "DBClusterIdentifier": "cc-project5-cluster-cmk-encrypted",
        "Port": 27017,
        "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-aaaa-bbbb-cccc-aaaabbbbcccc",
        "StorageEncrypted": true,
        "DBClusterParameterGroup": "default.docdb3.6",
        "DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:cc-project5-cluster-cmk-encrypted"
    }
}

09 Run create-db-instance command (OSX/Linux/UNIX) to create and add a new database instance to the recently created AWS DocumentDB cluster. Run this command for each instance that you want to add to your cluster. The data on the database instances associated with the selected DocumentDB cluster will be encrypted using the AWS KMS Customer Master Key created earlier in the process:

aws docdb create-db-instance \
	--region us-east-1 \
	--db-instance-identifier cc-project5-cluster-instance-1 \
	--db-instance-class db.r4.large \
	--engine docdb \
	--availability-zone us-east-1b \
	--db-cluster-identifier cc-project5-cluster-cmk-encrypted

10 The command output should return the metadata available for the new database instance:

{
    "DBInstance": {
        "Engine": "docdb",
        "AvailabilityZone": "us-east-1b",
        "DBInstanceStatus": "creating",
        "PubliclyAccessible": false,
        "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-aaaa-bbbb-cccc-aaaabbbbcccc",
        "StorageEncrypted": true,
        "AutoMinorVersionUpgrade": true,
        
        ...
        
        "PreferredMaintenanceWindow": "sun:04:35-sun:05:05",
        "EngineVersion": "3.6.0",
        "DBClusterIdentifier": "cc-project5-cluster-cmk-encrypted",
        "DBInstanceClass": "db.r4.large",
        "BackupRetentionPeriod": 7,
        "DBInstanceIdentifier": "cc-project5-cluster-instance-1",
        "PendingModifiedValues": {}
    }
}

11 Once your applications have been repointed to the new cluster endpoint and validated, run delete-db-cluster command (OSX/Linux/UNIX) to terminate the source Amazon DocumentDB cluster, in order to stop incurring charges for the resource. Use --skip-final-snapshot or --no-skip-final-snapshot (together with --final-db-snapshot-identifier) to specify whether a final snapshot is created before the cluster is deleted; for a cluster that held production data, keep a final snapshot. Note that both this final snapshot and the manual snapshot taken at step no. 5 remain encrypted with the AWS-managed key: delete them (delete-db-cluster-snapshot) once the new cluster is validated, or re-encrypt them under the CMK with copy-db-cluster-snapshot --kms-key-id.

aws docdb delete-db-cluster \
	--region us-east-1 \
	--db-cluster-identifier cc-project5-cluster \
	--skip-final-snapshot

12 The command output should return the command request metadata:

{
    "DBCluster": {
        "Status": "deleting",
        "PreferredBackupWindow": "00:00-00:30",
        "DBSubnetGroup": "default",
        "BackupRetentionPeriod": 7,
 
        ...
 
        "PreferredMaintenanceWindow": "sun:10:04-sun:10:34",
        "Engine": "docdb",
        "EngineVersion": "3.6.0",
        "DBClusterIdentifier": "cc-project5-cluster"
    }
} 

13 Repeat steps no. 5 – 12 to enable data-at-rest encryption using the KMS Customer Master Key created at steps no. 1 – 4 (or a dedicated CMK per cluster, created the same way) for other Amazon DocumentDB clusters available in the current region.

14 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 13 to perform the entire process for other regions. KMS keys are regional, so a separate CMK must be created in each region that hosts DocumentDB clusters.
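The remediation procedure above as one script, added here as an example and not Cloud Conformity's or AWS's code. It builds the same four-statement key policy as docdb-kms-cmk-policy.json, checks it for the mistakes that matter most (a missing account-root statement, a wildcard principal, a kms:CreateGrant statement without the kms:GrantIsForAWSResource condition) before create-key is ever called, then snapshots the source cluster, restores it with KmsKeyId set to the CMK, adds one instance and verifies the new cluster's KmsKeyId. The policy functions and the verification are pure and run offline; create_cmk() and reencrypt_cluster() assume boto3 and credentials permitted to perform those actions, and the db.r5.large default instance class is an assumption of this example.

```python
"""Re-encrypt an Amazon DocumentDB cluster under a customer-managed KMS key.

Added example, not Cloud Conformity's or AWS's code.  Policy construction and
the checks are pure functions (tested offline); create_cmk() and
reencrypt_cluster() call AWS and assume boto3 plus suitable credentials.
"""
import json
import time
from typing import Dict, List

DATA_PLANE = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
              "kms:GenerateDataKey*", "kms:DescribeKey"]
ADMIN = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
         "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
         "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"]


def build_key_policy(account_id: str, admins: List[str], users: List[str]) -> Dict:
    """Same four statements as docdb-kms-cmk-policy.json above, parameterised."""
    return {
        "Version": "2012-10-17",
        "Id": "docdb-custom-key-policy",
        "Statement": [
            # Account root keeps access so IAM policies can still grant it and the
            # key cannot become unmanageable if the named admins are removed.
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "Grant access to CMK manager", "Effect": "Allow",
             "Principal": {"AWS": admins}, "Action": ADMIN, "Resource": "*"},
            {"Sid": "Allow the use of the CMK", "Effect": "Allow",
             "Principal": {"AWS": users}, "Action": DATA_PLANE, "Resource": "*"},
            # DocumentDB reaches the key through a grant created with the caller's
            # permissions; the condition limits such grants to AWS service use.
            {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
             "Principal": {"AWS": users},
             "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
             "Resource": "*",
             "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
        ],
    }


def check_key_policy(policy: Dict) -> List[str]:
    """Problems a reviewer would flag before create-key is run (empty list = OK)."""
    problems: List[str] = []
    has_root = False
    for s in policy["Statement"]:
        principal = s.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        aws = [aws] if isinstance(aws, str) else list(aws)
        actions = [s["Action"]] if isinstance(s["Action"], str) else list(s["Action"])
        if any(a.endswith(":root") for a in aws) and "kms:*" in actions:
            has_root = True
        if principal == "*" or "*" in aws:
            problems.append(f"{s['Sid']}: wildcard principal")
        if "kms:CreateGrant" in actions and s.get("Condition", {}).get(
                "Bool", {}).get("kms:GrantIsForAWSResource") != "true":
            problems.append(f"{s['Sid']}: CreateGrant without kms:GrantIsForAWSResource")
    if not has_root:
        problems.append("no account-root statement: key may become unmanageable")
    return problems


def cluster_uses_key(cluster: Dict, key_arn: str) -> bool:
    """Post-restore check: StorageEncrypted and the expected KmsKeyId."""
    return bool(cluster.get("StorageEncrypted")) and cluster.get("KmsKeyId") == key_arn


def create_cmk(region: str, policy: Dict, alias: str) -> str:
    """create-key with the reviewed policy, then create-alias; returns the key ARN."""
    import boto3  # deferred so the offline functions above need no AWS libraries
    problems = check_key_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    kms = boto3.client("kms", region_name=region)
    arn = kms.create_key(Description="KMS CMK for encrypting DocumentDB data",
                         Policy=json.dumps(policy))["KeyMetadata"]["Arn"]
    kms.create_alias(AliasName=f"alias/{alias}", TargetKeyId=arn)
    return arn


def reencrypt_cluster(region: str, source_id: str, target_id: str, key_arn: str,
                      instance_class: str = "db.r5.large", poll_seconds: int = 30) -> Dict:
    """Snapshot the source, restore it under key_arn, add one instance, verify.
    The source is left running: cut applications over to the new endpoint first."""
    import boto3
    docdb = boto3.client("docdb", region_name=region)
    snap_id = f"{source_id}-pre-cmk"
    docdb.create_db_cluster_snapshot(DBClusterSnapshotIdentifier=snap_id,
                                     DBClusterIdentifier=source_id)
    while docdb.describe_db_cluster_snapshots(DBClusterSnapshotIdentifier=snap_id)[
            "DBClusterSnapshots"][0]["Status"] != "available":
        time.sleep(poll_seconds)
    # Without KmsKeyId the restored cluster would keep the snapshot's (aws/rds) key.
    docdb.restore_db_cluster_from_snapshot(DBClusterIdentifier=target_id,
                                           SnapshotIdentifier=snap_id, Engine="docdb",
                                           KmsKeyId=key_arn)
    inst_id = f"{target_id}-1"
    docdb.create_db_instance(DBInstanceIdentifier=inst_id, DBInstanceClass=instance_class,
                             Engine="docdb", DBClusterIdentifier=target_id)
    docdb.get_waiter("db_instance_available").wait(DBInstanceIdentifier=inst_id)
    cluster = docdb.describe_db_clusters(DBClusterIdentifier=target_id)["DBClusters"][0]
    if not cluster_uses_key(cluster, key_arn):
        raise RuntimeError(f"{target_id} is not encrypted with {key_arn}")
    return cluster
```

A typical run is create_cmk() with the policy from build_key_policy(), then reencrypt_cluster() with the returned ARN; the snapshot and the source cluster are deliberately not deleted by the script, since both remain encrypted with the AWS-managed key and should only go once the application has been cut over and validated.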
