
Enable encryption at rest for AWS DocumentDB clusters

Security

Risk level: High (not acceptable risk)

Ensure that encryption is enabled for your AWS DocumentDB (with MongoDB compatibility) clusters for additional data security and in order to meet compliance requirements for data-at-rest encryption. The encrypted data includes your DocumentDB cluster's data, indexes, logs, replicas and snapshots. The DocumentDB service handles data encryption and decryption transparently, with minimal impact on cluster performance.

The encryption feature available for Amazon DocumentDB clusters provides an additional layer of data protection by helping secure your data against unauthorized access to the underlying storage.

Audit

To determine if your AWS DocumentDB clusters have data-at-rest encryption enabled, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to DocumentDB dashboard at https://console.aws.amazon.com/docdb/.

03 In the left navigation panel, select Clusters.

04 Choose the AWS DocumentDB cluster that you want to examine, then click on its name, available in the Cluster identifier column.

05 On the selected cluster configuration page, within the Cluster details section, check the value (status) of the Encryption-at-rest configuration attribute. If the attribute value is set to No, encryption at rest is not enabled for the selected Amazon DocumentDB cluster.

06 Repeat steps no. 4 and 5 to verify whether other AWS DocumentDB clusters, available in the current region, are using encryption at rest.

07 Change the AWS region from the navigation bar and repeat the entire audit process for other regions.

Using AWS CLI

01 Run the describe-db-clusters command (OSX/Linux/UNIX) to list the identifiers (names) of all DocumentDB clusters available in the selected AWS region:

aws docdb describe-db-clusters \
	--region us-east-1 \
	--output table \
	--query 'DBClusters[*].DBClusterIdentifier'

02 The command output should return a table with the requested cluster names:

----------------------
| DescribeDBClusters |
+--------------------+
|  cc-docdb-cluster  |
|  cc-new-mongo-db   |
+--------------------+ 

03 Run the describe-db-clusters command (OSX/Linux/UNIX) again, using the name of the DocumentDB cluster that you want to examine as the identifier and a custom query filter, to return the encryption-at-rest status of the selected cluster:

aws docdb describe-db-clusters \
	--region us-east-1 \
	--db-cluster-identifier cc-docdb-cluster \
	--query 'DBClusters[*].StorageEncrypted'

04 The command output should return the requested feature status (boolean):

[
    false
]

If the describe-db-clusters command output returns false, as shown in the example above, encryption at rest is not enabled for the selected Amazon DocumentDB cluster.

05 Repeat steps no. 3 and 4 to determine whether other AWS DocumentDB clusters, available within the current region, are using encryption at rest for their data.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.
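The CLI audit above (steps 1 to 6) as one Python script. This is an added example, not code from the page or from Cloud Conformity. It shells out to the same aws docdb describe-db-clusters command the page uses and assumes the AWS CLI is installed and credentials are configured; the engine filter it adds (Name=engine,Values=docdb) is the one the AWS CLI reference documents for keeping RDS and Neptune clusters, which this API can also list, out of the result. The decision logic is separated from the CLI call, and SAMPLE_OUTPUT is a constructed response shaped like the page's output, so the check can be exercised offline.

```python
"""Audit Amazon DocumentDB clusters for encryption at rest, per region."""
import json
import subprocess
import sys


def describe_db_clusters(region):
    """Run the page's describe-db-clusters command for one region.

    Requires the AWS CLI and configured credentials. The engine filter keeps
    non-DocumentDB clusters out of the response (see AWS CLI reference).
    """
    cmd = ["aws", "docdb", "describe-db-clusters", "--region", region,
           "--filters", "Name=engine,Values=docdb", "--output", "json"]
    proc = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def find_unencrypted(describe_output):
    """Return [(cluster identifier, reason)] for DocumentDB clusters that fail.

    Step 3/4 of the page's procedure: a cluster fails when StorageEncrypted
    is false (or missing). Non-docdb engines are ignored defensively in case
    the caller did not apply the engine filter.
    """
    findings = []
    for cluster in describe_output.get("DBClusters", []):
        if cluster.get("Engine") != "docdb":
            continue
        if not cluster.get("StorageEncrypted", False):
            findings.append((cluster["DBClusterIdentifier"],
                             "StorageEncrypted is false"))
    return findings


def audit_regions(regions, describe=describe_db_clusters):
    """Step 6 of the page's procedure: repeat the check for every region.

    `describe` is injectable so the logic can run on constructed input.
    """
    return {region: find_unencrypted(describe(region)) for region in regions}


# Constructed sample shaped like the page's describe-db-clusters output;
# the identifiers come from the page, the aurora entry shows the engine filter.
SAMPLE_OUTPUT = {
    "DBClusters": [
        {"DBClusterIdentifier": "cc-docdb-cluster", "Engine": "docdb",
         "StorageEncrypted": False},
        {"DBClusterIdentifier": "cc-new-mongo-db", "Engine": "docdb",
         "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/"
                     "1234abcd-1234-abcd-1234-1234abcd1234"},
        {"DBClusterIdentifier": "constructed-aurora-cluster",
         "Engine": "aurora-mysql", "StorageEncrypted": False},
    ]
}


if __name__ == "__main__":
    # Usage: python audit_docdb_encryption.py us-east-1 us-west-2 ...
    # With no arguments the constructed sample is evaluated instead of AWS.
    regions = sys.argv[1:]
    if regions:
        report = audit_regions(regions)
    else:
        report = audit_regions(["sample"], describe=lambda _r: SAMPLE_OUTPUT)
    for region, findings in report.items():
        for identifier, reason in findings:
            print(f"{region}: {identifier}: {reason}")
        if not findings:
            print(f"{region}: all DocumentDB clusters encrypted at rest")
```

Running it with no arguments reports cc-docdb-cluster as unencrypted from the constructed sample; with region names it audits the real account, one describe call per region.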

Remediation / Resolution

To enable data-at-rest encryption for your existing Amazon DocumentDB clusters, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to DocumentDB dashboard at https://console.aws.amazon.com/docdb/

03 In the left navigation panel, select Clusters.

04 Select the AWS DocumentDB cluster that you want to encrypt (see Audit section part I to identify the right resource).

05 Click the Actions button from the dashboard top menu and select Take snapshot option.

06 On the Create cluster snapshot page, provide a name for your cluster snapshot in the Snapshot identifier box, then click Create to take the snapshot.

07 In the left navigation panel, select Snapshots.

08 Select the cluster snapshot created earlier, click the Actions button from the dashboard top menu and select Restore.

09 On the Restore snapshot page, perform the following:

  1. Provide a unique name for your new DocumentDB cluster in the Cluster identifier box.
  2. Click Show advanced settings button to expand the panel with the cluster advanced settings.
  3. Within Encryption-at-rest section, select Enable encryption radio button to enable the feature, and choose the appropriate AWS KMS key from the Master key dropdown list.
  4. Make sure that the rest of the configuration settings, available on the page, reflect the source cluster settings, then click Restore cluster to create your new (encrypted) DocumentDB cluster.

10 Go back to the navigation panel and select Instances.

11 Click the Actions button from the dashboard top menu and select Add instances to add instances to your new DocumentDB cluster.

12 On the Add instances to: <cluster-name> page, provide a name for the new instance in the Instance identifier box, select the necessary instance type from the Instance class dropdown list, then click Create to provision a new database instance inside the selected cluster. To add more than one instance to the cluster, click Add additional instance button for each instance that you want to launch within the cluster (up to 16).

13 In the left navigation panel, select Clusters.

14 Select the source (unencrypted) Amazon DocumentDB cluster, click the Actions button from the dashboard top menu, then select Delete.

15 Within the Delete <cluster-name> dialog box, perform the following actions:

  1. For Create final cluster snapshot, choose Yes to create a final snapshot before deleting the cluster, or choose No to terminate the cluster without creating a final snapshot. If you select Yes, either accept the name provided by the DocumentDB service for your final snapshot, or provide another one. If you select No, click "I acknowledge that upon cluster deletion, automated backups, including system snapshots and point-in-time recovery, will no longer be available" checkbox to acknowledge your action.
  2. Enter delete entire cluster phrase in the confirmation box, then click Delete to terminate the selected DocumentDB resource.

16 Repeat steps no. 4 – 15 for each Amazon DocumentDB cluster, available in the selected AWS region, for which you want to enable encryption.

17 Change the AWS region from the navigation bar to repeat the remediation/resolution process for the other regions.

Using AWS CLI

01 Run the create-db-cluster-snapshot command (OSX/Linux/UNIX) to take a snapshot of the source (unencrypted) Amazon DocumentDB cluster (see Audit section part II to identify the right resource):

aws docdb create-db-cluster-snapshot \
	--region us-east-1 \
	--db-cluster-snapshot-identifier cc-docdb-cluster-snapshot \
	--db-cluster-identifier cc-docdb-cluster

02 The command output should return the new DocumentDB cluster snapshot metadata:

{
    "DBClusterSnapshot": {
        "Engine": "docdb",
        "SnapshotCreateTime": "2019-01-17T16:57:07.864Z",
        "VpcId": "vpc-abcdabcd",
        "DBClusterIdentifier": "cc-docdb-cluster",
        "MasterUsername": "ccdocdbuser",
        "Status": "creating",
 
        ...
 
        "PercentProgress": 0,
        "DBClusterSnapshotIdentifier": "cc-docdb-cluster-snapshot",
        "ClusterCreateTime": "2019-01-17T16:36:23.433Z",
        "StorageEncrypted": false,
        "EngineVersion": "3.6.0",
        "SnapshotType": "manual"
    }
}

03 Run the restore-db-cluster-from-snapshot command (OSX/Linux/UNIX) to launch a new Amazon DocumentDB cluster from the snapshot created at the previous step. To enable encryption at rest for the new DocumentDB cluster, specify the appropriate KMS key ARN as the value for the --kms-key-id parameter:

aws docdb restore-db-cluster-from-snapshot \
	--region us-east-1 \
	--db-cluster-identifier cc-docdb-cluster-encrypted \
	--snapshot-identifier cc-docdb-cluster-snapshot \
	--engine docdb \
	--port 27017 \
	--vpc-security-group-ids sg-abcdabcd \
	--availability-zones us-east-1a us-east-1b \
	--kms-key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-1234abcd1234

04 The command output should return the new DocumentDB cluster metadata:

{
    "DBCluster": {
        "MasterUsername": "ccdocdbuser",
        "HostedZoneId": "ABCDABCDABCDA",
        "Status": "creating",
        "MultiAZ": false,
        "PreferredBackupWindow": "00:00-00:30",
        "DBSubnetGroup": "default",
        "BackupRetentionPeriod": 7,
        "PreferredMaintenanceWindow": "sun:10:04-sun:10:34",
        "Engine": "docdb",
 
        ...
 
        "ClusterCreateTime": "2019-01-17T16:36:23.433Z",
        "EngineVersion": "3.6.0",
        "DBClusterIdentifier": "cc-docdb-cluster-encrypted",
        "DBClusterMembers": [],
        "Port": 27017,
        "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-1234abcd1234",
        "StorageEncrypted": true,
        "DBClusterParameterGroup": "default.docdb3.6",
        "DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:cc-docdb-cluster-encrypted"
    }
}

05 Run the create-db-instance command (OSX/Linux/UNIX) to provision a new database instance and add it to the recently created AWS DocumentDB cluster. Execute this command once for each instance that you want to add to your cluster. All the database instances associated with the selected DocumentDB cluster will have encryption at rest enabled:

aws docdb create-db-instance \
	--region us-east-1 \
	--db-instance-identifier cc-docdb-cluster-instance-1 \
	--db-instance-class db.r4.large \
	--engine docdb \
	--availability-zone us-east-1a \
	--db-cluster-identifier cc-docdb-cluster-encrypted

06 The command output should return the metadata available for the new database instance:

{
    "DBInstance": {
        "Engine": "docdb",
        "AvailabilityZone": "us-east-1a",
        "DBInstanceStatus": "creating",
        "PubliclyAccessible": false,
        "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-1234abcd1234",
        "StorageEncrypted": true,
        "AutoMinorVersionUpgrade": true,
        
        ...
        
        "PreferredMaintenanceWindow": "sun:04:35-sun:05:05",
        "EngineVersion": "3.6.0",
        "DBClusterIdentifier": "cc-docdb-cluster-encrypted",
        "DBInstanceClass": "db.r4.large",
        "BackupRetentionPeriod": 5,
        "DBInstanceIdentifier": "cc-docdb-cluster-instance-1",
        "PendingModifiedValues": {}
    }
}

07 Run the delete-db-cluster command (OSX/Linux/UNIX) to terminate the source (unencrypted) Amazon DocumentDB cluster, in order to stop incurring charges for the resource. Use the --skip-final-snapshot or --no-skip-final-snapshot parameter to specify whether a final snapshot is created before the AWS DocumentDB cluster is deleted:

aws docdb delete-db-cluster \
	--region us-east-1 \
	--db-cluster-identifier cc-docdb-cluster \
	--skip-final-snapshot

08 The command output should return the command request metadata:

{
    "DBCluster": {
        "MasterUsername": "ccdocdbuser",
        "Status": "deleting",
        "LatestRestorableTime": "2019-01-17T16:27:38.543Z",
        "PreferredBackupWindow": "00:00-00:30",
        "DBSubnetGroup": "default",
        "BackupRetentionPeriod": 7,
 
        ...
 
        "PreferredMaintenanceWindow": "sun:10:04-sun:10:34",
        "Engine": "docdb",
        "ClusterCreateTime": "2019-01-17T16:14:43.111Z",
        "EngineVersion": "3.6.0",
        "DBClusterIdentifier": "cc-docdb-cluster"
    }
} 

09 Repeat steps no. 1 – 8 for each Amazon DocumentDB cluster, available within the selected AWS region, for which you want to enable encryption.

10 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 9 to perform the entire process for other regions.
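The CLI remediation above (steps 1 to 8) carried out as one Python script. This is an added example, not code from the page or from Cloud Conformity. It shells out to the same aws docdb commands the page uses and assumes the AWS CLI is installed and credentials are configured; the run callable is injectable, and fake_runner is a constructed stand-in so the sequencing can be checked without an AWS account. Beyond the page's steps it polls the snapshot and the restored cluster until their Status is available (the page's own outputs show the resources still in the creating state when each command returns), and it refuses to delete the unencrypted source unless the restored cluster reports StorageEncrypted true with the requested KMS key. The restore call passes only the parameters needed for encryption; in practice add the port, security groups, subnet group and parameter group that match the source cluster, as the page's step 3 shows.

```python
"""Snapshot -> restore encrypted -> add instance -> delete source, with gates."""
import json
import subprocess
import time


def run_aws(args):
    """Execute `aws <args>` and return its parsed JSON output (real path)."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def wait_for(run, args, path, wanted, poll_seconds, max_polls=240):
    """Poll a describe-* command until the value at `path` equals `wanted`."""
    for _ in range(max_polls):
        data = run(args)
        value = data
        for key in path:
            value = value[key]
        if value == wanted:
            return data
        time.sleep(poll_seconds)
    raise TimeoutError(f"{args[1]} did not reach status {wanted!r}")


def migrate_to_encrypted(source_id, target_id, kms_key_arn, region,
                         instance_class="db.r4.large", run=run_aws,
                         poll_seconds=30):
    """Page steps 1, 3, 5 and 7 in order, with status waits and a safety gate.

    Returns the restored cluster's describe-db-clusters record.
    """
    loc = ["--region", region]
    snap_id = f"{source_id}-snapshot"
    # Step 1: snapshot the unencrypted source cluster.
    run(["docdb", "create-db-cluster-snapshot", *loc,
         "--db-cluster-snapshot-identifier", snap_id,
         "--db-cluster-identifier", source_id])
    wait_for(run, ["docdb", "describe-db-cluster-snapshots", *loc,
                   "--db-cluster-snapshot-identifier", snap_id],
             ["DBClusterSnapshots", 0, "Status"], "available", poll_seconds)
    # Step 3: restore; --kms-key-id makes the new cluster encrypted at rest.
    run(["docdb", "restore-db-cluster-from-snapshot", *loc,
         "--db-cluster-identifier", target_id,
         "--snapshot-identifier", snap_id, "--engine", "docdb",
         "--kms-key-id", kms_key_arn])
    cluster = wait_for(run, ["docdb", "describe-db-clusters", *loc,
                             "--db-cluster-identifier", target_id],
                       ["DBClusters", 0, "Status"], "available",
                       poll_seconds)["DBClusters"][0]
    # Gate: the source is only deleted once the replacement is verifiably
    # encrypted with the intended key.
    if (not cluster.get("StorageEncrypted")
            or cluster.get("KmsKeyId") != kms_key_arn):
        raise RuntimeError(f"{target_id} is not encrypted with {kms_key_arn};"
                           " source cluster left in place")
    # Step 5: add one instance (repeat for more, up to the page's limit of 16).
    run(["docdb", "create-db-instance", *loc,
         "--db-instance-identifier", f"{target_id}-instance-1",
         "--db-instance-class", instance_class, "--engine", "docdb",
         "--db-cluster-identifier", target_id])
    # Step 7: delete the source, keeping a final snapshot as a rollback point.
    run(["docdb", "delete-db-cluster", *loc,
         "--db-cluster-identifier", source_id, "--no-skip-final-snapshot",
         "--final-db-snapshot-identifier", f"{source_id}-final"])
    return cluster


def fake_runner(encrypted, kms_key_arn):
    """Constructed stand-in for run_aws: records the sub-command of every call
    and answers describe calls with an 'available' resource."""
    calls = []

    def run(args):
        calls.append(args[1])
        if args[1] == "describe-db-cluster-snapshots":
            return {"DBClusterSnapshots": [{"Status": "available"}]}
        if args[1] == "describe-db-clusters":
            return {"DBClusters": [{"Status": "available",
                                    "StorageEncrypted": encrypted,
                                    "KmsKeyId": kms_key_arn}]}
        return {}
    return run, calls


# Key ARN and identifiers taken from the page's own examples.
KEY = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-1234abcd1234"

if __name__ == "__main__":
    # Dry run against the fake; drop run=/poll_seconds= to use the real CLI.
    run, calls = fake_runner(True, KEY)
    migrate_to_encrypted("cc-docdb-cluster", "cc-docdb-cluster-encrypted",
                         KEY, "us-east-1", run=run, poll_seconds=0)
    print(" -> ".join(calls))
```

The dry run prints the six sub-commands in the order they would be issued; if the fake reports the restored cluster as unencrypted, the script raises before delete-db-cluster is ever reached.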
