
DocumentDB Clusters Encrypted with KMS CMKs

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: DocumentDB-003

Ensure that your Amazon DocumentDB database clusters are encrypted at rest with KMS Customer Managed Keys (CMKs) instead of AWS managed keys (the default key that Amazon DocumentDB uses when no customer managed key is specified) in order to have more granular control over your cluster data encryption/decryption process: who can use the key, when it is rotated, and whether it can be disabled.

This rule can help you with the following compliance standards:

  • GDPR
  • APRA
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When you define and use your own Amazon KMS Customer Managed Keys (CMKs) to protect your DocumentDB data, you gain full control over who can use these keys to access the cluster data (including the cluster indexes, logs, replicas, and snapshots). The Amazon KMS service allows you to create, rotate, disable, and audit CMKs for your DocumentDB clusters.


Audit

To determine the encryption status and configuration for your Amazon DocumentDB database clusters, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon DocumentDB console at https://console.aws.amazon.com/docdb.

03 In the main navigation panel, under Amazon DocumentDB, choose Clusters.

04 Click on the name (link) of the database cluster that you want to examine.

05 Select the Configuration tab to access the cluster configuration panel.

06 In the Cluster details section, under Security and network, check the Encryption-at-rest attribute value. If the attribute value is set to No, the encryption at rest is not enabled for the selected DocumentDB cluster. If Encryption-at-rest is set to Yes, copy the KMS key attribute value (i.e. key ARN).

07 Navigate to Amazon KMS console at https://console.aws.amazon.com/kms/.

08 In the main navigation panel, under Key Management Service (KMS), select AWS managed keys.

09 Paste the KMS key ARN copied at step no. 6 into the Filter keys by properties or tags box and press Enter. If the Amazon KMS console returns a key entry with the alias (name) set to aws/rds (the default key that Amazon DocumentDB shares with Amazon RDS), the data on the selected Amazon DocumentDB database cluster is encrypted using the default AWS-managed key instead of a Customer Managed Key (CMK). If no entry is returned on this page, the key is a CMK and is listed under Customer managed keys instead.

10 Repeat steps no. 4 – 9 for each DocumentDB database cluster available within the current AWS region.

11 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-db-clusters command (OSX/Linux/UNIX) to list the names of all Amazon DocumentDB database clusters available within the selected AWS region. The engine filter keeps out the Amazon Aurora and Neptune clusters that are returned by the same API:

aws docdb describe-db-clusters \
  --region us-east-1 \
  --filters Name=engine,Values=docdb \
  --output table \
  --query 'DBClusters[*].DBClusterIdentifier'

02 The command output should return a table with the requested database cluster names:

---------------------------
|   DescribeDBClusters    |
+-------------------------+
|  cc-prod-docdb-cluster  |
|  cc-test-docdb-cluster  |
+-------------------------+

03 Run describe-db-clusters command (OSX/Linux/UNIX) using the name of the DocumentDB database cluster that you want to examine as identifier parameter and custom query filters to describe the ARN of the KMS key used to encrypt the data on the selected cluster:

aws docdb describe-db-clusters \
  --region us-east-1 \
  --db-cluster-identifier cc-prod-docdb-cluster \
  --query 'DBClusters[*].KmsKeyId'

04 The command output should return the requested key ARN, or an empty array (i.e. []) if the cluster has no KMS key at all, which means that encryption at rest is not enabled (it can only be enabled when a cluster is created):

[
    "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd"
]

05 Run describe-key command (OSX/Linux/UNIX) using the ARN of the key returned at the previous step as the identifier parameter to describe the manager of the specified KMS key:

aws kms describe-key \
  --region us-east-1 \
  --key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd \
  --query 'KeyMetadata.KeyManager'

06 The command output should return the key manager ("AWS" if the key is AWS-managed, "CUSTOMER" if the key is customer-managed):

"AWS"

If the describe-key command output returns "AWS", as shown in the example above, the data on the selected Amazon DocumentDB database cluster is encrypted at rest using the default master key (AWS-managed key) instead of a Customer Managed Key (CMK).

07 Repeat steps no. 3 – 6 for each DocumentDB database cluster available in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
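The CLI audit above can be scripted for every cluster in every region at once. The following Python (boto3) script is an added example, not Conformity's own tooling; the API responses at the bottom are constructed so that it runs offline, and the live run in main() assumes the default credential chain. Beyond the manual procedure it flags two cases a practitioner wants to see separately: a customer managed key that is disabled or pending deletion (the cluster passes the rule but will become unreadable), and a key the caller cannot describe at all (typically a CMK in another account).

```python
"""
Added example for this page (not Conformity's own code): the CLI audit above,
scripted for every DocumentDB cluster in every region, with the decision
logic in a pure function so it can be checked against constructed API
responses offline.
"""


def evaluate_cluster(cluster: dict, key_meta) -> str:
    """Classify one element of DescribeDBClusters['DBClusters'].

    key_meta is DescribeKey['KeyMetadata'] for cluster['KmsKeyId'], or None
    when the key could not be described (typically a key in another account
    on which the caller lacks kms:DescribeKey).
    """
    if not cluster.get("StorageEncrypted") or not cluster.get("KmsKeyId"):
        return "NOT_ENCRYPTED"          # no key at all: worse than the rule's own finding
    if key_meta is None:
        return "KEY_UNKNOWN"            # cannot prove who manages the key
    if key_meta.get("KeyManager") == "AWS":
        return "AWS_MANAGED_KEY"        # the aws/rds default key: the rule's failing case
    if key_meta.get("KeyState") != "Enabled":
        return "CMK_UNUSABLE"           # disabled / PendingDeletion CMK: data becomes unreadable
    return "CMK_OK"


def audit_region(docdb, kms) -> list:
    """(cluster identifier, status) for every DocumentDB cluster visible to the clients.

    docdb and kms are boto3 clients, or any objects exposing the same two
    methods, which is what lets the function run against the fakes below.
    """
    findings = []
    # DocumentDB shares its API with RDS/Neptune; the engine filter keeps Aurora
    # and Neptune clusters out of the listing.
    pages = docdb.get_paginator("describe_db_clusters").paginate(
        Filters=[{"Name": "engine", "Values": ["docdb"]}])
    for page in pages:
        for cluster in page["DBClusters"]:
            key_meta = None
            if cluster.get("KmsKeyId"):
                try:
                    key_meta = kms.describe_key(KeyId=cluster["KmsKeyId"])["KeyMetadata"]
                except Exception:       # AccessDenied / NotFound on a foreign key
                    key_meta = None
            findings.append((cluster["DBClusterIdentifier"], evaluate_cluster(cluster, key_meta)))
    return findings


# --- constructed sample API responses (not real AWS output) -------------------
_AWS_KEY = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd"
_CMK = "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
_DYING_CMK = "arn:aws:kms:us-east-1:123456789012:key/0000aaaa-0000-aaaa-0000-aaaa0000aaaa"
_FOREIGN_KEY = "arn:aws:kms:us-east-1:999999999999:key/ffffffff-ffff-ffff-ffff-ffffffffffff"

SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "cc-prod-docdb-cluster", "StorageEncrypted": True, "KmsKeyId": _AWS_KEY},
    {"DBClusterIdentifier": "cc-test-docdb-cluster", "StorageEncrypted": False},
    {"DBClusterIdentifier": "cc-dev-docdb-cluster", "StorageEncrypted": True, "KmsKeyId": _CMK},
    {"DBClusterIdentifier": "cc-old-docdb-cluster", "StorageEncrypted": True, "KmsKeyId": _DYING_CMK},
    {"DBClusterIdentifier": "cc-shared-docdb-cluster", "StorageEncrypted": True, "KmsKeyId": _FOREIGN_KEY},
]
SAMPLE_KEYS = {
    _AWS_KEY: {"KeyManager": "AWS", "KeyState": "Enabled"},
    _CMK: {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    _DYING_CMK: {"KeyManager": "CUSTOMER", "KeyState": "PendingDeletion"},
}


class _FakeDocDB:
    class _Paginator:
        def paginate(self, **_):
            yield {"DBClusters": SAMPLE_CLUSTERS}

    def get_paginator(self, name):
        return self._Paginator()


class _FakeKMS:
    def describe_key(self, KeyId):
        if KeyId not in SAMPLE_KEYS:            # foreign-account key: no kms:DescribeKey
            raise PermissionError("AccessDeniedException")
        return {"KeyMetadata": SAMPLE_KEYS[KeyId]}


def demo() -> dict:
    """Run the audit against the constructed responses above."""
    return dict(audit_region(_FakeDocDB(), _FakeKMS()))


def main():
    """Live run across every region that offers DocumentDB."""
    import boto3                            # imported here so the module loads without boto3
    session = boto3.Session()
    for region in session.get_available_regions("docdb"):
        findings = audit_region(session.client("docdb", region_name=region),
                                session.client("kms", region_name=region))
        for cluster_id, status in findings:
            print(f"{region}\t{cluster_id}\t{status}")


if __name__ == "__main__":
    main()
```

Only AWS_MANAGED_KEY is what this rule reports; the other three non-OK statuses are stricter findings that the same two API calls give you for free.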

Remediation / Resolution

To encrypt an existing Amazon DocumentDB database cluster with your own KMS Customer Managed Key (CMK), you must re-create the cluster with the necessary encryption configuration: encryption at rest and the KMS key are fixed when a cluster is created and cannot be changed on a running cluster. To create a new CMK, set up the new DocumentDB cluster, and enable custom encryption, perform the following operations. Note that the snapshot identifier referenced by the templates below must already exist, and that master credentials should not be hardcoded in templates or configuration files (use NoEcho parameters, Secrets Manager references, or Terraform variables instead):

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"KMSKEY": {
			"Type": "AWS::KMS::Key",
			"Properties": {
				"Enabled": true,
				"KeySpec": "SYMMETRIC_DEFAULT",
				"KeyUsage": "ENCRYPT_DECRYPT",
				"Description": "Symmetric Amazon KMS Customer Master Key",
				"EnableKeyRotation": true,
				"KeyPolicy": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Sid": "Enable IAM User Permissions",
							"Effect": "Allow",
							"Principal": {
								"AWS": "arn:aws:iam::123456789012:root"
							},
							"Action": "kms:*",
							"Resource": "*"
						},
						{
							"Sid": "Allow access for Key Administrators",
							"Effect": "Allow",
							"Principal": {
								"AWS": "arn:aws:iam::123456789012:user/kms-key-admin"
							},
							"Action": [
								"kms:Create*",
								"kms:Describe*",
								"kms:Enable*",
								"kms:List*",
								"kms:Put*",
								"kms:Update*",
								"kms:Revoke*",
								"kms:Disable*",
								"kms:Get*",
								"kms:Delete*",
								"kms:TagResource",
								"kms:UntagResource",
								"kms:ScheduleKeyDeletion",
								"kms:CancelKeyDeletion"
							],
							"Resource": "*"
						},
						{
							"Sid": "Allow use of the key",
							"Effect": "Allow",
							"Principal": {
								"AWS": [
									"arn:aws:iam::123456789012:user/cloud-resource-manager"
								]
							},
							"Action": [
								"kms:Encrypt",
								"kms:Decrypt",
								"kms:ReEncrypt*",
								"kms:GenerateDataKey*",
								"kms:DescribeKey"
							],
							"Resource": "*"
						},
						{
							"Sid": "Allow attachment of persistent resources",
							"Effect": "Allow",
							"Principal": {
								"AWS": [
									"arn:aws:iam::123456789012:user/cloud-resource-manager"
								]
							},
							"Action": [
								"kms:CreateGrant",
								"kms:ListGrants",
								"kms:RevokeGrant"
							],
							"Resource": "*",
							"Condition": {
								"Bool": {
									"kms:GrantIsForAWSResource": "true"
								}
							}
						}
					]
				}
			}
		},
		"KMSKEYAlias": {
			"Type": "AWS::KMS::Alias",
			"Properties": {
				"AliasName": "alias/DocDBDataCMK",
				"TargetKeyId": {
					"Ref": "KMSKEY"
				}
			}
		},
		"DocumentDBCluster": {
			"Type": "AWS::DocDB::DBCluster",
			"Properties": {
				"DBClusterIdentifier": "cc-prod-docdb-cluster",
				"DBClusterParameterGroupName": "default.docdb3.6",
				"DBSubnetGroupName": "default",
				"Port": "27017",
				"MasterUsername": "[docdb-master-username]",
				"MasterUserPassword": "[docdb-master-password]",
				"PreferredBackupWindow": "07:30-08:30",
				"PreferredMaintenanceWindow": "sat:04:00-sat:05:00",
				"SnapshotIdentifier": "cc-prod-cluster-snapshot",
				"BackupRetentionPeriod": 7,
				"StorageEncrypted": true,
				"KmsKeyId": {
					"Ref": "KMSKEY"
				}
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  KMSKEY:
    Type: AWS::KMS::Key
    Properties:
      Enabled: true
      KeySpec: SYMMETRIC_DEFAULT
      KeyUsage: ENCRYPT_DECRYPT
      Description: Symmetric Amazon KMS Customer Master Key
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::123456789012:root
            Action: kms:*
            Resource: '*'
          - Sid: Allow access for Key Administrators
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::123456789012:user/kms-key-admin
            Action:
              - kms:Create*
              - kms:Describe*
              - kms:Enable*
              - kms:List*
              - kms:Put*
              - kms:Update*
              - kms:Revoke*
              - kms:Disable*
              - kms:Get*
              - kms:Delete*
              - kms:TagResource
              - kms:UntagResource
              - kms:ScheduleKeyDeletion
              - kms:CancelKeyDeletion
            Resource: '*'
          - Sid: Allow use of the key
            Effect: Allow
            Principal:
              AWS:
                - arn:aws:iam::123456789012:user/cloud-resource-manager
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: '*'
          - Sid: Allow attachment of persistent resources
            Effect: Allow
            Principal:
              AWS:
                - arn:aws:iam::123456789012:user/cloud-resource-manager
            Action:
              - kms:CreateGrant
              - kms:ListGrants
              - kms:RevokeGrant
            Resource: '*'
            Condition:
              Bool:
                kms:GrantIsForAWSResource: 'true'
  KMSKEYAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/DocDBDataCMK
      TargetKeyId: !Ref KMSKEY
  DocumentDBCluster:
    Type: AWS::DocDB::DBCluster
    Properties:
      DBClusterIdentifier: cc-prod-docdb-cluster
      DBClusterParameterGroupName: default.docdb3.6
      DBSubnetGroupName: default
      Port: '27017'
      MasterUsername: '[docdb-master-username]'
      MasterUserPassword: '[docdb-master-password]'
      PreferredBackupWindow: '07:30-08:30'
      PreferredMaintenanceWindow: sat:04:00-sat:05:00
      SnapshotIdentifier: cc-prod-cluster-snapshot
      BackupRetentionPeriod: 7
      StorageEncrypted: true
      KmsKeyId: !Ref KMSKEY

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_kms_key" "kms-key" {
	is_enabled               = true
	customer_master_key_spec = "SYMMETRIC_DEFAULT"
	key_usage                = "ENCRYPT_DECRYPT"
	description              = "KMS Customer Master Key (CMK)"
	# Annual automatic rotation, matching EnableKeyRotation in the CloudFormation templates above.
	enable_key_rotation      = true
	# Indented heredoc (<<-) so the policy body can keep the surrounding indentation.
	policy = <<-EOF
	{
		"Version": "2012-10-17",
		"Statement": [
			{
				"Sid": "Enable IAM User Permissions",
				"Effect": "Allow",
				"Principal": {
					"AWS": "arn:aws:iam::123456789012:root"
				},
				"Action": "kms:*",
				"Resource": "*"
			},
			{
				"Sid": "Allow access for Key Administrators",
				"Effect": "Allow",
				"Principal": {
					"AWS": "arn:aws:iam::123456789012:user/kms-key-admin"
				},
				"Action": [
					"kms:Create*",
					"kms:Describe*",
					"kms:Enable*",
					"kms:List*",
					"kms:Put*",
					"kms:Update*",
					"kms:Revoke*",
					"kms:Disable*",
					"kms:Get*",
					"kms:Delete*",
					"kms:TagResource",
					"kms:UntagResource",
					"kms:ScheduleKeyDeletion",
					"kms:CancelKeyDeletion"
				],
				"Resource": "*"
			},
			{
				"Sid": "Allow use of the key",
				"Effect": "Allow",
				"Principal": {
					"AWS": [
						"arn:aws:iam::123456789012:user/cloud-resource-manager"
					]
				},
				"Action": [
					"kms:Encrypt",
					"kms:Decrypt",
					"kms:ReEncrypt*",
					"kms:GenerateDataKey*",
					"kms:DescribeKey"
				],
				"Resource": "*"
			},
			{
				"Sid": "Allow attachment of persistent resources",
				"Effect": "Allow",
				"Principal": {
					"AWS": [
						"arn:aws:iam::123456789012:user/cloud-resource-manager"
					]
				},
				"Action": [
					"kms:CreateGrant",
					"kms:ListGrants",
					"kms:RevokeGrant"
				],
				"Resource": "*",
				"Condition": {
					"Bool": {
						"kms:GrantIsForAWSResource": "true"
					}
				}
			}
		]
	}
	EOF
}

resource "aws_kms_alias" "kms-key-alias" {
	target_key_id = aws_kms_key.kms-key.key_id
	name          = "alias/DocDBDataCMK"
}

resource "aws_docdb_cluster" "documentdb-cluster" {
	cluster_identifier              = "cc-prod-docdb-cluster"
	engine                          = "docdb"
	db_cluster_parameter_group_name = "default.docdb3.6"
	db_subnet_group_name            = "default"
	port                            = 27017
	# Placeholders: supply these from variables or Secrets Manager, never as literals in version control.
	master_username                 = "[docdb-master-username]"
	master_password                 = "[docdb-master-password]"
	backup_retention_period         = 7
	preferred_backup_window         = "07:30-08:30"
	preferred_maintenance_window    = "sat:04:00-sat:05:00"
	storage_encrypted               = true
	kms_key_id                      = aws_kms_key.kms-key.arn
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon KMS console at https://console.aws.amazon.com/kms/.

03 In the main navigation panel, under Key Management Service (KMS), select Customer managed keys.

04 Choose the Create Key button from the console top menu to initiate the CMK setup process.

05 For Step 1 Configure key, perform the following actions:

  1. Choose Symmetric from the Key type section. A symmetric key is a single encryption key that can be used for both encrypt and decrypt operations.
  2. Under Advanced options, for Key material origin, select KMS as the source of the key material within the CMK.
  3. Under Advanced options, for Regionality, select whether to allow the new key to be replicated into other AWS regions.
  4. Choose Next to continue.

06 For Step 2 Add labels, type a unique name (alias) for your new managed key in the Alias box and provide a short description for the key in the Description - optional box. (Optional) Use the Add tag button to create tags in order to categorize and identify your CMK. Choose Next to continue the setup process.

07 For Step 3 Define key administrative permissions, choose which IAM users and/or roles can administer your new CMK from the Key administrators section. You may need to add additional permissions for the users or roles to administer the key from the AWS console. For Key deletion, select Allow key administrators to delete this key. Choose Next to continue.

08 For Step 4 Define key usage permissions, within This account section, select which IAM users and/or roles can use the new Customer Master Key for cryptographic operations. (Optional) In the Other AWS accounts section, choose Add another AWS account and enter an external AWS account ID in order to specify the external AWS account that can use the new key to encrypt and decrypt your Amazon DocumentDB data. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users. Choose Next to continue.

09 For Step 5 Review, review the policy available in the Key policy section, then choose Finish to create your new Customer Master Key (CMK). Once the key is successfully created, the Amazon KMS console will display the following confirmation message: "Success. Your customer master key was created with alias <key-alias> and key ID <key-id>".

10 Navigate to Amazon DocumentDB console at https://console.aws.amazon.com/docdb.

11 In the main navigation panel, under Amazon DocumentDB, choose Clusters.

12 Select the database cluster that you want to re-create, choose Actions, and select Take snapshot.

13 For Create cluster snapshot, provide a unique name for your cluster snapshot in the Snapshot identifier box, then choose Create to take the cluster snapshot.

14 Select the newly created DocumentDB cluster snapshot, choose Actions, and select Restore.

15 On the Restore snapshot setup page, perform the following operations:

  1. Choose Show advanced settings, select Enable encryption for Encryption-at-rest, and choose your new KMS Customer Master Key (CMK) from the Master key dropdown list.
  2. Configure all the required cluster settings based on your application requirements, then choose Restore cluster to deploy your new Amazon DocumentDB database cluster.

16 (Optional) To delete the source DocumentDB database cluster in order to prevent additional charges on your AWS bill, perform the following actions:

  1. Select the unneeded database cluster that you want to delete, choose Actions, and select Delete.
  2. In the confirmation window, choose Yes for Create final cluster snapshot?, provide a name for the cluster snapshot in the Final snapshot name box, type delete entire cluster into the required field to confirm the resource deletion, then choose Delete to remove the database cluster from your AWS account.

17 Repeat steps no. 12 – 16 for each DocumentDB database cluster that you want to encrypt with a Customer Master Key, available within the current AWS region.

18 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Define the policy that enables the selected IAM users and/or roles to manage your new Customer Managed Key (CMK), and to encrypt/decrypt your DocumentDB cluster data using the KMS API. Create a new policy document (JSON format), name the file docdb-data-cmk-policy.json, and paste the following content (replace the highlighted details, i.e. the ARNs for the IAM users and/or roles, with your own details):

{
	"Id": "protected-cmk-policy",
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Enable IAM User Permissions",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<aws-account-id>:root"
			},
			"Action": "kms:*",
			"Resource": "*"
		},
		{
			"Sid": "Allow access for Key Administrators",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
			},
			"Action": [
				"kms:Create*",
				"kms:Describe*",
				"kms:Enable*",
				"kms:List*",
				"kms:Put*",
				"kms:Update*",
				"kms:Revoke*",
				"kms:Disable*",
				"kms:Get*",
				"kms:Delete*",
				"kms:TagResource",
				"kms:UntagResource",
				"kms:ScheduleKeyDeletion",
				"kms:CancelKeyDeletion"
			],
			"Resource": "*"
		},
		{
			"Sid": "Allow use of the key",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
			},
			"Action": [
				"kms:Encrypt",
				"kms:Decrypt",
				"kms:ReEncrypt*",
				"kms:GenerateDataKey*",
				"kms:DescribeKey"
			],
			"Resource": "*"
		},
		{
			"Sid": "Allow attachment of persistent resources",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
			},
			"Action": [
				"kms:CreateGrant",
				"kms:ListGrants",
				"kms:RevokeGrant"
			],
			"Resource": "*",
			"Condition": {
				"Bool": {
					"kms:GrantIsForAWSResource": "true"
				}
			}
		}
	]
}

02 Run create-key command (OSX/Linux/UNIX) using the policy document created at the previous step (i.e. docdb-data-cmk-policy.json) as value for the --policy parameter, to create your new Customer Managed Key (CMK). Automatic key rotation is not part of create-key; enable it afterwards with the enable-key-rotation command on the returned key ARN:

aws kms create-key \
  --region us-east-1 \
  --description 'Customer Managed Key for DocumentDB Data Encryption' \
  --policy file://docdb-data-cmk-policy.json \
  --query 'KeyMetadata.Arn'

03 The command output should return the ARN of the new Customer Master Key (CMK):

"arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"

04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command should not produce an output):

aws kms create-alias \
  --region us-east-1 \
  --alias-name alias/DocDBDataCMK \
  --target-key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234

05 Run create-db-cluster-snapshot command (OSX/Linux/UNIX) to take a snapshot of the source Amazon DocumentDB database cluster:

aws docdb create-db-cluster-snapshot \
  --region us-east-1 \
  --db-cluster-snapshot-identifier cc-prod-cluster-snapshot \
  --db-cluster-identifier cc-prod-docdb-cluster

06 The command output should return the new DocumentDB cluster snapshot metadata:

{
	"DBClusterSnapshot": {
		"AvailabilityZones": [
			"us-east-1a",
			"us-east-1b",
			"us-east-1c"
		],
		"DBClusterSnapshotIdentifier": "cc-prod-cluster-snapshot",
		"DBClusterIdentifier": "cc-prod-docdb-cluster",
		"SnapshotCreateTime": "2022-10-19T10:04:17.179000+00:00",
		"Engine": "docdb",
		"Status": "creating",
		"Port": 0,
		"ClusterCreateTime": "2022-10-19T09:25:41.126000+00:00",
		"MasterUsername": "awsmanager",
		"EngineVersion": "3.6.0",
		"SnapshotType": "manual",
		"PercentProgress": 0,
		"StorageEncrypted": true,
		"DBClusterSnapshotArn": "arn:aws:rds:us-east-1:123456789012:cluster-snapshot:cc-prod-cluster-snapshot"
	}
}

07 Run restore-db-cluster-from-snapshot command (OSX/Linux/UNIX) to launch a new Amazon DocumentDB database cluster from the snapshot created at the previous step. To enable encryption at rest with customer-provided Customer Managed Keys (CMKs), specify the ARN of the CMK created earlier in the Remediation process as the value for the --kms-key-id parameter:

aws docdb restore-db-cluster-from-snapshot \
  --region us-east-1 \
  --db-cluster-identifier cc-prod-encrypted-cluster \
  --snapshot-identifier cc-prod-cluster-snapshot \
  --engine docdb \
  --kms-key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234

08 The command output should return the configuration information available for the new Amazon DocumentDB cluster:

{
	"DBCluster": {
		"AvailabilityZones": [
			"us-east-1a",
			"us-east-1b",
			"us-east-1c"
		],
		"BackupRetentionPeriod": 7,
		"DBClusterIdentifier": "cc-prod-encrypted-cluster",
		"DBClusterParameterGroup": "default.docdb3.6",
		"DBSubnetGroup": "default",
		"Status": "creating",
		"Endpoint": "cc-prod-encrypted-cluster.cluster-abcdabcdabcd.us-east-1.docdb.amazonaws.com",
		"ReaderEndpoint": "cc-prod-encrypted-cluster.cluster-ro-abcdabcdabcd.us-east-1.docdb.amazonaws.com",
		"MultiAZ": false,
		"Engine": "docdb",
		"EngineVersion": "3.6.0",
		"Port": 27017,
		"MasterUsername": "awsmanager",
		"PreferredBackupWindow": "00:00-00:30",
		"PreferredMaintenanceWindow": "thu:10:00-thu:10:30",
		"ReadReplicaIdentifiers": [],
		"DBClusterMembers": [],
		"VpcSecurityGroups": [
			{
				"VpcSecurityGroupId": "sg-0abcd1234abcd1234",
				"Status": "active"
			}
		],
		"StorageEncrypted": true,
		"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234",
		"DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:cc-prod-encrypted-cluster",
		"AssociatedRoles": [],
		"ClusterCreateTime": "2022-10-19T10:13:59.266000+00:00",
		"DeletionProtection": false
	}
}

09 Run create-db-instance command (OSX/Linux/UNIX) to add a new database instance to the newly created Amazon DocumentDB cluster. Run this command for each instance that you want to add to your database cluster. CMK-based encryption will be applied to all the database instances associated with the specified DocumentDB cluster:

aws docdb create-db-instance \
  --region us-east-1 \
  --db-instance-identifier cc-prod-encrypted-cluster-001 \
  --db-instance-class db.r4.large \
  --engine docdb \
  --availability-zone us-east-1a \
  --db-cluster-identifier cc-prod-encrypted-cluster

10 The command output should return the configuration information available for the new database instance:

{
	"DBInstance": {
		"Engine": "docdb",
		"AvailabilityZone": "us-east-1a",
		"DBInstanceStatus": "creating",
		"PubliclyAccessible": false,
		"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234",
		"StorageEncrypted": true,
		"AutoMinorVersionUpgrade": true,


		...


		"PreferredMaintenanceWindow": "sun:04:35-sun:05:05",
		"EngineVersion": "3.6.0",
		"DBClusterIdentifier": "cc-prod-encrypted-cluster",
		"DBInstanceClass": "db.r4.large",
		"BackupRetentionPeriod": 7,
		"DBInstanceIdentifier": "cc-prod-encrypted-cluster-001",
		"PendingModifiedValues": {}
	}
}

11 (Optional) Run delete-db-cluster command (OSX/Linux/UNIX) to terminate the source (unneeded) Amazon DocumentDB database cluster in order to stop adding charges for the resource. Delete the instances that belong to the source cluster first (delete-db-instance), since the API refuses to delete a cluster that still has instances. Keep the default --no-skip-final-snapshot behaviour and name the final snapshot with --final-db-snapshot-identifier (required when a final snapshot is taken), so the original data remains recoverable after the cluster is gone:

aws docdb delete-db-cluster \
  --region us-east-1 \
  --db-cluster-identifier cc-prod-docdb-cluster \
  --no-skip-final-snapshot \
  --final-db-snapshot-identifier cc-prod-docdb-cluster-final-snapshot

12 The output should return the delete-db-cluster command request metadata:

{
	"DBCluster": {
		"MasterUsername": "awsmanager",
		"Status": "deleting",
		"LatestRestorableTime": "2022-10-19T10:27:38.543Z",
		"PreferredBackupWindow": "00:00-00:30",
		"DBSubnetGroup": "default",
		"BackupRetentionPeriod": 7,

		...

		"PreferredMaintenanceWindow": "sun:10:04-sun:10:34",
		"Engine": "docdb",
		"ClusterCreateTime": "2022-10-19T09:25:41.126Z",
		"EngineVersion": "3.6.0",
		"DBClusterIdentifier": "cc-prod-docdb-cluster"
	}
}

13 Repeat steps no. 5 – 12 for each DocumentDB database cluster that you want to encrypt with a Customer Managed Key (CMK), available in the selected AWS region.

14 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
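The snapshot, restore and re-create-instances sequence of CLI steps 5 to 10 is easy to get subtly wrong by hand: the restored cluster lands in the default VPC unless the subnet and security groups are carried over, it comes up with no instances, and a key in the wrong region fails only after the snapshot has been taken. The following Python (boto3) script is an added example, not Conformity's or AWS's own code; the cluster, snapshot and key names in main() are assumptions, and the helper functions are pure so they can be checked offline without an AWS account.

```python
"""
Added example for this page, not Conformity's or AWS's own code: the
snapshot, restore-with-CMK and re-create-instances sequence of CLI steps
5-10 above, driven from boto3.  The cluster and key names in main() are
assumptions; the helper functions are pure so they can be checked offline.
"""
import time


def validate_key_for_cluster(key_arn: str, cluster_arn: str) -> tuple:
    """Reject a key that cannot encrypt this cluster before any snapshot is taken.

    KMS keys are regional, so the key must live in the cluster's region, and
    only a full key ARN is accepted: an alias such as alias/DocDBDataCMK is
    resolved in the caller's own account, which is wrong for a cross-account
    key.  Returns (region, key id).
    """
    k, c = key_arn.split(":"), cluster_arn.split(":")
    if len(k) != 6 or k[0] != "arn" or k[2] != "kms" or not k[5].startswith("key/"):
        raise ValueError(f"not a KMS key ARN: {key_arn}")
    if k[3] != c[3]:
        raise ValueError(f"key region {k[3]} differs from cluster region {c[3]}")
    return k[3], k[5].split("/", 1)[1]


def build_restore_request(source: dict, snapshot_id: str, target_id: str, key_arn: str) -> dict:
    """Keyword arguments for restore_db_cluster_from_snapshot.

    The subnet group and security groups are copied from the source cluster
    (a DescribeDBClusters entry); without them the restored cluster lands in
    the default VPC with the default security group.
    """
    validate_key_for_cluster(key_arn, source["DBClusterArn"])
    return {
        "DBClusterIdentifier": target_id,
        "SnapshotIdentifier": snapshot_id,
        "Engine": "docdb",
        "KmsKeyId": key_arn,                      # restored data is encrypted under the CMK
        "DBSubnetGroupName": source["DBSubnetGroup"],
        "VpcSecurityGroupIds": [sg["VpcSecurityGroupId"] for sg in source["VpcSecurityGroups"]],
        "DeletionProtection": True,
    }


def plan_instances(source_instances: list, target_id: str) -> list:
    """Mirror the source cluster's instance classes, AZs and failover tiers.

    Restoring a snapshot creates an empty cluster; instances (DescribeDBInstances
    entries of the source) have to be re-created and inherit the cluster's key.
    """
    ordered = sorted(source_instances, key=lambda i: i.get("PromotionTier", 1))
    return [{
        "DBInstanceIdentifier": f"{target_id}-{n:03d}",
        "DBInstanceClass": inst["DBInstanceClass"],
        "Engine": "docdb",
        "AvailabilityZone": inst["AvailabilityZone"],
        "DBClusterIdentifier": target_id,
        "PromotionTier": inst.get("PromotionTier", 1),
    } for n, inst in enumerate(ordered, start=1)]


def _wait_available(describe, key, every=30):
    """Poll describe() until the first object under key reports Status 'available'."""
    while describe()[key][0]["Status"] != "available":
        time.sleep(every)


def reencrypt_cluster(docdb, source_id: str, target_id: str, key_arn: str, snapshot_id: str) -> dict:
    """CLI steps 5-10 in order; docdb is a boto3 'docdb' client for the cluster's region."""
    source = docdb.describe_db_clusters(DBClusterIdentifier=source_id)["DBClusters"][0]
    request = build_restore_request(source, snapshot_id, target_id, key_arn)  # validates the key first
    instances = docdb.describe_db_instances(
        Filters=[{"Name": "db-cluster-id", "Values": [source_id]}])["DBInstances"]

    docdb.create_db_cluster_snapshot(DBClusterSnapshotIdentifier=snapshot_id,
                                     DBClusterIdentifier=source_id)
    _wait_available(lambda: docdb.describe_db_cluster_snapshots(
        DBClusterSnapshotIdentifier=snapshot_id), "DBClusterSnapshots")

    restored = docdb.restore_db_cluster_from_snapshot(**request)["DBCluster"]
    _wait_available(lambda: docdb.describe_db_clusters(DBClusterIdentifier=target_id), "DBClusters")

    for spec in plan_instances(instances, target_id):
        docdb.create_db_instance(**spec)
    docdb.get_waiter("db_instance_available").wait(
        Filters=[{"Name": "db-cluster-id", "Values": [target_id]}])
    return restored


if __name__ == "__main__":
    import boto3                                  # imported lazily so the module loads without boto3
    client = boto3.client("docdb", region_name="us-east-1")
    cluster = reencrypt_cluster(
        client, "cc-prod-docdb-cluster", "cc-prod-encrypted-cluster",
        "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234",
        "cc-prod-cluster-snapshot")
    print(cluster["DBClusterIdentifier"], cluster["KmsKeyId"])
```

The script stops short of deleting the source cluster (step 11) on purpose: re-point the application at the new endpoint and verify it first, then delete the source with a final snapshot as described above.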
