01 Run the create-db-cluster-snapshot command (OSX/Linux/UNIX) to take a snapshot of the source (unencrypted) Amazon DocumentDB cluster (see Audit section part II to identify the right resource):
aws docdb create-db-cluster-snapshot \
  --region us-east-1 \
  --db-cluster-snapshot-identifier cc-docdb-cluster-snapshot \
  --db-cluster-identifier cc-docdb-cluster
02 The command output should return the new DocumentDB cluster snapshot metadata:
{
    "DBClusterSnapshot": {
        "Engine": "docdb",
        "SnapshotCreateTime": "2019-01-17T16:57:07.864Z",
        "VpcId": "vpc-abcdabcd",
        "DBClusterIdentifier": "cc-docdb-cluster",
        "MasterUsername": "ccdocdbuser",
        "Status": "creating",
        ...
        "PercentProgress": 0,
        "DBClusterSnapshotIdentifier": "cc-docdb-cluster-snapshot",
        "ClusterCreateTime": "2019-01-17T16:36:23.433Z",
        "StorageEncrypted": true,
        "EngineVersion": "3.6.0",
        "SnapshotType": "manual"
    }
}
03 Run the restore-db-cluster-from-snapshot command (OSX/Linux/UNIX) to launch a new Amazon DocumentDB cluster from the snapshot created in the previous step. To enable encryption at rest for the new DocumentDB cluster, pass the ARN of the KMS key to use as the value of the --kms-key-id parameter:
aws docdb restore-db-cluster-from-snapshot \
  --region us-east-1 \
  --db-cluster-identifier cc-docdb-cluster-encrypted \
  --snapshot-identifier cc-docdb-cluster-snapshot \
  --engine docdb \
  --port 27017 \
  --vpc-security-group-ids sg-abcdabcd \
  --availability-zones us-east-1a us-east-1b \
  --kms-key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-1234abcd1234
04 The command output should return the new DocumentDB cluster metadata:
{
    "DBCluster": {
        "MasterUsername": "ccdocdbuser",
        "HostedZoneId": "ABCDABCDABCDA",
        "Status": "creating",
        "MultiAZ": false,
        "PreferredBackupWindow": "00:00-00:30",
        "DBSubnetGroup": "default",
        "BackupRetentionPeriod": 7,
        "PreferredMaintenanceWindow": "sun:10:04-sun:10:34",
        "Engine": "docdb",
        ...
        "ClusterCreateTime": "2019-01-17T16:36:23.433Z",
        "EngineVersion": "3.6.0",
        "DBClusterIdentifier": "cc-docdb-cluster-encrypted",
        "DBClusterMembers": [],
        "Port": 27017,
        "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-1234abcd1234",
        "StorageEncrypted": true,
        "DBClusterParameterGroup": "default.docdb3.6",
        "DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:cc-docdb-cluster-encrypted"
    }
}
05 Run the create-db-instance command (OSX/Linux/UNIX) to provision a new database instance and add it to the newly created Amazon DocumentDB cluster. Run this command once for each instance that you want to add to the cluster. All the database instances associated with the new (encrypted) DocumentDB cluster will have encryption at rest enabled:
aws docdb create-db-instance \
  --region us-east-1 \
  --db-instance-identifier cc-docdb-cluster-instance-1 \
  --db-instance-class db.r4.large \
  --engine docdb \
  --availability-zone us-east-1a \
  --db-cluster-identifier cc-docdb-cluster-encrypted
06 The command output should return the metadata available for the new database instance:
{
    "DBInstance": {
        "Engine": "docdb",
        "AvailabilityZone": "us-east-1a",
        "DBInstanceStatus": "creating",
        "PubliclyAccessible": false,
        "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-1234abcd1234",
        "StorageEncrypted": true,
        "AutoMinorVersionUpgrade": true,
        ...
        "PreferredMaintenanceWindow": "sun:04:35-sun:05:05",
        "EngineVersion": "3.6.0",
        "DBClusterIdentifier": "cc-docdb-cluster-encrypted",
        "DBInstanceClass": "db.r4.large",
        "BackupRetentionPeriod": 5,
        "DBInstanceIdentifier": "cc-docdb-cluster-instance-1",
        "PendingModifiedValues": {}
    }
}
07 Run the delete-db-cluster command (OSX/Linux/UNIX) to terminate the source (unencrypted) Amazon DocumentDB cluster, so that you stop incurring charges for the resource. Use the --skip-final-snapshot or --no-skip-final-snapshot parameter to specify whether a final snapshot is taken before the DocumentDB cluster is deleted:
aws docdb delete-db-cluster \
  --region us-east-1 \
  --db-cluster-identifier cc-docdb-cluster \
  --skip-final-snapshot
08 The command output should return the command request metadata:
{
    "DBCluster": {
        "MasterUsername": "ccdocdbuser",
        "Status": "deleting",
        "LatestRestorableTime": "2019-01-17T16:27:38.543Z",
        "PreferredBackupWindow": "00:00-00:30",
        "DBSubnetGroup": "default",
        "BackupRetentionPeriod": 7,
        ...
        "PreferredMaintenanceWindow": "sun:10:04-sun:10:34",
        "Engine": "docdb",
        "ClusterCreateTime": "2019-01-17T16:14:43.111Z",
        "EngineVersion": "3.6.0",
        "DBClusterIdentifier": "cc-docdb-cluster"
    }
}
09 Repeat steps no. 1 – 8 for each Amazon DocumentDB cluster for which you want to enable encryption at rest, available within the selected AWS region.
10 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 9 to perform the entire process for other regions.
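The whole snapshot-restore-recreate-delete procedure above (steps 1, 3, 5 and 7), as an added example that is not part of the original page: a small Python wrapper that builds the same aws docdb command lines, and adds the checks a practitioner wants before trusting the result, namely an audit over describe-db-clusters output for clusters with StorageEncrypted false, a verification that the restored cluster reports StorageEncrypted true with the expected KmsKeyId, and a guard that the source cluster has no attached instances before delete-db-cluster is issued (the call is rejected while instances remain). The function names, the SAMPLE_DESCRIBE_OUTPUT document and the instance identifiers are assumptions made for illustration; the resource names and KMS key ARN are the placeholders the page already uses. Nothing is executed unless run() is called with apply=True.

```python
"""Encrypt-by-migration for Amazon DocumentDB: audit, build the CLI steps, verify.

Added example, not code from the original page. Function names, the sample
describe output and the instance identifiers are assumptions for illustration.
"""
import json
import shlex
import subprocess
from typing import Dict, List

KMS_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-1234abcd1234"

# Constructed sample of `aws docdb describe-db-clusters` output, trimmed to the
# fields the audit needs; it was not captured from a real account.
SAMPLE_DESCRIBE_OUTPUT = {
    "DBClusters": [
        {"DBClusterIdentifier": "cc-docdb-cluster", "StorageEncrypted": False,
         "DBClusterMembers": [{"DBInstanceIdentifier": "cc-docdb-instance-1"}]},
        {"DBClusterIdentifier": "cc-docdb-cluster-encrypted", "StorageEncrypted": True,
         "KmsKeyId": KMS_KEY_ARN, "DBClusterMembers": []},
    ]
}


def find_unencrypted_clusters(describe_output: Dict) -> List[str]:
    """Audit: identifiers of clusters whose StorageEncrypted flag is not true."""
    return [c["DBClusterIdentifier"]
            for c in describe_output.get("DBClusters", [])
            if c.get("StorageEncrypted") is not True]


def migration_commands(region: str, source_id: str, target_id: str, snapshot_id: str,
                       kms_key_arn: str, security_group_ids: List[str],
                       availability_zones: List[str], instance_ids: List[str],
                       instance_class: str = "db.r4.large",
                       skip_final_snapshot: bool = True) -> List[List[str]]:
    """Steps 1, 3, 5 and 7 of the procedure as argv lists, in execution order."""
    def cmd(*args: str) -> List[str]:
        return ["aws", "docdb", *args, "--region", region]

    steps = [
        cmd("create-db-cluster-snapshot",
            "--db-cluster-snapshot-identifier", snapshot_id,
            "--db-cluster-identifier", source_id),
        cmd("restore-db-cluster-from-snapshot",
            "--db-cluster-identifier", target_id,
            "--snapshot-identifier", snapshot_id,
            "--engine", "docdb", "--port", "27017",
            "--vpc-security-group-ids", *security_group_ids,
            "--availability-zones", *availability_zones,
            "--kms-key-id", kms_key_arn),
    ]
    # One create-db-instance per instance, spread round-robin over the AZs.
    for i, instance_id in enumerate(instance_ids):
        steps.append(cmd("create-db-instance",
                         "--db-instance-identifier", instance_id,
                         "--db-instance-class", instance_class,
                         "--engine", "docdb",
                         "--availability-zone", availability_zones[i % len(availability_zones)],
                         "--db-cluster-identifier", target_id))
    # --no-skip-final-snapshot must be paired with --final-db-snapshot-identifier.
    final = (["--skip-final-snapshot"] if skip_final_snapshot else
             ["--no-skip-final-snapshot", "--final-db-snapshot-identifier", source_id + "-final"])
    steps.append(cmd("delete-db-cluster", "--db-cluster-identifier", source_id, *final))
    return steps


def verify_restored_cluster(restore_output: Dict, kms_key_arn: str) -> bool:
    """Check restore-db-cluster-from-snapshot output: encrypted, and with the expected key."""
    cluster = restore_output.get("DBCluster", {})
    return cluster.get("StorageEncrypted") is True and cluster.get("KmsKeyId") == kms_key_arn


def source_cluster_deletable(describe_output: Dict, source_id: str) -> bool:
    """delete-db-cluster is rejected while instances are still attached, so
    require DBClusterMembers to be empty before issuing step 7."""
    for cluster in describe_output.get("DBClusters", []):
        if cluster["DBClusterIdentifier"] == source_id:
            return not cluster.get("DBClusterMembers")
    return False


def run(steps: List[List[str]], apply: bool = False) -> List[Dict]:
    """Print every step; execute them only when apply=True (needs the aws CLI and credentials)."""
    outputs = []
    for argv in steps:
        print(shlex.join(argv))
        if apply:
            result = subprocess.run(argv, check=True, capture_output=True, text=True)
            outputs.append(json.loads(result.stdout) if result.stdout.strip() else {})
    return outputs


if __name__ == "__main__":
    print("unencrypted:", find_unencrypted_clusters(SAMPLE_DESCRIBE_OUTPUT))
    run(migration_commands("us-east-1", "cc-docdb-cluster", "cc-docdb-cluster-encrypted",
                           "cc-docdb-cluster-snapshot", KMS_KEY_ARN, ["sg-abcdabcd"],
                           ["us-east-1a", "us-east-1b"],
                           ["cc-docdb-cluster-instance-1", "cc-docdb-cluster-instance-2"]))
```

Running the file as-is only prints the five command lines, which is a convenient way to review them before a change window; in a real run, poll describe-db-cluster-snapshots until the snapshot is "available" before the restore step, and feed the restore output to verify_restored_cluster() and the source cluster's describe output to source_cluster_deletable() before the delete step.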