Ensure that your Amazon DocumentDB clusters have the Log Exports feature enabled in order to publish audit logs directly to Amazon CloudWatch Logs. The events recorded by Amazon DocumentDB audit logs include successful and failed authentication attempts, as well as DDL operations such as creating an index or dropping a collection in a database within the DocumentDB cluster.
This rule can help you with the following compliance standards:
- APRA
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
By default, auditing is disabled on all Amazon DocumentDB clusters. Once the Log Exports feature is enabled, Amazon DocumentDB (with MongoDB compatibility) starts sending Data Definition Language (DDL), authentication, authorization and user management events to Amazon CloudWatch Logs, a service that monitors, stores and provides access to your log files from a variety of sources within your AWS account. This enables you to analyze, monitor and archive your Amazon DocumentDB auditing events for security and compliance requirements. Note that exporting alone does not produce audit events: the cluster parameter group associated with the cluster must also have the audit_logs parameter set to enabled (the default cluster parameter group cannot be modified, so a custom parameter group is required). With audit_logs left at its default of disabled, the export is configured but CloudWatch Logs receives no audit records.
Audit
To determine if your AWS DocumentDB clusters are using Log Exports feature to publish audit logs to Amazon CloudWatch, perform the following actions:
Note: Verifying DocumentDB Log Exports feature status using the AWS Management Console is not currently supported.
Remediation / Resolution
To enable the Log Exports feature for your existing DocumentDB clusters in order to publish audit logs to Amazon CloudWatch Logs, perform the following actions:
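The audit check and the remediation above both come down to two calls that the References section names: describe-db-clusters, to read each cluster's EnabledCloudwatchLogsExports list, and modify-db-cluster, to add the "audit" log type. The following is an added example written for this page, not Cloud Conformity's own rule implementation: it evaluates a describe-db-clusters response of the documented shape, flags every cluster whose export list lacks "audit" (including clusters where the key is absent because nothing is exported), and builds the modify-db-cluster arguments that fix it. The sample response and the FakeDocDBClient are constructed here so the code runs offline; with a real boto3 client (boto3.client("docdb")) the same remediate() function performs the change, since it only uses the real describe_db_clusters and modify_db_cluster methods with their documented parameter names.

```python
"""Check and remediate Amazon DocumentDB audit log export to CloudWatch Logs.

Added example for this page (not Cloud Conformity's rule code). The only
AWS API calls used are describe_db_clusters() and modify_db_cluster(), with
the parameter names documented for the boto3 'docdb' client.
"""

AUDIT_LOG_TYPE = "audit"

# Constructed sample in the shape of a describe-db-clusters response.
# One cluster exports audit logs, one exports only profiler logs, and one
# exports nothing at all (the key is then absent from the response).
SAMPLE_RESPONSE = {
    "DBClusters": [
        {"DBClusterIdentifier": "docdb-compliant",
         "EnabledCloudwatchLogsExports": ["audit"]},
        {"DBClusterIdentifier": "docdb-profiler-only",
         "EnabledCloudwatchLogsExports": ["profiler"]},
        {"DBClusterIdentifier": "docdb-no-exports"},
    ]
}


def non_compliant_clusters(describe_response):
    """Return the identifiers of clusters not exporting audit logs.

    `describe_response` is the dict returned by describe_db_clusters().
    A missing EnabledCloudwatchLogsExports key means no log type is exported,
    so it is treated the same as a list without "audit".
    """
    missing = []
    for cluster in describe_response.get("DBClusters", []):
        exports = cluster.get("EnabledCloudwatchLogsExports", [])
        if AUDIT_LOG_TYPE not in exports:
            missing.append(cluster["DBClusterIdentifier"])
    return missing


def enable_audit_export_params(cluster_id, apply_immediately=True):
    """Build the keyword arguments for modify_db_cluster() that add the
    "audit" log type without touching any other log type already enabled."""
    return {
        "DBClusterIdentifier": cluster_id,
        "CloudwatchLogsExportConfiguration": {"EnableLogTypes": [AUDIT_LOG_TYPE]},
        "ApplyImmediately": apply_immediately,
    }


def remediate(docdb_client, describe_response=None):
    """Enable audit log export on every non-compliant cluster.

    `docdb_client` is any object exposing describe_db_clusters() and
    modify_db_cluster(**kwargs), e.g. boto3.client("docdb").
    Returns the identifiers of the clusters that were modified.
    """
    if describe_response is None:
        describe_response = docdb_client.describe_db_clusters()
    fixed = []
    for cluster_id in non_compliant_clusters(describe_response):
        docdb_client.modify_db_cluster(**enable_audit_export_params(cluster_id))
        fixed.append(cluster_id)
    return fixed


class FakeDocDBClient:
    """Offline stand-in for boto3.client("docdb") (constructed for this example).

    It serves SAMPLE_RESPONSE and records each modify_db_cluster() call, and
    applies the change to its own state so a second audit pass shows the
    clusters as compliant.
    """

    def __init__(self, response):
        self.response = response
        self.calls = []

    def describe_db_clusters(self):
        return self.response

    def modify_db_cluster(self, **kwargs):
        self.calls.append(kwargs)
        for cluster in self.response["DBClusters"]:
            if cluster["DBClusterIdentifier"] == kwargs["DBClusterIdentifier"]:
                enabled = kwargs["CloudwatchLogsExportConfiguration"]["EnableLogTypes"]
                current = cluster.setdefault("EnabledCloudwatchLogsExports", [])
                cluster["EnabledCloudwatchLogsExports"] = current + [
                    t for t in enabled if t not in current]


if __name__ == "__main__":
    client = FakeDocDBClient(SAMPLE_RESPONSE)
    print("Non-compliant before:", non_compliant_clusters(client.describe_db_clusters()))
    print("Remediated:", remediate(client))
    print("Non-compliant after:", non_compliant_clusters(client.describe_db_clusters()))
```

The same remediation from the AWS CLI is `aws docdb modify-db-cluster --db-cluster-identifier <cluster-id> --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit"]}' --apply-immediately`. Remember that this only turns on the export; the cluster's parameter group must have audit_logs set to enabled before any audit events are produced, so a complete check also reads that parameter with describe-db-cluster-parameters.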
References
- AWS Documentation
  - Amazon DocumentDB (with MongoDB compatibility) FAQs
  - Monitoring Amazon DocumentDB
  - Auditing Amazon DocumentDB Events
  - Modifying an Amazon DocumentDB Cluster
- AWS Command Line Interface (CLI) Documentation
  - docdb
  - describe-db-clusters
  - modify-db-cluster
Rule: Log Exports for DocumentDB
Risk level: Low