Log Exports for DocumentDB

Risk level: Low (generally tolerable level of risk)
Rule ID: DocumentDB-004

Ensure that your Amazon DocumentDB clusters have the Log Exports feature enabled in order to publish audit logs directly to AWS CloudWatch Logs. The events recorded by the AWS DocumentDB audit logs include successful and failed authentication attempts, creating indexes, or dropping a collection in a database within the DocumentDB cluster.

This rule can help you with the following compliance standards:

  • APRA

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

By default, auditing is disabled on all Amazon DocumentDB clusters. Once the Log Exports feature is enabled, AWS DocumentDB (with MongoDB compatibility) starts sending Data Definition Language (DDL), authentication, authorization and user management events to AWS CloudWatch Logs, a service that monitors, stores and accesses your log files from a variety of sources within your AWS account. This enables you to analyze, monitor and archive your Amazon DocumentDB auditing events for security and compliance requirements.

Audit

To determine if your AWS DocumentDB clusters are using the Log Exports feature to publish audit logs to Amazon CloudWatch, perform the following actions:

Note: Verifying DocumentDB Log Exports feature status using the AWS Management Console is not currently supported.

Using AWS CLI

01 Run the describe-db-clusters command (OSX/Linux/UNIX) to list the names of all Amazon DocumentDB clusters available in the selected AWS region:

aws docdb describe-db-clusters \
	--region us-east-1 \
	--output table \
	--query 'DBClusters[*].DBClusterIdentifier'

02 The command output should return a table with the requested database cluster names:

------------------------
|  DescribeDBClusters  |
+----------------------+
|  cc-docdb-mongo-db   |
|  cc-docdb-stage-db   |
+----------------------+

03 Execute the describe-db-clusters command (OSX/Linux/UNIX) using the name of the DocumentDB cluster that you want to examine as the identifier, together with custom query filters, to get the list of log types that the selected database cluster is configured to export to Amazon CloudWatch Logs:

aws docdb describe-db-clusters \
	--region us-east-1 \
	--db-cluster-identifier cc-docdb-mongo-db \
	--query 'DBClusters[*].EnabledCloudwatchLogsExports'

04 The command output should return the requested configuration information, i.e. the list of log types that the cluster exports to CloudWatch Logs (the audit log, when it is enabled):

[]

If the describe-db-clusters command output returns an empty array, as shown in the example above, the Log Exports feature is not enabled for the selected Amazon DocumentDB database cluster, therefore the audit logging data is not published to AWS CloudWatch Logs.

05 Repeat steps no. 3 and 4 for each AWS DocumentDB cluster available in the selected region to determine the Log Exports feature status.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.

Remediation / Resolution

To enable the Log Exports feature for your existing DocumentDB clusters in order to publish audit logs to Amazon CloudWatch, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to DocumentDB dashboard at https://console.aws.amazon.com/docdb/.

03 In the left navigation panel, select Clusters.

04 Select the DocumentDB database cluster that you want to reconfigure.

05 Click the Actions button from the dashboard top menu and select Modify option.

06 On the Modify cluster: <cluster-name> page, within Log Exports section, select Enabled next to Export auditing logs to Amazon CloudWatch to switch on the Log Exports feature for the selected database cluster. Leave the rest of the settings unchanged, then click Continue to continue the update process.

07 In the Summary of modifications section, review the configuration changes that you want to apply to your DocumentDB cluster.

08 Inside Scheduling of modifications section, perform one of the following actions based on your application availability requirements:

  1. Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window.
  2. Select Apply immediately to apply the changes right away. With this option any pending modifications will be asynchronously applied as soon as possible, regardless of the maintenance window configuration set for the selected database cluster. Note that any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your application.

09 Click Modify cluster to apply the configuration changes. The update process should take just a few minutes. The DocumentDB cluster can be used again once its status returns to available.

10 Repeat steps no. 4 – 9 to enable the Log Exports feature for other Amazon DocumentDB database clusters available in the current region.

11 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run the modify-db-cluster command (OSX/Linux/UNIX) to enable the Log Exports feature for the selected Amazon DocumentDB cluster (see the Audit section to identify the right resource). The command request makes use of the --apply-immediately parameter to apply the configuration changes asynchronously, as soon as possible. If you instead use the --no-apply-immediately parameter for the modify-db-cluster command request, the DocumentDB service will apply your changes during the next maintenance window:

aws docdb modify-db-cluster \
	--region us-east-1 \
	--db-cluster-identifier cc-docdb-mongo-db \
	--cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit"]}' \
	--apply-immediately

02 The command output should return the metadata for the modified DocumentDB database cluster:

{
    "DBCluster": {
        "HostedZoneId": "AAAABBBBBCCCC",
        "Status": "available",
        "MultiAZ": true,
        "LatestRestorableTime": "2019-03-11T11:19:02.976Z",
        "PreferredBackupWindow": "00:00-00:30",
        "DBSubnetGroup": "default",
        "BackupRetentionPeriod": 7,
        "PreferredMaintenanceWindow": "fri:05:57-fri:06:27",
        "Engine": "docdb",
        "EarliestRestorableTime": "2019-03-11T10:34:10.399Z",

        ...

        "ClusterCreateTime": "2019-03-04T10:33:31.582Z",
        "EngineVersion": "3.6.0",
        "DBClusterIdentifier": "cc-docdb-mongo-db",
        "DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:cc-docdb-mongo-db",
        "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd",
        "StorageEncrypted": true,
        "DBClusterParameterGroup": "default.docdb3.6",
        "AvailabilityZones": [
            "us-east-1c",
            "us-east-1b",
            "us-east-1e"
        ],
        "Port": 27017
    }
}

03 Repeat steps no. 1 and 2 to enable Log Exports for other Amazon DocumentDB database clusters available in the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat the entire remediation process for other regions.
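The Audit and Remediation CLI steps above are manual per cluster and per region. The following script is an added example (not Cloud Conformity's or AWS's own code) that automates both: it evaluates the JSON shape returned by describe-db-clusters (the DBClusters list with its EnabledCloudwatchLogsExports array) against the DocumentDB-004 requirement, and for every failing cluster builds the same --cloudwatch-logs-export-configuration value that the modify-db-cluster step uses. The embedded sample response is constructed; the two cluster names come from the page and the profiler-only cluster is an assumption added to show that exporting a different log type does not satisfy this rule. The audit_region helper assumes boto3 is installed and credentials are configured, and it is not exercised offline.

```python
"""Automated check and fix for the DocumentDB-004 rule (audit log export).

Added example; not Cloud Conformity's or AWS's own code. It works on the
response shape of `aws docdb describe-db-clusters` (the `DBClusters` list,
each item carrying `EnabledCloudwatchLogsExports`) and builds the same
`modify-db-cluster` call the remediation steps use. The sample response
below is constructed; the boto3 helper at the end needs real credentials.
"""
import json
from typing import Any, Dict, List, Optional

# Rule DocumentDB-004 is satisfied only when the "audit" log type is exported.
REQUIRED_LOG_TYPES = frozenset({"audit"})

# Constructed sample response: the page's two clusters plus an assumed third
# one that exports only the profiler log (not enough for this rule).
SAMPLE_RESPONSE: Dict[str, Any] = {
    "DBClusters": [
        {"DBClusterIdentifier": "cc-docdb-mongo-db",
         "EnabledCloudwatchLogsExports": []},
        {"DBClusterIdentifier": "cc-docdb-stage-db",
         "EnabledCloudwatchLogsExports": ["audit"]},
        {"DBClusterIdentifier": "cc-docdb-profiler-db",
         "EnabledCloudwatchLogsExports": ["profiler"]},
    ]
}


def missing_log_types(cluster: Dict[str, Any]) -> List[str]:
    """Log types the rule requires that this cluster does not export yet.

    The key is absent or an empty array when Log Exports was never enabled,
    which is the `[]` that Audit step 04 shows for a failing cluster.
    """
    enabled = set(cluster.get("EnabledCloudwatchLogsExports") or [])
    return sorted(REQUIRED_LOG_TYPES - enabled)


def evaluate_clusters(response: Dict[str, Any]) -> Dict[str, List[str]]:
    """Map every cluster identifier to its missing log types (empty = compliant)."""
    return {c["DBClusterIdentifier"]: missing_log_types(c)
            for c in response.get("DBClusters", [])}


def noncompliant_clusters(response: Dict[str, Any]) -> List[str]:
    """Identifiers of clusters that fail DocumentDB-004, sorted for stable reports."""
    return sorted(cid for cid, missing in evaluate_clusters(response).items() if missing)


def remediation_config(cluster: Dict[str, Any]) -> Optional[Dict[str, List[str]]]:
    """Value for --cloudwatch-logs-export-configuration, or None when compliant.

    Only the missing types go into EnableLogTypes, so an export that is already
    switched on (e.g. profiler) is left untouched.
    """
    missing = missing_log_types(cluster)
    return {"EnableLogTypes": missing} if missing else None


def remediation_command(cluster: Dict[str, Any], region: str) -> Optional[str]:
    """The exact `aws docdb modify-db-cluster` line the remediation step runs."""
    config = remediation_config(cluster)
    if config is None:
        return None
    return (
        f"aws docdb modify-db-cluster --region {region} "
        f"--db-cluster-identifier {cluster['DBClusterIdentifier']} "
        f"--cloudwatch-logs-export-configuration "
        f"'{json.dumps(config, separators=(',', ':'))}' --apply-immediately"
    )


def audit_region(region: str, fix: bool = False) -> List[str]:
    """Live check of one region with boto3 (assumed installed and configured).

    Paginates describe_db_clusters so clusters beyond the first page are not
    missed; with fix=True it applies the remediation immediately (ApplyImmediately).
    """
    import boto3  # imported here so the offline helpers above need no boto3

    client = boto3.client("docdb", region_name=region)
    failing: List[str] = []
    for page in client.get_paginator("describe_db_clusters").paginate():
        for cluster in page.get("DBClusters", []):
            config = remediation_config(cluster)
            if config is None:
                continue
            failing.append(cluster["DBClusterIdentifier"])
            if fix:
                client.modify_db_cluster(
                    DBClusterIdentifier=cluster["DBClusterIdentifier"],
                    CloudwatchLogsExportConfiguration=config,
                    ApplyImmediately=True,
                )
    return failing


if __name__ == "__main__":
    for cid, missing in evaluate_clusters(SAMPLE_RESPONSE).items():
        status = "PASS" if not missing else f"FAIL (missing {', '.join(missing)})"
        print(f"{cid}: {status}")
```

Run it as-is to see the offline evaluation of the constructed sample; call audit_region("us-east-1") in a loop over your regions to reproduce Audit steps 1 to 6, and audit_region(region, fix=True) to apply the Remediation step with --apply-immediately semantics. Because remediation_config only adds what is missing, re-running the fix against an already compliant cluster is a no-op rather than a second modification.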
