AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
DocumentDB Clusters Should Be Encrypted
More Info:
This rule checks whether storage encryption is enabled for your Amazon DocumentDB (with MongoDB compatibility) clusters. Enabling storage encryption helps protect your data at rest. The rule is marked as non-compliant if storage encryption is not enabled.
Risk Level
Medium
Address
Security
Compliance Standards
SOC2,NIST,GDPR,ISO27001,HIPAA,HITRUST,NISTCSF,PCIDSS,SEBI
Triage and Remediation
Remediation
To remediate the misconfiguration of DocumentDB clusters not being encrypted in AWS RDS using the AWS Management Console, you can follow these step-by-step instructions:
-
Login to AWS Console: Go to the AWS Management Console (https://aws.amazon.com/console/) and log in to your AWS account.
-
Navigate to Amazon DocumentDB: In the AWS Management Console, navigate to the Amazon DocumentDB service by either searching for “DocumentDB” in the search bar or locating it under the “Database” section.
-
Select the DocumentDB Cluster: From the DocumentDB dashboard, select the DocumentDB cluster that you want to encrypt.
-
Enable Encryption: Click on the selected DocumentDB cluster, and then click on the “Modify” button to make changes to the cluster configuration.
-
Enable Encryption at Rest: In the cluster configuration settings, scroll down to the “Encryption” section. Here, you will find an option to enable encryption at rest. Select the option to enable encryption.
-
Choose the Encryption Key: Choose the AWS Key Management Service (KMS) key that you want to use for encrypting the DocumentDB cluster. You can either use the default AWS-managed key or choose a custom KMS key.
-
Save Changes: After selecting the encryption key, scroll down to the bottom of the configuration page and click on the “Apply immediately” checkbox if you want the changes to take effect immediately. Then click on the “Modify cluster” button to save the changes.
-
Monitor Encryption Status: Once the modification is initiated, monitor the status of the encryption process in the DocumentDB cluster dashboard. The encryption process may take some time to complete depending on the size of the cluster.
-
Verification: After the encryption process is completed, verify that the DocumentDB cluster is now encrypted by checking the cluster details and ensuring that the encryption status is showing as “Encrypted”.
By following these steps, you can successfully remediate the misconfiguration of DocumentDB clusters not being encrypted in AWS RDS using the AWS Management Console.
To remediate the misconfiguration of DocumentDB clusters not being encrypted in AWS RDS using AWS CLI, follow these steps:
Step 1: Enable encryption for the DocumentDB cluster using the AWS CLI command below:
aws rds modify-db-cluster --db-cluster-identifier your-cluster-id --storage-encrypted
Replace your-cluster-id with the actual identifier of your DocumentDB cluster.
Step 2: Verify the encryption status of the DocumentDB cluster to ensure that it is now encrypted. You can do this by describing the cluster using the following AWS CLI command:
aws rds describe-db-clusters --db-cluster-identifier your-cluster-id --query "DBClusters[*].StorageEncrypted"
Step 3: Once you have confirmed that the encryption is enabled for the DocumentDB cluster, ensure that all future DocumentDB clusters are also encrypted by default. You can do this by modifying the RDS cluster parameter group as follows:
aws rds modify-db-cluster-parameter-group --db-cluster-parameter-group-name your-parameter-group-name --parameters "ParameterName=aws_docdb_encryption_support,ParameterValue=true,ApplyMethod=immediate"
Replace your-parameter-group-name with the actual name of your RDS cluster parameter group.
By following these steps, you can successfully remediate the misconfiguration of DocumentDB clusters not being encrypted in AWS RDS using the AWS CLI.
To remediate the misconfiguration of DocumentDB clusters not being encrypted in AWS RDS using Python, you can follow these steps:
-
Install the AWS SDK for Python (Boto3) if you haven’t already. You can install it using pip:
pip install boto3 -
Write a Python script to enable encryption for your DocumentDB clusters. Here’s an example script that uses Boto3 to enable encryption for all DocumentDB clusters in your AWS account:
import boto3
# Initialize the DocumentDB client
client = boto3.client('docdb')
# Get a list of all DocumentDB clusters
response = client.describe_db_clusters()
# Iterate through each cluster and enable encryption
for cluster in response['DBClusters']:
cluster_identifier = cluster['DBClusterIdentifier']
# Enable encryption for the cluster
client.modify_db_cluster(
DBClusterIdentifier=cluster_identifier,
StorageEncrypted=True
)
print(f"Encryption enabled for DocumentDB cluster: {cluster_identifier}")
-
Run the Python script in your local environment or AWS Lambda function with appropriate IAM permissions to modify DocumentDB clusters.
-
Monitor the script output to ensure that encryption is enabled for all DocumentDB clusters. You can also verify this in the AWS Management Console by checking the encryption status of each cluster.
By following these steps, you can remediate the misconfiguration of DocumentDB clusters not being encrypted in AWS RDS using Python.