Triage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration of DocumentDB clusters not being encrypted in AWS RDS using the AWS Management Console, you can follow these step-by-step instructions:
- Login to AWS Console: Go to the AWS Management Console (https://aws.amazon.com/console/) and log in to your AWS account.
- Navigate to Amazon DocumentDB: In the AWS Management Console, navigate to the Amazon DocumentDB service by either searching for “DocumentDB” in the search bar or locating it under the “Database” section.
- Select the DocumentDB Cluster: From the DocumentDB dashboard, select the DocumentDB cluster that you want to encrypt.
- Enable Encryption: Click on the selected DocumentDB cluster, and then click on the “Modify” button to make changes to the cluster configuration.
- Enable Encryption at Rest: In the cluster configuration settings, scroll down to the “Encryption” section. Here, you will find an option to enable encryption at rest. Select the option to enable encryption.
- Choose the Encryption Key: Choose the AWS Key Management Service (KMS) key that you want to use for encrypting the DocumentDB cluster. You can either use the default AWS-managed key or choose a custom KMS key.
- Save Changes: After selecting the encryption key, scroll down to the bottom of the configuration page and click on the “Apply immediately” checkbox if you want the changes to take effect immediately. Then click on the “Modify cluster” button to save the changes.
- Monitor Encryption Status: Once the modification is initiated, monitor the status of the encryption process in the DocumentDB cluster dashboard. The encryption process may take some time to complete depending on the size of the cluster.
- Verification: After the encryption process is completed, verify that the DocumentDB cluster is now encrypted by checking the cluster details and ensuring that the encryption status is showing as “Encrypted”.
Using CLI
Using CLI
To remediate the misconfiguration of DocumentDB clusters not being encrypted in AWS RDS using AWS CLI, follow these steps:Step 1: Enable encryption for the DocumentDB cluster using the AWS CLI command below:Replace Step 3: Once you have confirmed that the encryption is enabled for the DocumentDB cluster, ensure that all future DocumentDB clusters are also encrypted by default. You can do this by modifying the RDS cluster parameter group as follows:Replace
your-cluster-id with the actual identifier of your DocumentDB cluster.Step 2: Verify the encryption status of the DocumentDB cluster to ensure that it is now encrypted. You can do this by describing the cluster using the following AWS CLI command:your-parameter-group-name with the actual name of your RDS cluster parameter group.By following these steps, you can successfully remediate the misconfiguration of DocumentDB clusters not being encrypted in AWS RDS using the AWS CLI.Using Python
Using Python
To remediate the misconfiguration of DocumentDB clusters not being encrypted in AWS RDS using Python, you can follow these steps:
-
Install the AWS SDK for Python (Boto3) if you haven’t already. You can install it using pip:
- Write a Python script to enable encryption for your DocumentDB clusters. Here’s an example script that uses Boto3 to enable encryption for all DocumentDB clusters in your AWS account:
- Run the Python script in your local environment or AWS Lambda function with appropriate IAM permissions to modify DocumentDB clusters.
- Monitor the script output to ensure that encryption is enabled for all DocumentDB clusters. You can also verify this in the AWS Management Console by checking the encryption status of each cluster.