DocumentDB is not encrypted at rest
Description
The encryption feature available for Amazon DocumentDB clusters provides an additional layer of data protection by helping secure your data against unauthorized access to the underlying storage.
Amazon DocumentDB allows you to encrypt your clusters using keys managed through the AWS Key Management Service (KMS). On a cluster running with Amazon DocumentDB encryption, data stored at rest in the underlying storage is encrypted, as are its automated backups, snapshots, and replicas in the same cluster.
Fix - Runtime
Procedure
- In the Amazon DocumentDB console, start creating a new cluster.
- Under the Authentication section, choose Show advanced settings.
- Scroll down to the Encryption-at-rest section.
- Choose Enable encryption. You can keep the default AWS managed key or select a customer managed KMS key. Whichever option you choose, you can't change it after the cluster is created.
Because encryption at rest is fixed at creation time, an existing unencrypted cluster cannot be switched in place: create a new encrypted cluster and migrate the data into it.
CLI Command
aws docdb create-db-cluster \
--db-cluster-identifier sample-cluster \
--port 27017 \
--engine docdb \
--master-username yourMasterUsername \
--master-user-password yourMasterPassword \
--storage-encrypted
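To confirm the runtime fix across an account rather than one cluster at a time, the following audit script (an added example, not part of the original page or of AWS tooling) evaluates the JSON that `aws docdb describe-db-clusters` and `aws docdb describe-db-cluster-snapshots` return, flagging any DocumentDB cluster or cluster snapshot whose `StorageEncrypted` field is not `true`. It assumes the documented field names `DBClusterIdentifier`, `DBClusterSnapshotIdentifier`, `Engine`, `StorageEncrypted` and `KmsKeyId`; the sample responses embedded in it are constructed for illustration, and the optional `fetch_live` helper (which needs boto3 and credentials) is the only part that touches a real account.

```python
"""Audit Amazon DocumentDB clusters and cluster snapshots for encryption at rest.

Added example. Works on the response shape of `describe-db-clusters` and
`describe-db-cluster-snapshots`. Because those DocumentDB API calls share a
backend with RDS, results may include Aurora clusters; we keep only Engine=docdb.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Constructed sample data (not captured from a real account); 111122223333 is
# the placeholder account ID used throughout AWS documentation.
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "sample-cluster", "Engine": "docdb", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"},
    {"DBClusterIdentifier": "legacy-docdb", "Engine": "docdb", "StorageEncrypted": False},
    # Aurora cluster returned by the same API; not a DocumentDB finding.
    {"DBClusterIdentifier": "analytics-aurora", "Engine": "aurora-postgresql", "StorageEncrypted": False},
]
SAMPLE_SNAPSHOTS = [
    {"DBClusterSnapshotIdentifier": "rds:sample-cluster-2024-01-01-00-00",
     "DBClusterIdentifier": "sample-cluster", "Engine": "docdb", "StorageEncrypted": True},
    {"DBClusterSnapshotIdentifier": "legacy-docdb-manual",
     "DBClusterIdentifier": "legacy-docdb", "Engine": "docdb", "StorageEncrypted": False},
]


@dataclass(frozen=True)
class Finding:
    resource_type: str  # "cluster" or "snapshot"
    identifier: str
    message: str


def is_docdb(resource: dict) -> bool:
    """True only for DocumentDB resources; Aurora entries share the API and are skipped."""
    return resource.get("Engine") == "docdb"


def audit_clusters(clusters: Iterable[dict]) -> list[Finding]:
    """One Finding per DocumentDB cluster whose storage is not encrypted.

    A missing StorageEncrypted field is treated as unencrypted rather than as a pass,
    so a truncated or unexpected response cannot hide an unencrypted cluster.
    """
    findings: list[Finding] = []
    for cluster in clusters:
        if not is_docdb(cluster):
            continue
        if cluster.get("StorageEncrypted") is not True:
            ident = cluster.get("DBClusterIdentifier", "<unknown>")
            findings.append(Finding("cluster", ident,
                                    "StorageEncrypted is not true; encryption cannot be enabled "
                                    "in place, recreate the cluster with --storage-encrypted"))
    return findings


def audit_snapshots(snapshots: Iterable[dict]) -> list[Finding]:
    """One Finding per unencrypted DocumentDB cluster snapshot.

    Snapshots inherit the source cluster's encryption, so an unencrypted snapshot is
    both a copy of the data at rest without protection and a pointer to an unencrypted
    source cluster.
    """
    findings: list[Finding] = []
    for snap in snapshots:
        if not is_docdb(snap):
            continue
        if snap.get("StorageEncrypted") is not True:
            ident = snap.get("DBClusterSnapshotIdentifier", "<unknown>")
            source = snap.get("DBClusterIdentifier", "<unknown>")
            findings.append(Finding("snapshot", ident,
                                    f"unencrypted snapshot of cluster {source}"))
    return findings


def audit(clusters: Iterable[dict], snapshots: Iterable[dict]) -> list[Finding]:
    """Combined report: cluster findings first, then snapshot findings."""
    return audit_clusters(clusters) + audit_snapshots(snapshots)


def is_compliant(clusters: Iterable[dict], snapshots: Iterable[dict]) -> bool:
    """True when no DocumentDB cluster or snapshot lacks encryption at rest."""
    return not audit(clusters, snapshots)


def fetch_live(region_name: str) -> tuple[list[dict], list[dict]]:
    """Pull real clusters and snapshots with boto3 (requires credentials; not used offline)."""
    import boto3  # imported lazily so the offline demo has no dependency on it

    docdb = boto3.client("docdb", region_name=region_name)
    clusters = [c for page in docdb.get_paginator("describe_db_clusters").paginate()
                for c in page["DBClusters"]]
    snapshots = [s for page in docdb.get_paginator("describe_db_cluster_snapshots").paginate()
                 for s in page["DBClusterSnapshots"]]
    return clusters, snapshots


if __name__ == "__main__":
    for finding in audit(SAMPLE_CLUSTERS, SAMPLE_SNAPSHOTS):
        print(f"[{finding.resource_type}] {finding.identifier}: {finding.message}")
```

Run against the constructed data it reports `legacy-docdb` and its manual snapshot and ignores the Aurora cluster; swap `SAMPLE_CLUSTERS, SAMPLE_SNAPSHOTS` for `fetch_live("us-east-1")` to audit a region. The script only reports the `StorageEncrypted` flag; whether the `KmsKeyId` is an AWS managed or customer managed key is a separate KMS lookup.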
Fix - Buildtime
Terraform
- Resource: aws_docdb_cluster
- Arguments: storage_encrypted - Specifies whether the DB cluster is encrypted; set it to true. Optionally, kms_key_id - the ARN of the KMS key to encrypt with (storage_encrypted must be true when kms_key_id is set); when omitted, the default AWS managed key is used.
resource "aws_docdb_cluster" "example" {
...
cluster_identifier = "docdb-cluster-demo"
+ storage_encrypted = true
...
}