DocumentDB cluster encryption should not be disabled

• GG_ID: GG_IAC_0036
• Severity: HIGH
• Complexity: LOW
• Categories: DATA, PERMISSION
• Providers: AWS
• Potential data exposure: True
• Visible in logs: False
• User interaction required: False
• Privileges required: True

Description

Amazon DocumentDB is a database service that is purpose-built for JSON data management at scale, fully managed and integrated with AWS. The data should always be encrypted at rest to protect the data if accesses are compromised.

Impact

Not encrypting data at rest could lead to data leak in case of attack.

Remediation guidelines

Since it is not possible to encrypt an existing unencrypted DocumentDB cluster, you will have to perform manual steps:

1. Create an unencrypted snapshot of the cluster.
2. Create an encrypted cluster from the unencrypted snapshot by specifying the AWS KMS key.
3. Delete all the instances the unencrypted cluster has and delete it after on the AWS Management Console.

External documentation

• DocumentDB Data encryption at rest
• Restoring from a Cluster Snapshot