DocumentDB cluster encryption should not be disabled
| Severity | Exploitability | Providers | Categories |
|---|---|---|---|
| HIGH | HIGH | AWS | DATA, PERMISSION |
# Description

Amazon DocumentDB is a database service that is purpose-built for JSON data management at scale, fully managed and integrated with AWS. Data should always be encrypted at rest so that it stays protected if access is compromised.
# Impact

| Potential data exposure | Visible in logs | User interaction required | Privileges required |
|---|---|---|---|
| True | False | False | True |

Not encrypting data at rest could lead to a data leak in the event of an attack.
# Remediation guidelines

Since it is not possible to encrypt an existing unencrypted DocumentDB cluster, you will have to perform the following manual steps:

- Create an unencrypted snapshot of the cluster.
- Create an encrypted cluster from the unencrypted snapshot by specifying the AWS KMS key.
- Delete all instances of the unencrypted cluster, then delete the cluster itself in the AWS Management Console.
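The following script is an added example, not part of the original rule page or of any AWS tooling. It shows both halves of this rule: a detection that flags DocumentDB clusters whose `StorageEncrypted` flag is off, and the remediation steps above expressed as an ordered plan of boto3 `docdb` API calls (snapshot, restore with a KMS key, recreate instances, delete the old instances, delete the old cluster). Assumptions: boto3 is installed when the script talks to AWS, the caller holds the relevant `docdb:Describe*`, `Create*`, `Restore*`, `Modify*` and `Delete*` permissions, `KMS_KEY_ARN` is a placeholder rather than a real key, the `-encrypted`/`-pre-encryption` naming and the `db.r5.large` instance class are choices made for the example, and the `wait_for_snapshot` helper is this example's own polling loop rather than a boto3 waiter.

```python
"""Detect DocumentDB clusters with encryption at rest disabled and build a
remediation plan from the rule's manual steps (example code, not AWS's)."""
import time
from typing import Any, Dict, List, Tuple

# Placeholder only: replace with the ARN of the customer-managed KMS key to use.
KMS_KEY_ARN = "arn:aws:kms:REGION:ACCOUNT_ID:key/PLACEHOLDER-KEY-ID"

Step = Tuple[str, Dict[str, Any]]  # (boto3 client method name, keyword args)


def find_unencrypted_clusters(describe_response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per docdb cluster in a DescribeDBClusters response
    whose StorageEncrypted flag is absent or False.

    DescribeDBClusters on the docdb endpoint can also list Neptune and RDS
    clusters, so the engine is checked here as well as in the API filter."""
    findings = []
    for cluster in describe_response.get("DBClusters", []):
        if cluster.get("Engine") != "docdb" or cluster.get("StorageEncrypted", False):
            continue
        findings.append({
            "cluster": cluster["DBClusterIdentifier"],
            "instances": [m["DBInstanceIdentifier"] for m in cluster.get("DBClusterMembers", [])],
            "deletion_protection": cluster.get("DeletionProtection", False),
        })
    return findings


def scan_account(client) -> List[Dict[str, Any]]:
    """Page through DescribeDBClusters (engine filter = docdb) and collect findings."""
    findings: List[Dict[str, Any]] = []
    paginator = client.get_paginator("describe_db_clusters")
    for page in paginator.paginate(Filters=[{"Name": "engine", "Values": ["docdb"]}]):
        findings.extend(find_unencrypted_clusters(page))
    return findings


def remediation_plan(finding: Dict[str, Any], kms_key_arn: str,
                     instance_class: str = "db.r5.large") -> List[Step]:
    """Translate the rule's manual steps into an ordered list of API calls.
    Nothing is executed here, so the plan can be reviewed before apply_plan()."""
    old = finding["cluster"]
    new = f"{old}-encrypted"            # naming chosen for this example
    snapshot_id = f"{old}-pre-encryption"
    plan: List[Step] = [
        # Step 1: unencrypted snapshot of the existing cluster.
        ("create_db_cluster_snapshot",
         {"DBClusterSnapshotIdentifier": snapshot_id, "DBClusterIdentifier": old}),
        # The snapshot must reach "available" before it can be restored.
        ("wait_for_snapshot", {"snapshot_id": snapshot_id}),
        # Step 2: restore it as a new cluster; passing KmsKeyId turns encryption on.
        ("restore_db_cluster_from_snapshot",
         {"DBClusterIdentifier": new, "SnapshotIdentifier": snapshot_id,
          "Engine": "docdb", "KmsKeyId": kms_key_arn}),
    ]
    # A restored cluster has no instances, so recreate one per original member.
    for inst in finding["instances"]:
        plan.append(("create_db_instance",
                     {"DBInstanceIdentifier": f"{inst}-encrypted", "DBInstanceClass": instance_class,
                      "Engine": "docdb", "DBClusterIdentifier": new}))
    # Step 3: delete the old instances first, then the old cluster. Deletion
    # protection, if enabled, must be switched off or DeleteDBCluster fails.
    for inst in finding["instances"]:
        plan.append(("delete_db_instance", {"DBInstanceIdentifier": inst}))
    if finding.get("deletion_protection"):
        plan.append(("modify_db_cluster", {"DBClusterIdentifier": old, "DeletionProtection": False}))
    # The snapshot from step 1 already exists, so no final snapshot is taken here.
    plan.append(("delete_db_cluster", {"DBClusterIdentifier": old, "SkipFinalSnapshot": True}))
    return plan


def wait_for_snapshot(client, snapshot_id: str, poll_seconds: int = 30) -> None:
    """Poll DescribeDBClusterSnapshots until the snapshot is available."""
    while True:
        snap = client.describe_db_cluster_snapshots(
            DBClusterSnapshotIdentifier=snapshot_id)["DBClusterSnapshots"][0]
        if snap["Status"] == "available":
            return
        time.sleep(poll_seconds)


def apply_plan(client, plan: List[Step]) -> None:
    """Execute a plan in order against a boto3 docdb client."""
    for method, kwargs in plan:
        if method == "wait_for_snapshot":
            wait_for_snapshot(client, **kwargs)
        else:
            getattr(client, method)(**kwargs)


if __name__ == "__main__":
    import boto3  # imported here so the pure functions above run without it

    docdb = boto3.client("docdb")
    for finding in scan_account(docdb):
        print("unencrypted DocumentDB cluster:", finding["cluster"])
        for method, kwargs in remediation_plan(finding, KMS_KEY_ARN):
            print("   ", method, kwargs)
        # apply_plan(docdb, remediation_plan(finding, KMS_KEY_ARN))  # run after review
```

The plan is kept separate from its execution so that the exact API calls (and the cluster that will be deleted) can be reviewed before anything changes; the restored cluster gets a new identifier, so applications must be repointed to its endpoint before the old cluster is removed.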