DocumentDB cluster encryption should not be disabled
- GG_ID: GG_IAC_0036
- Severity: HIGH
- Complexity: LOW
- Categories: DATA, PERMISSION
- Providers: AWS
- Potential data exposure: True
- Visible in logs: False
- User interaction required: False
- Privileges required: True
# Description
Amazon DocumentDB is a fully managed AWS database service purpose-built for JSON document workloads at scale. Its storage should always be encrypted at rest, so that the data stays protected if access to the underlying storage, a snapshot or a backup is compromised.
# Impact
Data that is not encrypted at rest can be read directly by an attacker who obtains the storage volumes, a snapshot or a backup of the cluster, leading to a data leak.
# Remediation guidelines
Encryption cannot be enabled on an existing unencrypted DocumentDB cluster, so the cluster has to be re-created manually:
- Take a snapshot of the unencrypted cluster (the snapshot itself is unencrypted).
- Restore a new cluster from that snapshot, specifying the AWS KMS key to use; the restored cluster is encrypted at rest.
- Create instances in the new cluster and switch applications to its endpoint, then delete every instance of the unencrypted cluster, delete the cluster itself, and delete the interim unencrypted snapshot (via the AWS Management Console or the AWS CLI).
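The procedure above, scripted with the AWS CLI, as an added example that is not part of the original rule page. It also shows the check a practitioner runs before decommissioning anything: parsing a describe-db-clusters response for StorageEncrypted. Every identifier (cluster names, snapshot name, KMS key alias, instance class) is an assumption to be replaced for a real account; that supplying --kms-key-id when restoring an unencrypted snapshot yields an encrypted cluster is taken from the DocumentDB restore behaviour and should be confirmed against current AWS documentation. With DRY_RUN=1 (the default) the script only prints the commands it would run and substitutes constructed API responses, so it can be reviewed offline.

```shell
#!/usr/bin/env bash
# Added example (not the rule page's own code): re-create an unencrypted
# Amazon DocumentDB cluster as an encrypted one via snapshot + restore.
# All identifiers below are assumptions; set them for your account.
# DRY_RUN=1 prints the aws CLI commands and uses constructed responses.
set -eu

SRC_CLUSTER="${SRC_CLUSTER:-docdb-unencrypted}"        # assumed: existing cluster
DST_CLUSTER="${DST_CLUSTER:-docdb-encrypted}"          # assumed: replacement name
SNAPSHOT_ID="${SNAPSHOT_ID:-${SRC_CLUSTER}-migration}" # assumed: interim snapshot
KMS_KEY_ID="${KMS_KEY_ID:-alias/docdb-at-rest}"        # assumed: CMK alias or ARN
INSTANCE_CLASS="${INSTANCE_CLASS:-db.r5.large}"        # assumed
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Succeed only if a describe-db-clusters JSON document (stdin) reports
# encryption at rest. grep keeps the check free of a jq dependency.
cluster_is_encrypted() {
  grep -Eq '"StorageEncrypted"[[:space:]]*:[[:space:]]*true'
}

# Step 1: snapshot the unencrypted cluster and wait until it is available.
# The snapshot inherits the cluster's missing encryption: delete it at the end.
snapshot_source() {
  run aws docdb create-db-cluster-snapshot \
    --db-cluster-identifier "$SRC_CLUSTER" \
    --db-cluster-snapshot-identifier "$SNAPSHOT_ID"
  if [ "$DRY_RUN" != "1" ]; then
    until [ "$(aws docdb describe-db-cluster-snapshots \
          --db-cluster-snapshot-identifier "$SNAPSHOT_ID" \
          --query 'DBClusterSnapshots[0].Status' --output text)" = "available" ]; do
      sleep 30
    done
  fi
}

# Step 2: restore into a new cluster, passing the KMS key so the restored
# cluster is encrypted (assumed restore behaviour, see lead-in). A restored
# cluster has no instances, so create at least one.
restore_encrypted() {
  run aws docdb restore-db-cluster-from-snapshot \
    --db-cluster-identifier "$DST_CLUSTER" \
    --snapshot-identifier "$SNAPSHOT_ID" \
    --engine docdb \
    --kms-key-id "$KMS_KEY_ID"
  run aws docdb create-db-instance \
    --db-instance-identifier "${DST_CLUSTER}-1" \
    --db-cluster-identifier "$DST_CLUSTER" \
    --db-instance-class "$INSTANCE_CLASS" \
    --engine docdb
}

# Step 3: verify encryption before touching the old cluster. In dry-run mode a
# constructed describe-db-clusters response stands in for the live call.
verify_encrypted() {
  if [ "$DRY_RUN" = "1" ]; then
    resp="{\"DBClusters\":[{\"DBClusterIdentifier\":\"$DST_CLUSTER\",\"StorageEncrypted\": true}]}"
  else
    resp=$(aws docdb describe-db-clusters --db-cluster-identifier "$DST_CLUSTER" --output json)
  fi
  printf '%s' "$resp" | cluster_is_encrypted
}

# Step 4: delete the unencrypted instances, the cluster and the interim
# snapshot. Member instance IDs come from the cluster description
# (a constructed list in dry-run mode).
delete_source() {
  if [ "$DRY_RUN" = "1" ]; then
    members="${SRC_CLUSTER}-1 ${SRC_CLUSTER}-2"
  else
    members=$(aws docdb describe-db-clusters --db-cluster-identifier "$SRC_CLUSTER" \
      --query 'DBClusters[0].DBClusterMembers[].DBInstanceIdentifier' --output text)
  fi
  for m in $members; do
    run aws docdb delete-db-instance --db-instance-identifier "$m"
  done
  run aws docdb delete-db-cluster --db-cluster-identifier "$SRC_CLUSTER" --skip-final-snapshot
  run aws docdb delete-db-cluster-snapshot --db-cluster-snapshot-identifier "$SNAPSHOT_ID"
}

main() {
  snapshot_source
  restore_encrypted
  verify_encrypted || { echo "restored cluster is not encrypted; aborting" >&2; return 1; }
  delete_source
}

# Usage: DRY_RUN=0 ./docdb-encrypt.sh migrate
if [ "${1:-}" = "migrate" ]; then main; fi
```

Two caveats a practitioner should check before running with DRY_RUN=0: delete-db-cluster fails while deletion protection is enabled on the source cluster, and --skip-final-snapshot is deliberate here because a final snapshot of the unencrypted cluster would itself be unencrypted. Applications must be repointed to the new cluster endpoint between steps 3 and 4, since the restored cluster gets a new identifier and endpoint.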