DocumentDB cluster encryption should not be disabled
| Severity | Exploitability | Providers | Categories |
|---|---|---|---|
| HIGH | HIGH | AWS | DATA, PERMISSION |
Description#
Amazon DocumentDB is a database service that is purpose-built for JSON data management at scale, fully managed and integrated with AWS. The data should always be encrypted at rest to protect the data if accesses are compromised.
Impact#
| Potential data exposure | Visible in logs | User interaction required | Privileges required |
|---|---|---|---|
| True | False | False | True |
Not encrypting data at rest could lead to data leak in case of attack.
Remediation guidelines#
Since it is not possible to encrypt an existing unencrypted DocumentDB cluster, you will have to perform manual steps:
- Create an unencrypted snapshot of the cluster.
- Create an encrypted cluster from the unencrypted snapshot by specifying the AWS KMS key.
- Delete all the instances the unencrypted cluster has and delete it after on the AWS Management Console.