Ensure DocDB is encrypted at rest

The encryption feature available for Amazon DocumentDB clusters provides an additional layer of data protection by helping secure your data against unauthorized access to the underlying storage. Amazon DocumentDB allows you to encrypt your clusters using keys managed through the AWS Key Management Service (KMS). On a cluster running with Amazon DocumentDB encryption, data stored at rest in the underlying storage is encrypted, as are its automated backups, snapshots, and replicas in the same cluster

Risk Level: High
Cloud Entity: AWS DocDB DBCluster
CloudGuard Rule ID: D9.CFT.CRY.20
Covered by Spectral: No
Category: Database


AWS_DocDB_DBCluster should have StorageEncrypted=true


From CFT
Supply AWS::DocDB::DBCluster::StorageEncrypted with Boolean value 'true'
See below example;

Type: "AWS::DocDB::DBCluster"
DBClusterIdentifier : "sample-cluster"
StorageEncrypted : true


  1. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-docdb-dbcluster.html#cfn-docdb-dbcluster-storageencrypted

AWS DocDB DBCluster

The AWS::DocDB::DBCluster Amazon DocumentDB (with MongoDB compatibility) resource describes a DBCluster. Amazon DocumentDB is a fully managed, MongoDB-compatible document database engine.

Compliance Frameworks

  • AWS CloudFormation ruleset