Ensure DocDB has audit logs enabled

Ensure that audit logging is enabled on your Amazon DocumentDB cluster. When enabled, it records Data Definition Language (DDL), authentication, authorization, and user management events to Amazon CloudWatch Logs. Amazon DocumentDB exports your cluster's auditing records (JSON documents) to Amazon CloudWatch Logs, where you can analyze, monitor, and archive your Amazon DocumentDB auditing events. Logged events include successful and failed authentication attempts, dropping a collection in a database, and creating an index.

Risk Level: Low
Cloud Entity: AWS DocDB DBCluster
CloudGuard Rule ID: D9.CFT.LOG.10
Covered by Spectral: No
Category: Database

GSL LOGIC

AWS_DocDB_DBCluster should have EnableCloudwatchLogsExports contain-any['audit']

REMEDIATION

From CFT
Supply AWS::DocDB::DBCluster::EnableCloudwatchLogsExports with ["audit"]
See the example below:

Resources:
  myDBInstance:
    Type: "AWS::DocDB::DBCluster"
    Properties:
      ...
      EnableCloudwatchLogsExports: ["audit"]
      ...
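As an added example (not CloudGuard's or AWS's own code), the GSL rule's contain-any check applied statically to a CloudFormation template in its JSON form: it walks the Resources section, reports each DocDB cluster as pass, fail or unresolved (the property is an intrinsic such as Ref), and runs against a constructed sample template. The resource names and the LogExportsParam parameter are assumptions.

```python
# Static check mirroring the GSL rule: flag DocDB clusters whose
# EnableCloudwatchLogsExports does not contain 'audit'. (Added example.)
import json

REQUIRED_EXPORTS = {"audit"}


def docdb_audit_findings(template: dict) -> dict:
    """Map each AWS::DocDB::DBCluster logical id to 'pass', 'fail' or
    'unresolved' (value is an intrinsic such as Ref, not evaluable statically)."""
    findings = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::DocDB::DBCluster":
            continue
        exports = res.get("Properties", {}).get("EnableCloudwatchLogsExports")
        if exports is None:
            findings[logical_id] = "fail"  # property omitted: nothing is exported
        elif isinstance(exports, list) and all(isinstance(e, str) for e in exports):
            # contain-any['audit']: at least one required export must be listed
            findings[logical_id] = "pass" if REQUIRED_EXPORTS & set(exports) else "fail"
        else:
            findings[logical_id] = "unresolved"
    return findings


# Constructed sample template (JSON form of a CFT); 'profiler' is the other
# export type DocumentDB supports, and it does not satisfy the rule on its own.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "AuditedCluster": {"Type": "AWS::DocDB::DBCluster",
      "Properties": {"EnableCloudwatchLogsExports": ["audit", "profiler"]}},
    "ProfilerOnlyCluster": {"Type": "AWS::DocDB::DBCluster",
      "Properties": {"EnableCloudwatchLogsExports": ["profiler"]}},
    "NoExportsCluster": {"Type": "AWS::DocDB::DBCluster",
      "Properties": {"DBClusterIdentifier": "example-cluster"}},
    "ParamCluster": {"Type": "AWS::DocDB::DBCluster",
      "Properties": {"EnableCloudwatchLogsExports": {"Ref": "LogExportsParam"}}},
    "UnrelatedBucket": {"Type": "AWS::S3::Bucket"}
  }
}""")

if __name__ == "__main__":
    for name, status in docdb_audit_findings(SAMPLE_TEMPLATE).items():
        print(f"{name}: {status}")
```

An unresolved result means the value comes from a parameter or condition, so the deployed cluster should be verified from the live API rather than from the template alone.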

References

  1. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-docdb-dbcluster.html#cfn-docdb-dbcluster-enablecloudwatchlogsexports
  2. https://docs.aws.amazon.com/documentdb/latest/developerguide/event-auditing.html#event-auditing-enabling-auditing

AWS DocDB DBCluster

The AWS::DocDB::DBCluster Amazon DocumentDB (with MongoDB compatibility) resource describes a DBCluster. Amazon DocumentDB is a fully managed, MongoDB-compatible document database engine.

Compliance Frameworks

  • AWS CloudFormation ruleset