Ensure DocDB Logging is enabled

Ensure that DocDB logging is enabled on your DB cluster. When enabled, it provides a variety of Amazon CloudWatch metrics that you can monitor to determine the health and performance of your Amazon DocumentDB clusters and instances. With audit logs you can audit events that were performed in your cluster, such as successful and failed authentication attempts, dropping a collection in a database, or creating an index. You can use the profiler to log the execution time and details of operations that were performed on your cluster. The profiler is useful for monitoring the slowest operations on your cluster, to help you improve individual query performance and overall cluster performance.

Risk Level: Low
Cloud Entity: AWS DocDB DBCluster
CloudGuard Rule ID: D9.CFT.LOG.11
Covered by Spectral: Yes
Category: Database

GSL LOGIC

AWS_DocDB_DBCluster should have EnableCloudwatchLogsExports contain ['audit'] and EnableCloudwatchLogsExports contain ['profiler']

REMEDIATION

From CFT
Supply AWS::DocDB::DBCluster::EnableCloudwatchLogsExports with ["audit","profiler"], as in the example below:

Resources:
  myDBInstance:
    Type: "AWS::DocDB::DBCluster"
    Properties:
      ...
      EnableCloudwatchLogsExports: ["audit","profiler"]
      ...
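As an added example (not part of this rule page or CloudGuard's own code), the following Python applies the GSL logic above to a parsed CloudFormation template and adds a companion check that the referenced cluster parameter group actually enables audit_logs and profiler, because the CloudWatch export alone only delivers records the engine has been configured to produce (references 2 and 3). The sample templates, the logical ID myParamGroup and the profiler_threshold_ms value are constructed.

```python
"""Offline check of CloudGuard rule D9.CFT.LOG.11 on a parsed CloudFormation template (plain dicts)."""

REQUIRED_EXPORTS = {"audit", "profiler"}  # GSL logic: EnableCloudwatchLogsExports must contain both


def docdb_logging_findings(template: dict) -> dict:
    """Map each AWS::DocDB::DBCluster logical ID to its list of problems (empty list = compliant)."""
    resources = template.get("Resources", {}) or {}
    findings = {}
    for logical_id, res in resources.items():
        if res.get("Type") != "AWS::DocDB::DBCluster":
            continue
        props = res.get("Properties", {}) or {}
        exports = set(props.get("EnableCloudwatchLogsExports", []) or [])
        problems = [f"missing CloudWatch log export '{e}'" for e in sorted(REQUIRED_EXPORTS - exports)]
        # Companion check beyond the GSL rule: exporting to CloudWatch does not by itself produce
        # audit or profiler records; the cluster parameter group must enable them (references 2 and 3).
        pg_ref = props.get("DBClusterParameterGroupName")
        if isinstance(pg_ref, dict) and "Ref" in pg_ref:
            group = resources.get(pg_ref["Ref"], {}) or {}
            params = (group.get("Properties", {}) or {}).get("Parameters", {}) or {}
            for name in ("audit_logs", "profiler"):
                if str(params.get(name, "disabled")).lower() == "disabled":
                    problems.append(f"parameter group '{pg_ref['Ref']}' leaves {name} disabled")
        elif pg_ref is None:
            problems.append("no DBClusterParameterGroupName; the default group leaves audit_logs and profiler disabled")
        findings[logical_id] = problems
    return findings


# Constructed sample: the cluster exports audit logs only, so the rule fails.
NONCOMPLIANT = {"Resources": {"myDBInstance": {
    "Type": "AWS::DocDB::DBCluster",
    "Properties": {"EnableCloudwatchLogsExports": ["audit"]}}}}

# Constructed sample: both exports set and the parameter group enables audit_logs and profiler.
COMPLIANT = {"Resources": {
    "myParamGroup": {
        "Type": "AWS::DocDB::DBClusterParameterGroup",
        "Properties": {"Family": "docdb5.0", "Description": "logging enabled",
                       "Parameters": {"audit_logs": "enabled", "profiler": "enabled",
                                      "profiler_threshold_ms": 100}}},
    "myDBInstance": {
        "Type": "AWS::DocDB::DBCluster",
        "Properties": {"DBClusterParameterGroupName": {"Ref": "myParamGroup"},
                       "EnableCloudwatchLogsExports": ["audit", "profiler"]}}}}

if __name__ == "__main__":
    for name, tpl in (("NONCOMPLIANT", NONCOMPLIANT), ("COMPLIANT", COMPLIANT)):
        print(name, docdb_logging_findings(tpl))
```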

References

  1. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-docdb-dbcluster.html#cfn-docdb-dbcluster-enablecloudwatchlogsexports
  2. https://docs.aws.amazon.com/documentdb/latest/developerguide/event-auditing.html#event-auditing-enabling-auditing
  3. https://docs.aws.amazon.com/documentdb/latest/developerguide/profiling.html#profiling.enable-profiling

AWS DocDB DBCluster

The AWS::DocDB::DBCluster Amazon DocumentDB (with MongoDB compatibility) resource describes a DBCluster. Amazon DocumentDB is a fully managed, MongoDB-compatible document database engine.

Compliance Frameworks

  • AWS CloudFormation ruleset