Ensure DocDB Logging is enabled

Risk Level: Low
Cloud Entity: AWS DocDB DBCluster
CloudGuard Rule ID: D9.CFT.LOG.11
Covered by Spectral: Yes
Category: Database

GSL LOGIC

AWS_DocDB_DBCluster should have EnableCloudwatchLogsExports contain ['audit'] and EnableCloudwatchLogsExports contain ['profiler']

REMEDIATION

From CFT
Set the EnableCloudwatchLogsExports property of the AWS::DocDB::DBCluster resource to ["audit","profiler"] so that both the audit log and the profiler log are exported to CloudWatch Logs.
See the example below:

Resources:
  myDBInstance:
    Type: "AWS::DocDB::DBCluster"
    Properties:
      ...
      EnableCloudwatchLogsExports: ["audit", "profiler"]
      ...
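The following is an added example, not part of the CloudGuard rule page or of Check Point's own tooling: a small static check that applies the GSL logic above to a CloudFormation template. It parses the template from its JSON form (CloudFormation accepts JSON as well as YAML, and the standard library can read it without extra packages), walks every AWS::DocDB::DBCluster resource, and reports which of the two required log types ('audit', 'profiler') are missing from EnableCloudwatchLogsExports. The template embedded in SAMPLE_TEMPLATE and its logical IDs are constructed for this example; the function name find_noncompliant_docdb_clusters is an assumption of the example, not a CloudGuard or AWS API.

```python
import json

# Constructed sample template (JSON form of a CloudFormation template).
# One cluster is compliant, one exports only the audit log, one exports
# nothing, and one resource is of an unrelated type. Not from the original page.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "CompliantCluster": {
            "Type": "AWS::DocDB::DBCluster",
            "Properties": {
                "MasterUsername": "docdbadmin",
                "MasterUserPassword": "PLACEHOLDER-use-a-secret-reference",
                "EnableCloudwatchLogsExports": ["audit", "profiler"],
            },
        },
        "AuditOnlyCluster": {
            "Type": "AWS::DocDB::DBCluster",
            "Properties": {"EnableCloudwatchLogsExports": ["audit"]},
        },
        "NoExportsCluster": {
            "Type": "AWS::DocDB::DBCluster",
            "Properties": {},
        },
        "UnrelatedBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
})

# The two log types the rule D9.CFT.LOG.11 requires.
REQUIRED_LOG_TYPES = {"audit", "profiler"}


def find_noncompliant_docdb_clusters(template_text):
    """Return {logical_id: [missing log types]} for every AWS::DocDB::DBCluster
    whose EnableCloudwatchLogsExports does not contain both 'audit' and
    'profiler'. Clusters that satisfy the rule are not reported."""
    template = json.loads(template_text)
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::DocDB::DBCluster":
            continue
        props = resource.get("Properties") or {}
        exports = props.get("EnableCloudwatchLogsExports") or []
        if isinstance(exports, str):
            # A single bare string is tolerated and treated as a one-item list.
            exports = [exports]
        elif isinstance(exports, dict):
            # An intrinsic function (Ref, Fn::If, ...) cannot be evaluated
            # statically; treat it conservatively as exporting nothing.
            exports = []
        missing = REQUIRED_LOG_TYPES - set(exports)
        if missing:
            findings[logical_id] = sorted(missing)
    return findings


if __name__ == "__main__":
    for cluster, missing in find_noncompliant_docdb_clusters(SAMPLE_TEMPLATE).items():
        print(f"{cluster}: EnableCloudwatchLogsExports is missing {missing}")
```

Exporting the log types is only half of the setup: per the AWS documentation referenced below, the audit log is produced only when the cluster parameter group has audit_logs enabled, and the profiler log only when the profiler parameter is enabled, so a cluster can pass this template check and still emit no events. A check run against a live account should therefore also inspect the cluster's parameter group.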

References

  1. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-docdb-dbcluster.html#cfn-docdb-dbcluster-enablecloudwatchlogsexports
  2. https://docs.aws.amazon.com/documentdb/latest/developerguide/event-auditing.html#event-auditing-enabling-auditing
  3. https://docs.aws.amazon.com/documentdb/latest/developerguide/profiling.html#profiling.enable-profiling

AWS DocDB DBCluster

The AWS::DocDB::DBCluster Amazon DocumentDB (with MongoDB compatibility) resource describes a DBCluster. Amazon DocumentDB is a fully managed, MongoDB-compatible document database engine.

Compliance Frameworks

  • AWS CloudFormation ruleset