Ensure DocDB Logging is enabled
Ensure that DocDB Logging is enabled on your DB. When enabled, it provides a variety of Amazon CloudWatch metrics that you can monitor to determine the health and performance of your Amazon DocumentDB clusters and instances. With audit logs you can audit events that were performed in your cluster, such as successful and failed authentication attempts, dropping a collection in a database, or creating an index. You can use the profiler to log the execution time and details of operations that were performed on your cluster. The profiler is useful for monitoring the slowest operations on your cluster, to help you improve individual query performance and overall cluster performance.
Risk Level: Low
Cloud Entity: AWS DocDB DBCluster
CloudGuard Rule ID: D9.CFT.LOG.11
Covered by Spectral: Yes
Category: Database
GSL LOGIC
AWS_DocDB_DBCluster should have EnableCloudwatchLogsExports contain ['audit'] and EnableCloudwatchLogsExports contain [ 'profiler']
REMEDIATION
From CFT
Supply AWS::DocDB::DBCluster::EnableCloudwatchLogsExports with ["audit","profiler"]
See the example below:
Resources:
  myDBInstance:
    Type: "AWS::DocDB::DBCluster"
    Properties:
      ...
      EnableCloudwatchLogsExports: ["audit", "profiler"]
      ...
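As an added illustration (not part of the CloudGuard rule, its GSL, or the AWS documentation), the following Python check applies the same logic as the GSL above to a CloudFormation template in JSON form: it reports every AWS::DocDB::DBCluster whose EnableCloudwatchLogsExports is missing 'audit' or 'profiler'. The template embedded in the script is a constructed sample.

```python
"""Static check for the DocDB logging rule (audit + profiler log exports)
against a CloudFormation template loaded as a dict."""
import json

# Both log types the rule requires in EnableCloudwatchLogsExports.
REQUIRED_EXPORTS = {"audit", "profiler"}


def find_docdb_logging_findings(template: dict) -> list:
    """Return one finding per AWS::DocDB::DBCluster resource whose
    EnableCloudwatchLogsExports does not contain both 'audit' and 'profiler'."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::DocDB::DBCluster":
            continue
        props = resource.get("Properties", {})
        exports = props.get("EnableCloudwatchLogsExports", [])
        if not isinstance(exports, list):
            # An intrinsic function (Ref, Fn::If, ...) cannot be verified
            # statically, so treat it as not proven compliant.
            exports = []
        missing = sorted(REQUIRED_EXPORTS - set(exports))
        if missing:
            findings.append({"resource": logical_id, "missing": missing})
    return findings


# Constructed sample template: one compliant cluster, one with audit only,
# one with no log exports at all, and an unrelated resource that is skipped.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "CompliantCluster": {
      "Type": "AWS::DocDB::DBCluster",
      "Properties": {"EnableCloudwatchLogsExports": ["audit", "profiler"]}
    },
    "AuditOnlyCluster": {
      "Type": "AWS::DocDB::DBCluster",
      "Properties": {"EnableCloudwatchLogsExports": ["audit"]}
    },
    "NoLoggingCluster": {
      "Type": "AWS::DocDB::DBCluster",
      "Properties": {"DeletionProtection": true}
    },
    "UnrelatedBucket": {"Type": "AWS::S3::Bucket"}
  }
}
""")

if __name__ == "__main__":
    for finding in find_docdb_logging_findings(SAMPLE_TEMPLATE):
        print(f"{finding['resource']}: missing log exports {finding['missing']}")
```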
References
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-docdb-dbcluster.html#cfn-docdb-dbcluster-enablecloudwatchlogsexports
- https://docs.aws.amazon.com/documentdb/latest/developerguide/event-auditing.html#event-auditing-enabling-auditing
- https://docs.aws.amazon.com/documentdb/latest/developerguide/profiling.html#profiling.enable-profiling
AWS DocDB DBCluster
The AWS::DocDB::DBCluster Amazon DocumentDB (with MongoDB compatibility) resource describes a DBCluster. Amazon DocumentDB is a fully managed, MongoDB-compatible document database engine.
Compliance Frameworks
- AWS CloudFormation ruleset
Updated about 1 year ago