Ensure DocDB TLS is not disabled

TLS can be used to encrypt the connection between an application and a DocDB cluster. By default, encryption in transit is enabled for newly created clusters. It can optionally be disabled when the cluster is created, or at a later time. When enabled, secure connections using TLS are required to connect to the cluster.

Risk Level: High
Cloud Entity: AWS DocDB DBClusterParameterGroup
CloudGuard Rule ID: D9.CFT.NET.28
Covered by Spectral: No
Category: Database


AWS_DocDB_DBClusterParameterGroup should have Parameters.tls='enabled'


From CFT

Name: "sampleParameterGroup"
tls: "enabled"


  1. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-docdb-dbclusterparametergroup.html#cfn-docdb-dbclusterparametergroup-parameters

AWS DocDB DBClusterParameterGroup

The AWS::DocDB::DBClusterParameterGroup Amazon DocumentDB (with MongoDB compatibility) resource describes a DBClusterParameterGroup. Parameters in a cluster parameter group apply to all of the instances in a cluster. A cluster parameter group is initially created with the default parameters for the database engine used by instances in the cluster. To provide custom values for any of the parameters, you must modify the group after you create it. After you create a DB cluster parameter group, you must associate it with your cluster. For the new cluster parameter group and associated settings to take effect, you must then reboot the DB instances in the cluster without failover.

Compliance Frameworks

  • AWS CloudFormation ruleset