DocumentDB cluster not encrypted
Ce produit n'est pas pris en charge par le
site Datadog que vous avez sélectionné. (
).
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Id: bc1f9009-84a0-490f-ae09-3e0ea6d74ad6
Cloud Provider: AWS
Platform: Terraform
Severity: High
Category: Encryption
Learn More
Description
This check verifies whether Amazon DocumentDB cluster storage encryption is enabled. DocumentDB clusters store sensitive data and should have storage encryption enabled to protect data at rest. When storage encryption is disabled or not configured, data stored in the cluster is vulnerable to unauthorized access if the underlying storage is compromised.
To properly secure a DocumentDB cluster, ensure the storage_encrypted attribute is explicitly set to true, as shown in the example below:
resource "aws_docdb_cluster" "docdb" {
cluster_identifier = "my-docdb-cluster"
// ... other configuration ...
storage_encrypted = true
}
Compliant Code Examples
resource "aws_docdb_cluster" "docdb" {
cluster_identifier = "my-docdb-cluster"
engine = "docdb"
master_username = "foo"
master_password = "mustbeeightchars"
backup_retention_period = 5
preferred_backup_window = "07:00-09:00"
skip_final_snapshot = true
storage_encrypted = true
}
Non-Compliant Code Examples
resource "aws_docdb_cluster" "docdb" {
cluster_identifier = "my-docdb-cluster"
engine = "docdb"
master_username = "foo"
master_password = "mustbeeightchars"
backup_retention_period = 5
preferred_backup_window = "07:00-09:00"
skip_final_snapshot = true
}
resource "aws_docdb_cluster" "docdb_2" {
cluster_identifier = "my-docdb-cluster"
engine = "docdb"
master_username = "foo"
master_password = "mustbeeightchars"
backup_retention_period = 5
preferred_backup_window = "07:00-09:00"
skip_final_snapshot = true
storage_encrypted = false
}
