DocumentDB cluster encrypted with AWS managed key

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > DocumentDB cluster encrypted with AWS managed key

Metadata

Id: 2134641d-30a4-4b16-8ffc-2cd4c4ffd15d

Cloud Provider: aws

Framework: Terraform

Severity: Low

Category: Encryption

Learn More

Provider Reference

Description

Amazon DocumentDB clusters should be encrypted using customer-managed AWS Key Management Service (KMS) keys rather than default AWS-managed keys. When the kms_key_id attribute in the aws_docdb_cluster resource is set to an AWS-managed key such as alias/aws/rds, as in the configuration below, it limits the organization’s ability to control, rotate, and audit the usage of encryption keys, potentially weakening the security posture:

data "aws_kms_key" "test" {
  key_id = "alias/aws/rds"
}

resource "aws_docdb_cluster" "test2" {
  ...
  storage_encrypted   = true
  kms_key_id          = data.aws_kms_key.test.arn
}

If this misconfiguration is left unaddressed, sensitive data stored in the DocumentDB cluster may be at risk because AWS retains full control of the KMS key, making it difficult to restrict or monitor access and respond to compliance requirements. Using customer-managed KMS keys allows for finer-grained access control, detailed key usage logging, and key lifecycle management, helping protect data from unauthorized access and achieving regulatory compliance.

Compliant Code Examples

provider "aws" {
  region = "us-east-1"
}

data "aws_kms_key" "test2" {
  key_id = "alias/myAlias"
}

resource "aws_docdb_cluster" "test22" {
  cluster_identifier  = "my-docdb-cluster-test2"
  engine              = "docdb"
  master_username     = "foo"
  master_password     = "mustbeeightchars"
  skip_final_snapshot = true
  storage_encrypted   = true
  kms_key_id          = data.aws_kms_key.test2.arn
}

Non-Compliant Code Examples

provider "aws" {
  region = "us-east-1"
}

data "aws_kms_key" "test" {
  key_id = "alias/aws/rds"
}

resource "aws_docdb_cluster" "test2" {
  cluster_identifier  = "my-docdb-cluster-test2"
  engine              = "docdb"
  master_username     = "foo"
  master_password     = "mustbeeightchars"
  skip_final_snapshot = true
  storage_encrypted   = true
  kms_key_id          = data.aws_kms_key.test.arn
}