--- title: DocumentDB cluster encrypted with AWS managed key description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > DocumentDB cluster encrypted with AWS managed key --- # DocumentDB cluster encrypted with AWS managed key {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). (). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `2134641d-30a4-4b16-8ffc-2cd4c4ffd15d` **Cloud Provider:** AWS **Platform:** Terraform **Severity:** Low **Category:** Encryption #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#kms_key_id) ### Description{% #description %} Amazon DocumentDB clusters should be encrypted using customer-managed AWS Key Management Service (KMS) keys rather than default AWS-managed keys. When the `kms_key_id` attribute in the `aws_docdb_cluster` resource is set to an AWS-managed key such as `alias/aws/rds`, as in the configuration below, it limits the organization's ability to control, rotate, and audit the usage of encryption keys, potentially weakening the security posture: ``` data "aws_kms_key" "test" { key_id = "alias/aws/rds" } resource "aws_docdb_cluster" "test2" { ... storage_encrypted = true kms_key_id = data.aws_kms_key.test.arn } ``` If this misconfiguration is left unaddressed, sensitive data stored in the DocumentDB cluster may be at risk because AWS retains full control of the KMS key, making it difficult to restrict or monitor access and respond to compliance requirements. Using customer-managed KMS keys allows for finer-grained access control, detailed key usage logging, and key lifecycle management, helping protect data from unauthorized access and achieving regulatory compliance. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform provider "aws" { region = "us-east-1" } data "aws_kms_key" "test2" { key_id = "alias/myAlias" } resource "aws_docdb_cluster" "test22" { cluster_identifier = "my-docdb-cluster-test2" engine = "docdb" master_username = "foo" master_password = "mustbeeightchars" skip_final_snapshot = true storage_encrypted = true kms_key_id = data.aws_kms_key.test2.arn } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform provider "aws" { region = "us-east-1" } data "aws_kms_key" "test" { key_id = "alias/aws/rds" } resource "aws_docdb_cluster" "test2" { cluster_identifier = "my-docdb-cluster-test2" engine = "docdb" master_username = "foo" master_password = "mustbeeightchars" skip_final_snapshot = true storage_encrypted = true kms_key_id = data.aws_kms_key.test.arn } ```