Ensure KMS customer managed keys are used for encryption of AWS DocumentDB Clusters

MEDIUM

Description

Encryption at rest helps protect the confidentiality and integrity of stored data. It can only be enabled or disabled when the cluster is provisioned, so the setting should be chosen when the DocumentDB cluster is launched, using a customer managed KMS key rather than the AWS managed default key. For more information, see the AWS documentation.
References:
https://docs.aws.amazon.com/documentdb/latest/developerguide/security.data-protection.html

Remediation

In AWS Console -

  1. Sign in to AWS Console and go to DocumentDB dashboard.
  2. Select Clusters in the navigation pane.
  3. Select the AWS DocumentDB cluster to examine, and view the Cluster identifier column.
  4. Verify that the 'Encryption at-rest' value is set to 'Yes' and that the 'KMS key' attribute shows a valid KMS key ARN.

In Terraform -

  1. In the aws_docdb_cluster resource, set the kms_key_id field to a valid KMS key ARN.
  2. Ensure that the storage_encrypted field is set to true.
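The following is an added example, not taken from the policy or the Terraform provider docs, showing a non-compliant cluster definition beside the remediated one. The key alias, cluster identifier and credentials are placeholders; the `aws_kms_key` resource and its `enable_key_rotation` attribute are assumed to exist in the AWS provider.

```terraform
# NON-COMPLIANT (as flagged by this policy): no kms_key_id, so the cluster is
# either unencrypted or falls back to the AWS managed default key.
resource "aws_docdb_cluster" "bad" {
  cluster_identifier = "docdb-example-bad"   # placeholder
  master_username    = "docdbadmin"          # placeholder
  master_password    = var.master_password   # assumed variable; never hard-code
  storage_encrypted  = false                 # encryption at rest disabled
}

# Customer managed KMS key used to encrypt the cluster storage.
resource "aws_kms_key" "docdb" {
  description             = "CMK for DocumentDB encryption at rest"
  deletion_window_in_days = 30
  enable_key_rotation     = true   # automatic annual rotation for the CMK
}

resource "aws_kms_alias" "docdb" {
  name          = "alias/docdb-example"   # placeholder alias
  target_key_id = aws_kms_key.docdb.key_id
}

# COMPLIANT: storage_encrypted must be true for kms_key_id to take effect,
# and kms_key_id must be a KMS key ARN (not an alias).
resource "aws_docdb_cluster" "good" {
  cluster_identifier = "docdb-example-good"  # placeholder
  master_username    = "docdbadmin"          # placeholder
  master_password    = var.master_password   # assumed variable; never hard-code
  storage_encrypted  = true
  kms_key_id         = aws_kms_key.docdb.arn
}
```

Because encryption at rest is fixed at creation, changing `storage_encrypted` or `kms_key_id` on an existing cluster forces Terraform to replace it; plan a snapshot-and-restore migration rather than applying the change directly to a production cluster.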

References:
https://docs.aws.amazon.com/documentdb/latest/developerguide/encryption-at-rest.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#kms_key_id

Policy Details

Rule Reference ID: AC_AWS_0073
CSP: AWS
Remediation Available: Yes
Resource Category: Database
Resource Type: DocDB

Frameworks