Ensure log export is enabled for AWS DocumentDB clusters

MEDIUM

Description

DocumentDB cluster logs can be exported to CloudWatch for monitoring, which can be used to maintain the health of the environment as well as to audit for security. Alarms can also be set based on those logs so that administrators are made aware when issues arise. For more information, see the AWS documentation.

References:
https://docs.aws.amazon.com/documentdb/latest/developerguide/cloud_watch.html

Remediation

In AWS Console

  1. Sign in to the AWS Console and go to the Amazon DocumentDB console.
  2. Select Clusters in the navigation pane.
  3. Select the cluster to modify.
  4. Select Actions, then click Modify.
  5. Go to Log exports and enable exporting audit or profiler logs.

In Terraform

  1. In the aws_docdb_cluster resource, set the enabled_cloudwatch_logs_exports list to include audit, profiler, or both.
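
The following Terraform snippet is an added example of a configuration that passes this rule; it is not taken from the policy page or from the Terraform provider documentation. Resource names, the parameter group family, the variable name and the credentials handling are assumptions. It also shows a related point the remediation step does not spell out: exporting the audit and profiler log types only produces data when the matching cluster parameters (audit_logs, profiler) are enabled in the cluster's parameter group.

```hcl
# Added example (not from the original policy page): a DocumentDB cluster
# with CloudWatch log export enabled for both audit and profiler logs.
# Names, the "docdb5.0" family and the variable name are assumptions.

variable "docdb_master_password" {
  type      = string
  sensitive = true # keep the secret out of the configuration and plan output
}

resource "aws_docdb_cluster_parameter_group" "logging" {
  family = "docdb5.0"
  name   = "example-docdb-logging"

  # Export alone is not sufficient: the engine only generates these log
  # types when the corresponding cluster parameters are enabled.
  parameter {
    name  = "audit_logs"
    value = "enabled"
  }

  parameter {
    name  = "profiler"
    value = "enabled"
  }
}

resource "aws_docdb_cluster" "example" {
  cluster_identifier              = "example-docdb-cluster"
  engine                          = "docdb"
  master_username                 = "docdbadmin"
  master_password                 = var.docdb_master_password
  db_cluster_parameter_group_name = aws_docdb_cluster_parameter_group.logging.name

  # The setting AC_AWS_0074 checks. Leaving this attribute out (or setting
  # it to an empty list, []) means no logs reach CloudWatch and the rule fails.
  enabled_cloudwatch_logs_exports = ["audit", "profiler"]
}
```

After applying, the log groups appear in CloudWatch Logs under the cluster's name, where metric filters and alarms can be attached as the description above suggests.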

References:
https://docs.aws.amazon.com/documentdb/latest/developerguide/event-auditing.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#enabled_cloudwatch_logs_exports

Policy Details

Rule Reference ID: AC_AWS_0074
CSP: AWS
Remediation Available: Yes
Resource Category: Database
Resource Type: DocDB

Frameworks