Profile Applicability:
Level 1
Description:
This control ensures that Amazon DocumentDB (with MongoDB compatibility) clusters have storage encryption enabled. Encryption protects data at rest — including the underlying storage, automated backups, snapshots, and cluster logs — using AWS Key Management Service (KMS). Enabling encryption helps safeguard sensitive information against unauthorized access or data breaches.
Rationale:
Encrypting Amazon DocumentDB storage ensures that sensitive data is protected even if unauthorized access to the storage medium occurs. It also ensures compliance with security frameworks such as CIS, SOC 2, ISO 27001, and HIPAA. Encryption at rest mitigates the risk of data exposure and is essential for securing databases that store confidential or regulated data.
Impact:
Positive Impact:
Protects data at rest using AWS KMS-managed encryption keys.
Enhances compliance posture for data security and privacy frameworks.
Ensures that backups and snapshots are also encrypted automatically.
Negative Impact:
Encryption cannot be enabled on existing, unencrypted clusters; migration is required.
Slightly increased CPU overhead due to encryption/decryption operations.
Default Value:
By default, encryption is disabled when creating an Amazon DocumentDB cluster. It must be explicitly enabled during cluster creation.
Pre-Requisite:
IAM permissions required: docdb:DescribeDBClusters, docdb:CreateDBCluster, docdb:CopyDBClusterSnapshot, kms:ListKeys
An available AWS KMS key for encryption (aws/docdb or a customer-managed CMK).
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon DocumentDB → Clusters.
Select each cluster and open the Configuration tab.
Under Encryption, verify that Storage encryption is set to Enabled.
Confirm that the KMS Key ID is displayed (e.g., arn:aws:kms:us-east-1:123456789012:key/...).
If encryption is disabled, proceed with the implementation plan.
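The console check above can also be run over the JSON returned by `aws docdb describe-db-clusters` (or boto3's `describe_db_clusters()`). This is an added example, not part of the control text; the cluster names, account number and key ARN in the sample response are constructed.

```python
"""Audit Amazon DocumentDB clusters for storage encryption at rest.

Input is the JSON document produced by `aws docdb describe-db-clusters`;
each entry in "DBClusters" carries "StorageEncrypted" and, when encrypted,
"KmsKeyId".
"""
import json
from typing import Dict, List

# Constructed sample response for offline demonstration (not real AWS output).
SAMPLE_RESPONSE = json.loads("""
{
  "DBClusters": [
    {"DBClusterIdentifier": "orders-prod", "Engine": "docdb",
     "StorageEncrypted": true,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"DBClusterIdentifier": "legacy-reports", "Engine": "docdb",
     "StorageEncrypted": false},
    {"DBClusterIdentifier": "analytics-dev", "Engine": "docdb",
     "StorageEncrypted": true}
  ]
}
""")


def audit_clusters(response: Dict) -> List[Dict]:
    """One finding per DocumentDB cluster: FAIL if unencrypted, WARN if
    encrypted but no KMS key ID is reported, PASS otherwise."""
    findings = []
    for cluster in response.get("DBClusters", []):
        # The same response shape is shared with the RDS API; keep DocumentDB only.
        if cluster.get("Engine") != "docdb":
            continue
        kms_key = cluster.get("KmsKeyId")
        if not cluster.get("StorageEncrypted", False):
            status, reason = "FAIL", "storage encryption disabled; migrate to an encrypted cluster"
        elif not kms_key:
            status, reason = "WARN", "encrypted but no KMS key ID reported; verify in console"
        else:
            status, reason = "PASS", f"encrypted with {kms_key}"
        findings.append({"cluster": cluster["DBClusterIdentifier"],
                         "status": status, "reason": reason})
    return findings


def failing_clusters(response: Dict) -> List[str]:
    """Identifiers of clusters that fail this control."""
    return [f["cluster"] for f in audit_clusters(response) if f["status"] == "FAIL"]


if __name__ == "__main__":
    for f in audit_clusters(SAMPLE_RESPONSE):
        print(f"{f['status']:4} {f['cluster']}: {f['reason']}")
```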
Implementation Plan:
Using AWS Console:
Navigate to Amazon DocumentDB → Clusters → Create cluster.
Under Storage and encryption, select Enable encryption.
Choose a KMS key for encryption (default or customer-managed key).
Configure other cluster settings as needed and select Create cluster.
Migrate data from the unencrypted cluster to the new encrypted one using MongoDB dump/restore tools or AWS Database Migration Service (DMS).
After migration and validation, delete the old unencrypted cluster.
Backout Plan:
If there are any issues after migration, switch the application connections back to the original (unencrypted) cluster until the new one is validated.
Restore data from the latest snapshot of the unencrypted cluster if necessary.
References: