Medium DocumentDB Regional

Amazon DocumentDB clusters should be encrypted at rest

NIST 800-53, ISO 27001, HIPAA

Description

This control checks whether an Amazon DocumentDB cluster is encrypted at rest. The control fails if an Amazon DocumentDB cluster isn't encrypted at rest. Data at rest refers to any data that's stored in persistent, non-volatile storage for any duration. Encryption helps you protect the confidentiality of such data, reducing the risk that an unauthorized user gets access to it. Data in Amazon DocumentDB clusters should be encrypted at rest for an added layer of security. Amazon DocumentDB uses the 256-bit Advanced Encryption Standard (AES-256) to encrypt your data using encryption keys stored in AWS Key Management Service (AWS KMS).


Remediation

Enable encryption at rest for your Amazon DocumentDB clusters. You cannot enable encryption at rest for an existing cluster, so you must create a new cluster with encryption enabled.

Steps

  1. Open the Amazon DocumentDB console.
  2. Choose 'Clusters' from the navigation pane.
  3. Create a new cluster or modify an existing one.
  4. In the 'Encryption' section, select 'Enable encryption'.
  5. Choose an AWS KMS key (either AWS managed or customer managed).
  6. Complete the cluster creation or modification process.
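The control logic described above, expressed as a defender-side check over a DescribeDBClusters response. This is an added example, not part of this page or of any AWS tooling; it runs offline on a constructed sample response, and the cluster identifiers and key ARN in it are made up.

```python
from typing import Dict, List

# Constructed sample (not real account data), shaped like the response of
# boto3.client("docdb").describe_db_clusters().
SAMPLE_RESPONSE: Dict = {
    "DBClusters": [
        {"DBClusterIdentifier": "orders-docdb", "Engine": "docdb",
         "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        {"DBClusterIdentifier": "legacy-docdb", "Engine": "docdb",
         "StorageEncrypted": False},
        # The docdb API shares the RDS back end and can list other engines;
        # those are outside this control's scope.
        {"DBClusterIdentifier": "aurora-app", "Engine": "aurora-postgresql",
         "StorageEncrypted": False},
    ]
}


def evaluate_cluster(cluster: Dict) -> Dict[str, str]:
    """Apply the control to one cluster record.

    PASSED when StorageEncrypted is true, FAILED when it is false or absent
    (an absent flag is treated as unencrypted so a truncated record cannot
    silently pass), NOT_APPLICABLE for non-DocumentDB engines.
    """
    ident = cluster.get("DBClusterIdentifier", "<unknown>")
    if cluster.get("Engine") != "docdb":
        return {"cluster": ident, "status": "NOT_APPLICABLE",
                "reason": f"engine {cluster.get('Engine')!r} is not docdb"}
    if cluster.get("StorageEncrypted") is True:
        return {"cluster": ident, "status": "PASSED",
                "reason": f"encrypted with {cluster.get('KmsKeyId', 'an AWS KMS key')}"}
    return {"cluster": ident, "status": "FAILED",
            "reason": "StorageEncrypted is not true; encryption cannot be added "
                      "later, so a new encrypted cluster is needed"}


def evaluate_response(response: Dict) -> List[Dict[str, str]]:
    """Evaluate every cluster in a DescribeDBClusters response."""
    return [evaluate_cluster(c) for c in response.get("DBClusters", [])]


def failed_clusters(response: Dict) -> List[str]:
    """Identifiers of in-scope clusters that fail the control."""
    return [f["cluster"] for f in evaluate_response(response) if f["status"] == "FAILED"]


if __name__ == "__main__":
    # Live use (needs boto3 and credentials): replace SAMPLE_RESPONSE with
    # boto3.client("docdb").describe_db_clusters() and follow the returned
    # Marker to page through accounts with many clusters.
    for finding in evaluate_response(SAMPLE_RESPONSE):
        print(f"{finding['status']:<14} {finding['cluster']:<16} {finding['reason']}")
```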

Compliance

NIST 800-53, ISO 27001, HIPAA