Back to All Checks
Medium DocumentDB Regional

Amazon DocumentDB clusters should be encrypted in transit

FSBP

Description

This control checks whether an Amazon DocumentDB cluster requires TLS for connections to the cluster. The control fails if the cluster parameter group associated with the cluster is not in sync, or the TLS cluster parameter is set to disabled or enabled. You can use TLS to encrypt the connection between an application and an Amazon DocumentDB cluster. Use of TLS can help protect data from being intercepted while the data is in transit between an application and an Amazon DocumentDB cluster. Encryption in transit for an Amazon DocumentDB cluster is managed using the TLS parameter in the cluster parameter group that's associated with the cluster. When encryption in transit is enabled, secure connections using TLS are required to connect to the cluster. We recommend using the following TLS parameters: tls1.2+, tls1.3+, and fips-140-3.

Remediation

Configure your Amazon DocumentDB cluster to use TLS encryption in transit by setting the TLS parameter in the cluster parameter group.

Steps

  1. Open the Amazon DocumentDB console.
  2. Choose 'Parameter groups' from the navigation pane.
  3. Select the cluster parameter group associated with your cluster.
  4. Choose 'Edit parameters'.
  5. Find the 'tls' parameter and set it to 'tls1.2+', 'tls1.3+', or 'fips-140-3'.
  6. Choose 'Save changes' and apply the changes to your cluster.

Compliance

FSBP
Start Your Free Security Check