Critical

Ensure DocumentDB database instances have storage encryption enabled

Security & Compliance
Description

Ensuring that your DocumentDB database instances have storage encryption enabled is a critical step in protecting your data at rest. DocumentDB uses AWS Key Management Service (KMS) to provide encryption for your data.

Remediation

To ensure that storage encryption is enabled for your DocumentDB instances, you can follow these steps:

1. Enable Encryption: When creating a new DocumentDB instance, ensure that the "Enable encryption" option is selected. This will encrypt all data at rest, including backups and snapshots.

2. Verify Encryption: You can verify that encryption is enabled by checking the "Encryption at rest" attribute in the AWS Management Console or by using the AWS CLI or SDKs.

3. Use KMS: DocumentDB uses KMS to provide encryption for your data. Ensure that your KMS key policies and permissions are correctly configured to allow DocumentDB to use the KMS key.

4. Regularly review and update your encryption configurations: It is essential to regularly review and update your encryption configurations to ensure that your data remains secure over time.

By following these steps, you can help ensure that your DocumentDB instances have storage encryption enabled, and that your data is protected from potential security threats.

Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.