<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Amazon DocumentDB Security | AWS Security Cards</title>
<meta name="description" content="Amazon DocumentDB is a managed document database service compatible with MongoDB wire protocol. Stores structured application data accessible via NoSQL queries.">
<style>
*, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
body {
font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', sans-serif;
background: #0a0e1a;
color: #e2e8f0;
line-height: 1.6;
padding: 2rem;
max-width: 1200px;
margin: 0 auto;
}
a { color: #22d3ee; text-decoration: none; }
a:hover { text-decoration: underline; }
/* Card Image */
.card-image {
border-radius: 1rem;
overflow: hidden;
margin-bottom: 2rem;
border: 1px solid rgba(255,255,255,0.1);
}
.card-image img {
width: 100%;
height: auto;
display: block;
}
/* Header */
.header {
position: relative;
overflow: hidden;
border-radius: 1rem;
background: linear-gradient(135deg, #ec489915, #0a0e1a, #f43f5e15);
border: 1px solid #ec48994d;
padding: 2.5rem;
margin-bottom: 2rem;
}
.header::before {
content: '';
position: absolute;
top: 0; right: 0;
width: 24rem; height: 24rem;
background: #ec48990d;
border-radius: 50%;
filter: blur(3rem);
}
.header-content { position: relative; display: flex; align-items: flex-start; gap: 1.5rem; }
.header-icon { width: 64px; height: 64px; flex-shrink: 0; }
.header-icon img { width: 100%; height: 100%; }
.header-title { font-size: 1.875rem; font-weight: 700; color: #fff; }
.header-badge {
display: inline-block;
padding: 0.25rem 0.75rem;
background: #ec489933;
color: #ec4899;
font-size: 0.8rem;
font-weight: 600;
border-radius: 999px;
border: 1px solid #ec48994d;
margin-left: 0.75rem;
vertical-align: middle;
}
.header-desc { color: #94a3b8; max-width: 42rem; margin-top: 0.5rem; }
/* Stats */
.stats-row { display: grid; grid-template-columns: repeat(4, 1fr); gap: 1rem; margin-bottom: 2rem; }
.stat-card {
background: rgba(255,255,255,0.03);
border-radius: 0.5rem;
border: 1px solid rgba(255,255,255,0.06);
padding: 1rem;
text-align: center;
}
.stat-value { font-size: 1.5rem; font-weight: 700; }
.stat-label { font-size: 0.8rem; color: #94a3b8; }
/* Sections */
.section {
background: rgba(255,255,255,0.03);
border-radius: 0.75rem;
border: 1px solid rgba(255,255,255,0.06);
padding: 1.5rem;
margin-bottom: 1.5rem;
}
.section h2 {
font-size: 1.25rem;
font-weight: 700;
color: #fff;
margin-bottom: 1rem;
display: flex;
align-items: center;
gap: 0.5rem;
}
/* Overview */
.overview-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 1.5rem; }
.overview-grid h4 { font-size: 0.9rem; font-weight: 600; margin-bottom: 0.5rem; }
.overview-grid p { font-size: 0.875rem; color: #94a3b8; margin-bottom: 0.75rem; }
.attack-note {
background: rgba(0,0,0,0.3);
border-radius: 0.5rem;
border: 1px solid rgba(255,255,255,0.06);
padding: 0.75rem;
font-size: 0.875rem;
color: #cbd5e1;
}
/* Risk Gauge */
.risk-gauge { display: flex; align-items: center; gap: 2rem; }
.risk-bar-container { flex: 1; }
.risk-bar {
height: 1rem;
background: #0f172a;
border-radius: 999px;
overflow: hidden;
}
.risk-bar-fill {
height: 100%;
border-radius: 999px;
background: linear-gradient(90deg, #eab308, #f97316, #ef4444);
}
.risk-labels { display: flex; justify-content: space-between; font-size: 0.8rem; color: #94a3b8; margin-top: 0.5rem; }
.risk-score { text-align: center; }
.risk-score-value { font-size: 2.5rem; font-weight: 700; color: #f87171; }
.risk-score-label { font-size: 0.8rem; color: #94a3b8; }
.risk-desc { margin-top: 1rem; font-size: 0.875rem; color: #94a3b8; }
/* Panels Grid */
.panels-grid { display: grid; grid-template-columns: repeat(3, 1fr); gap: 1.5rem; margin-bottom: 1.5rem; }
@media (max-width: 1024px) { .panels-grid { grid-template-columns: repeat(2, 1fr); } }
@media (max-width: 640px) { .panels-grid, .stats-row, .overview-grid { grid-template-columns: 1fr; } }
.panel {
background: rgba(255,255,255,0.03);
border-radius: 0.75rem;
border: 1px solid;
padding: 1.5rem;
}
.panel h3 { font-size: 1.1rem; font-weight: 700; margin-bottom: 1rem; display: flex; align-items: center; gap: 0.5rem; }
.panel h4 { font-size: 0.85rem; font-weight: 600; margin-bottom: 0.5rem; margin-top: 1rem; }
.panel ul { list-style: none; padding: 0; }
.panel li {
font-size: 0.85rem;
color: #cbd5e1;
padding: 0.15rem 0;
display: flex;
align-items: flex-start;
gap: 0.5rem;
}
.bullet { margin-top: 0.15rem; }
.note {
margin-top: 1rem;
padding: 0.75rem;
border-radius: 0.5rem;
font-size: 0.85rem;
}
/* Commands */
.cmd-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 1rem; }
.cmd-block { margin-top: 0.75rem; }
.cmd-title { font-size: 0.8rem; color: #94a3b8; margin-bottom: 0.25rem; }
pre {
background: rgba(0,0,0,0.5);
border-radius: 0.5rem;
padding: 0.75rem;
font-size: 0.8rem;
color: #4ade80;
overflow-x: auto;
border: 1px solid rgba(255,255,255,0.06);
white-space: pre-wrap;
word-break: break-all;
font-family: 'SF Mono', 'Fira Code', 'Cascadia Code', monospace;
}
/* Policies */
.policy-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 1.5rem; }
.policy-card {
border-radius: 0.5rem;
border: 1px solid;
padding: 1rem;
}
.policy-header { display: flex; align-items: center; gap: 0.5rem; margin-bottom: 0.75rem; font-size: 0.9rem; }
.policy-card pre { margin-bottom: 0.75rem; color: #cbd5e1; }
.policy-desc { font-size: 0.8rem; color: #94a3b8; }
/* Defenses */
.defense-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 1rem; }
.defense-card {
background: rgba(255,255,255,0.03);
border-radius: 0.5rem;
border: 1px solid rgba(255,255,255,0.06);
padding: 1rem;
}
.defense-card:hover { border-color: #22d3ee4d; }
.defense-header { display: flex; align-items: flex-start; gap: 0.75rem; }
.defense-icon { font-size: 1.5rem; }
.defense-card h4 { font-size: 0.9rem; font-weight: 600; color: #fff; margin-bottom: 0.25rem; }
.defense-card p { font-size: 0.85rem; color: #94a3b8; margin-bottom: 0.5rem; }
.defense-card pre { color: #22d3ee; }
/* Footer */
.footer { text-align: center; padding: 1.5rem 0; font-size: 0.8rem; color: #64748b; }
.footer a { color: #22d3ee; }
/* Prevent ugly page-break splits */
.card-image,
.header,
.stat-card,
.stats-row,
.section,
.panel,
.cmd-block,
.policy-card,
.defense-card,
.attack-note,
.overview-grid > div,
.risk-gauge,
.note {
break-inside: avoid;
page-break-inside: avoid;
}
.section,
.panels-grid,
.card-image,
.header {
break-before: auto;
page-break-before: auto;
}
/* Keep headings with their content */
h2, h3, h4 {
break-after: avoid;
page-break-after: avoid;
}
@media print {
body { background: #0a0e1a; -webkit-print-color-adjust: exact; print-color-adjust: exact; }
.panels-grid { grid-template-columns: repeat(2, 1fr); }
.cmd-grid { grid-template-columns: 1fr; }
.policy-grid { grid-template-columns: 1fr; }
.defense-grid { grid-template-columns: 1fr; }
}
</style>
</head>
<body>
<!-- Card Image -->
<div class="card-image">
<img src="../images/documentdb-card.webp" alt="Amazon DocumentDB Security" />
</div>
<!-- Header -->
<div class="header">
<div class="header-content">
<div class="header-icon"><img src="../icons/documentdb.svg" alt="Amazon DocumentDB Security" /></div>
<div>
<div>
<span class="header-title">Amazon DocumentDB Security</span>
<span class="header-badge">DATABASE</span>
</div>
<p class="header-desc">Amazon DocumentDB is a managed document database service compatible with the MongoDB wire protocol. It stores structured application data accessed through NoSQL queries.</p>
</div>
</div>
</div>
<!-- Overview -->
<div class="section"><h2><span style="color:#ec4899;">📋</span> Service Overview</h2><div class="overview-grid">
<div><p>Amazon DocumentDB is a managed document database service compatible with the MongoDB wire protocol. It supports MongoDB 4.0, 5.0, and 8.0 compatibility modes. Clusters run exclusively inside a VPC with no public endpoint option.</p><p><strong>From an attacker's perspective</strong>, DocumentDB is valuable because:</p><ul><li><span class="bullet" style="color: #ec4899;">•</span> It stores structured application data (user records, session data, financial documents) that is directly exploitable.</li><li><span class="bullet" style="color: #ec4899;">•</span> The MongoDB wire protocol compatibility means NoSQL injection techniques that work against MongoDB generally work against DocumentDB (except those requiring server-side JavaScript execution, such as <code>$where</code>, which DocumentDB does not support).</li><li><span class="bullet" style="color: #ec4899;">•</span> Snapshots can be shared with other accounts, or made public if they are unencrypted, creating data exfiltration paths that need no network access to the cluster.</li><li><span class="bullet" style="color: #ec4899;">•</span> TLS and audit logging are cluster parameters that anyone with <code>rds:ModifyDBClusterParameterGroup</code> on the cluster's custom parameter group can disable. <code>audit_logs</code> is dynamic and takes effect immediately; <code>tls</code> is static and only takes effect after an instance reboot. Both changes are recorded in CloudTrail, where DocumentDB API calls appear under the <code>rds.amazonaws.com</code> event source.</li><li><span class="bullet" style="color: #ec4899;">•</span> Encryption at rest cannot be enabled after cluster creation. If a cluster was created unencrypted, that decision is permanent for that cluster; the data has to be migrated into a newly created encrypted cluster.</li></ul></div></div></div>
<!-- Risk Assessment -->
<div class="section">
<h2>Security Risk Assessment</h2>
<table style="width:100%;border-collapse:collapse;margin:0.5rem 0;font-size:0.9rem;"><tr><th style="text-align:left;padding:0.5rem 0.75rem;border-bottom:2px solid #ec489955;color:#ec4899;">Factor</th><th style="text-align:left;padding:0.5rem 0.75rem;border-bottom:2px solid #ec489955;color:#ec4899;">Rating</th><th style="text-align:left;padding:0.5rem 0.75rem;border-bottom:2px solid #ec489955;color:#ec4899;">Detail</th></tr><tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Data Sensitivity</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><strong>High</strong></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Stores application-level structured data: PII, credentials, financial records</td></tr><tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Blast Radius</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><strong>High</strong></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Cluster-wide — all databases and collections in a cluster share the same auth, TLS, and encryption settings</td></tr><tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Lateral Movement</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><strong>Medium</strong></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Master credentials may be reused; snapshots enable data movement to attacker-controlled accounts</td></tr><tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Detection Difficulty</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><strong>Medium</strong></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Audit logging disabled by default; data-plane operations 
(queries) are not in CloudTrail</td></tr><tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Recovery Complexity</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><strong>Medium</strong></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Point-in-time restore available (up to 35 days), but encryption settings are immutable</td></tr></table>
</div>
<!-- Main Panels -->
<div class="panels-grid">
<div class="panel" style="border-color: #f8717133;">
<h3 style="color: #f87171;">⚔️ Attack Vectors</h3><h4 style="color: #f87171;">Initial Access</h4><table style="width:100%;border-collapse:collapse;margin:0.5rem 0;font-size:0.9rem;"><tr><th style="text-align:left;padding:0.5rem 0.75rem;border-bottom:2px solid #f8717155;color:#f87171;">#</th><th style="text-align:left;padding:0.5rem 0.75rem;border-bottom:2px solid #f8717155;color:#f87171;">Vector</th><th style="text-align:left;padding:0.5rem 0.75rem;border-bottom:2px solid #f8717155;color:#f87171;">Description</th></tr>
<tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">1</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><strong>NoSQL Injection via Application</strong></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Applications that pass the parsed request body straight into a MongoDB driver query are open to operator injection (<code>$gt</code>, <code>$ne</code>, <code>$regex</code>). A login check that builds its filter from raw input accepts <code>{"username": {"$ne": ""}, "password": {"$ne": ""}}</code>: the filter matches every user document whose fields are non-empty, so the first match is logged in without a valid password, and <code>$regex</code> against the same fields leaks stored values one character at a time. <code>$where</code> is not supported by DocumentDB (no server-side JavaScript execution), so payloads that depend on it fail.</td></tr>
<tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">2</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><strong>Credential Theft from Secrets Manager / Environment</strong></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">DocumentDB master credentials stored in environment variables, application configs, or Secrets Manager secrets with overly broad resource or IAM policies.</td></tr>
<tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">3</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><strong>Snapshot Restore in Attacker Account</strong></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">If a manual snapshot is shared with <code>"all"</code> (public) or a specific attacker account ID, the attacker can restore the full database in their own account and read all data without network access to the original cluster. Only unencrypted snapshots can be made public. A snapshot encrypted with a customer managed KMS key can be shared with specific accounts, and those accounts can restore it only if the key policy also grants them use of the key; a snapshot encrypted with the AWS managed <code>aws/rds</code> key cannot be shared at all.</td></tr>
<tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">4</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><strong>VPC Peering / Transit Gateway Pivot</strong></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">DocumentDB has no public endpoint, but an attacker who compromises a host in the same VPC, a peered VPC, or a Transit Gateway attachment reaches the cluster endpoint on port 27017 at the network level; the security group is then the only barrier.</td></tr>
<tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">5</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><strong>Parameter Group Tampering</strong></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">An attacker with <code>rds:ModifyDBClusterParameterGroup</code> on the custom parameter group the cluster uses can set <code>tls=disabled</code> and <code>audit_logs=disabled</code>, downgrading security and reducing visibility. <code>audit_logs</code> is dynamic and takes effect immediately; <code>tls</code> is static and is applied at the next instance reboot. Default parameter groups cannot be modified, so if the cluster uses one the attacker also needs <code>rds:ModifyDBCluster</code> to attach a custom group, which itself takes effect after a reboot.</td></tr></table><h4 style="color: #f87171;">Persistence & Privilege Escalation</h4><table style="width:100%;border-collapse:collapse;margin:0.5rem 0;font-size:0.9rem;"><tr><th style="text-align:left;padding:0.5rem 0.75rem;border-bottom:2px solid #f8717155;color:#f87171;">#</th><th style="text-align:left;padding:0.5rem 0.75rem;border-bottom:2px solid #f8717155;color:#f87171;">Vector</th><th style="text-align:left;padding:0.5rem 0.75rem;border-bottom:2px solid #f8717155;color:#f87171;">Description</th></tr>
<tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">1</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><strong>Database User Creation</strong></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">An attacker with master credentials can create new database users via the MongoDB shell (<code>db.createUser()</code>). These users persist independently of IAM and survive rotation of the master user's password. When hunting, list them with <code>db.getUsers()</code> on the <code>admin</code> database and compare against the expected set.</td></tr>
<tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">2</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><strong>Snapshot Exfiltration for Offline Access</strong></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><code>create-db-cluster-snapshot</code> + <code>modify-db-cluster-snapshot-attribute</code> to share the snapshot with an attacker account. Data access persists even after the original cluster is secured, until the snapshot is unshared or deleted.</td></tr>
<tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">3</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><strong>Cross-Region Snapshot Copy</strong></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><code>copy-db-cluster-snapshot</code> run from another region (with <code>--source-region</code>) creates a durable copy of data outside the victim's operational region; an encrypted source needs <code>--kms-key-id</code> pointing at a key in the destination region.</td></tr>
<tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">4</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><strong>Event Subscription for Reconnaissance</strong></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><code>create-event-subscription</code> with an attacker-controlled SNS topic receives notifications about cluster modifications, failovers, and maintenance: continuous intel on the target environment.</td></tr>
<tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">5</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><strong>Disable Deletion Protection</strong></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><code>modify-db-cluster --no-deletion-protection</code> removes the safety net, enabling future destructive actions including cluster deletion (ransomware path).</td></tr></table></div>
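<p>The operator-injection vector in row 1 of Initial Access, as an added Python example (not code from the original page). It builds only the filter a login handler would hand to <code>find()</code>, so it runs without a driver or a cluster. The request bodies are constructed, and keeping the password out of the query entirely is a design choice of this example; the hardened builder rejects any non-string value, which is what stops <code>$ne</code>, <code>$gt</code> and <code>$regex</code> from ever reaching the server.</p>

```python
"""NoSQL operator injection: vulnerable filter builder beside a hardened one.

Added example, not code from the original page. It only builds the filter a
login handler would hand to find(), so it runs without a driver or a cluster.
The request bodies are constructed; keeping the password out of the query is
a design choice of this example.
"""
import json
from typing import Any

# Constructed request bodies, as a JSON login endpoint would receive them.
LEGIT_BODY = '{"username": "alice", "password": "correct horse"}'
INJECTED_BODY = '{"username": {"$ne": ""}, "password": {"$ne": ""}}'
REGEX_BODY = '{"username": "alice", "password": {"$regex": "^c"}}'


def vulnerable_login_filter(body: str) -> dict[str, Any]:
    """Whatever JSON the client sent becomes the find() filter.

    With INJECTED_BODY the filter is {username: {$ne: ""}, password: {$ne: ""}},
    which matches every user document with non-empty fields, so the first
    match is "logged in". With REGEX_BODY the match / no-match response
    leaks the stored password one character at a time.
    """
    data = json.loads(body)
    return {"username": data["username"], "password": data["password"]}


class InvalidInput(ValueError):
    """Raised when a field is not a plain, bounded string."""


def as_plain_string(value: Any, field: str, max_len: int = 256) -> str:
    """Accept only a non-empty str of bounded length.

    Dicts and lists are refused outright, so no {"$ne": ...} or
    {"$regex": ...} can occupy a value position; a leading '$' is refused too.
    """
    if not isinstance(value, str):
        raise InvalidInput(f"{field}: expected string, got {type(value).__name__}")
    if not 0 < len(value) <= max_len:
        raise InvalidInput(f"{field}: length out of range")
    if value.startswith("$"):
        raise InvalidInput(f"{field}: must not start with '$'")
    return value


def hardened_login_filter(body: str) -> dict[str, str]:
    """Equality match on a validated username only.

    The password is validated but never placed in the query: fetch the user
    by name, then compare a password hash in application code.
    """
    data = json.loads(body)
    username = as_plain_string(data.get("username"), "username")
    as_plain_string(data.get("password"), "password")
    return {"username": username}


def contains_operator(filt: Any) -> bool:
    """True if any key at any depth starts with '$' (an operator got in).

    A cheap last-line check to run on every filter before it is sent.
    """
    if isinstance(filt, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in filt.items())
    if isinstance(filt, list):
        return any(contains_operator(v) for v in filt)
    return False
```

<p>The same type check belongs on every field an application copies from a request into a query, not just on login; <code>contains_operator</code> is the cheap backstop for code paths that were missed.</p>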
<div class="panel" style="border-color: #fb923c33;">
<h3 style="color: #fb923c;">⚠️ Misconfigurations</h3><h4 style="color: #fb923c;">Critical</h4><table style="width:100%;border-collapse:collapse;margin:0.5rem 0;font-size:0.9rem;"><tr><th style="text-align:left;padding:0.5rem 0.75rem;border-bottom:2px solid #fb923c55;color:#fb923c;">#</th><th style="text-align:left;padding:0.5rem 0.75rem;border-bottom:2px solid #fb923c55;color:#fb923c;">Misconfiguration</th><th style="text-align:left;padding:0.5rem 0.75rem;border-bottom:2px solid #fb923c55;color:#fb923c;">Impact</th></tr>
<tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">1</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><strong>TLS Disabled (<code>tls=disabled</code>)</strong></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">All data between application and cluster is transmitted in cleartext. Credentials are visible to anyone with network access. Security Hub control: DocumentDB.6</td></tr>
<tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">2</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><strong>Audit Logging Disabled (default)</strong></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">No record of authentication events, DDL, or DML. Two settings are needed before audit data is usable: the <code>audit_logs</code> cluster parameter (<code>enabled</code> or <code>ddl</code> covers DDL and authentication only; <code>dml_read</code>, <code>dml_write</code>, or <code>all</code> is required to see reads and writes) and the CloudWatch Logs export of the <code>audit</code> log type, set at creation with <code>--enable-cloudwatch-logs-exports audit</code> or afterwards with <code>modify-db-cluster --cloudwatch-logs-export-configuration EnableLogTypes=audit</code>. Security Hub control DocumentDB.4 checks the export, not the parameter.</td></tr>
<tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">3</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><strong>Public Snapshots (<code>restore</code> attribute set to <code>all</code>)</strong></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Any AWS account can restore the snapshot and read all data. Only unencrypted snapshots can be made public, so a public snapshot also means the source cluster was unencrypted. Security Hub control: DocumentDB.3. AWS Config rule: <code>docdb-cluster-snapshot-public-prohibited</code></td></tr>
<tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">4</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><strong>Encryption at Rest Not Enabled</strong></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Data on disk, automated backups, snapshots, and read replicas are all unencrypted. Cannot be retroactively enabled; the cluster must be recreated and the data migrated. Security Hub control: DocumentDB.1</td></tr>
<tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">5</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><strong>Deletion Protection Disabled</strong></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Cluster can be deleted by any principal with <code>rds:DeleteDBCluster</code>. Security Hub control: DocumentDB.5</td></tr></table><h4 style="color: #fb923c;">High</h4><table style="width:100%;border-collapse:collapse;margin:0.5rem 0;font-size:0.9rem;"><tr><th style="text-align:left;padding:0.5rem 0.75rem;border-bottom:2px solid #fb923c55;color:#fb923c;">#</th><th style="text-align:left;padding:0.5rem 0.75rem;border-bottom:2px solid #fb923c55;color:#fb923c;">Misconfiguration</th><th style="text-align:left;padding:0.5rem 0.75rem;border-bottom:2px solid #fb923c55;color:#fb923c;">Impact</th></tr>
<tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">1</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><strong>Default KMS Key Used for Encryption</strong></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Snapshots encrypted with the AWS managed key (<code>aws/rds</code>) cannot be shared with other accounts, and the key has no editable policy, so there is no way to restrict or audit its use beyond IAM in the owning account. Teams that need cross-account copies for DR then re-encrypt with a customer managed key, which is the same path an attacker takes; with a customer managed key the key policy becomes the control point for who can restore a shared snapshot, so it should name specific accounts and principals.</td></tr>
<tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">2</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><strong>Backup Retention Below 7 Days</strong></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Reduces the window for point-in-time recovery after a breach. Security Hub control: DocumentDB.2 (minimum 7 days recommended)</td></tr>
<tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">3</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><strong>Overly Permissive Security Groups</strong></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Security group allowing <code>0.0.0.0/0</code> on port 27017. While DocumentDB has no public endpoint, this lets any host that can route to the subnet (every instance in the VPC, plus peered and Transit Gateway networks) connect; the inbound rule should reference the application tier's security group instead.</td></tr>
<tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">4</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><strong>No Profiler Enabled (<code>profiler=disabled</code>)</strong></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Slow or suspicious queries (large collection scans, regex-based exfiltration) go undetected. Default threshold is 100ms (<code>profiler_threshold_ms</code>) when enabled, and the <code>profiler</code> log type must also be exported to CloudWatch Logs to be searchable.</td></tr>
<tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">5</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><strong>Master Credentials Not Rotated</strong></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Static master username/password with no Secrets Manager rotation configured. Credentials may be embedded in application code or CI/CD pipelines.</td></tr></table></div>
<div class="panel" style="border-color: #22d3ee33;">
<h3 style="color: #22d3ee;">🔍 Enumeration Commands</h3><p>All commands use the <code>aws docdb</code> CLI namespace, which fronts the RDS control plane that DocumentDB shares with RDS and Aurora: without an engine filter, cluster and instance listings also return those resources. Verified against AWS CLI v2.</p><h4 style="color: #22d3ee;">List All DocumentDB Clusters</h4><pre><code>aws docdb describe-db-clusters \
--filters Name=engine,Values=docdb</code></pre><p>In the output, check <code>StorageEncrypted</code> and <code>KmsKeyId</code>, <code>DeletionProtection</code>, <code>BackupRetentionPeriod</code>, <code>EnabledCloudwatchLogsExports</code> (must contain <code>audit</code> for audit records to leave the cluster) and <code>DBClusterParameterGroup</code> (the group to inspect next).</p><h4 style="color: #22d3ee;">List All DocumentDB Instances</h4><pre><code>aws docdb describe-db-instances \
--filters Name=engine,Values=docdb</code></pre><h4 style="color: #22d3ee;">Check TLS and Parameter Configuration</h4><pre><code>aws docdb describe-db-cluster-parameters \
--db-cluster-parameter-group-name <parameter-group-name></code></pre><p>Look at <code>tls</code>, <code>audit_logs</code> and <code>profiler</code>. Default groups (<code>default.docdb5.0</code> and similar) cannot be modified, so a cluster on a default group runs the defaults: TLS on, auditing and profiling off.</p><h4 style="color: #22d3ee;">List Cluster Snapshots</h4><pre><code>aws docdb describe-db-cluster-snapshots \
--include-shared --include-public</code></pre><p>Without the two flags only snapshots owned by the account are listed; with them, snapshots other accounts have shared in, and public ones, appear too.</p><h4 style="color: #22d3ee;">Check Snapshot Sharing Attributes (Public Access)</h4><pre><code>aws docdb describe-db-cluster-snapshot-attributes \
--db-cluster-snapshot-identifier <snapshot-id></code></pre><p>A <code>restore</code> attribute containing <code>all</code> means the snapshot is public; any other value is an account ID allowed to restore it.</p><h4 style="color: #22d3ee;">List Subnet Groups</h4><pre><code>aws docdb describe-db-subnet-groups</code></pre><h4 style="color: #22d3ee;">List Tags on a Cluster</h4><pre><code>aws docdb list-tags-for-resource \
--resource-name arn:aws:rds:<region>:<account-id>:cluster:<cluster-id></code></pre><h4 style="color: #22d3ee;">List Events for a Cluster</h4><pre><code>aws docdb describe-events \
--source-type db-cluster \
--source-identifier <cluster-id></code></pre><h4 style="color: #22d3ee;">List Parameter Groups</h4><pre><code>aws docdb describe-db-cluster-parameter-groups</code></pre><h4 style="color: #22d3ee;">Check Engine Versions</h4><pre><code>aws docdb describe-db-engine-versions \
--engine docdb</code></pre><h4 style="color: #22d3ee;">List Pending Maintenance Actions</h4><pre><code>aws docdb describe-pending-maintenance-actions</code></pre></div>
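<p>A posture check over the JSON the three describe commands above print, as an added Python example (not code from the original page). It consumes the output of <code>describe-db-clusters</code>, <code>describe-db-cluster-parameters</code> and <code>describe-db-cluster-snapshot-attributes</code> and returns one finding per misconfiguration from the panel to the left. The three documents embedded in it are constructed samples trimmed to the fields the checks read; the cluster name, parameter group name and account ID are made up.</p>

```python
"""Posture check over the JSON the enumeration commands print.

Added example, not code from the original page. Input is the text output of
describe-db-clusters, describe-db-cluster-parameters and
describe-db-cluster-snapshot-attributes. The three documents below are
constructed samples trimmed to the fields the checks use; the cluster name,
parameter group and account ID are made up.
"""
import json

CLUSTERS_JSON = """{"DBClusters": [{
  "DBClusterIdentifier": "orders-prod", "Engine": "docdb",
  "StorageEncrypted": false, "DeletionProtection": false,
  "BackupRetentionPeriod": 1, "EnabledCloudwatchLogsExports": [],
  "DBClusterParameterGroup": "orders-params"}]}"""

PARAMS_JSON = """{"Parameters": [
  {"ParameterName": "tls", "ParameterValue": "disabled"},
  {"ParameterName": "audit_logs", "ParameterValue": "enabled"},
  {"ParameterName": "profiler", "ParameterValue": "disabled"}]}"""

SNAPSHOT_ATTRS_JSON = """{"DBClusterSnapshotAttributesResult": {
  "DBClusterSnapshotIdentifier": "orders-prod-final",
  "DBClusterSnapshotAttributes": [
    {"AttributeName": "restore", "AttributeValues": ["all", "111122223333"]}]}}"""

TRUSTED_ACCOUNTS = {"111122223333"}  # constructed: accounts allowed to restore snapshots


def check_cluster(c: dict) -> list[str]:
    """Cluster-level settings from describe-db-clusters."""
    cid, out = c["DBClusterIdentifier"], []
    if not c.get("StorageEncrypted"):
        out.append(f"{cid}: not encrypted at rest (DocumentDB.1); cannot be fixed in place")
    if not c.get("DeletionProtection"):
        out.append(f"{cid}: deletion protection off (DocumentDB.5)")
    if c.get("BackupRetentionPeriod", 0) < 7:
        out.append(f"{cid}: backup retention {c.get('BackupRetentionPeriod')} day(s) < 7 (DocumentDB.2)")
    if "audit" not in c.get("EnabledCloudwatchLogsExports", []):
        out.append(f"{cid}: audit log not exported to CloudWatch Logs (DocumentDB.4)")
    return out


def check_parameters(group: str, params: list[dict]) -> list[str]:
    """Security-relevant values from describe-db-cluster-parameters."""
    v = {p["ParameterName"]: p.get("ParameterValue") for p in params}
    out = []
    if v.get("tls") == "disabled":
        out.append(f"{group}: tls=disabled, cleartext on 27017")
    audit = v.get("audit_logs", "disabled")
    if audit == "disabled":
        out.append(f"{group}: audit_logs=disabled")
    elif audit in ("enabled", "ddl"):
        out.append(f"{group}: audit_logs={audit} covers DDL/auth only; reads need dml_read or all")
    if v.get("profiler") == "disabled":
        out.append(f"{group}: profiler=disabled, slow and scan-heavy queries unrecorded")
    return out


def check_snapshot_sharing(result: dict, trusted: set[str]) -> list[str]:
    """'restore' attribute from describe-db-cluster-snapshot-attributes."""
    sid, out = result["DBClusterSnapshotIdentifier"], []
    for attr in result.get("DBClusterSnapshotAttributes", []):
        if attr.get("AttributeName") != "restore":
            continue
        for acct in attr.get("AttributeValues", []):
            if acct == "all":
                out.append(f"{sid}: PUBLIC (restore=all)")
            elif acct not in trusted:
                out.append(f"{sid}: shared with untrusted account {acct}")
    return out


def audit(clusters_json: str, params_json: str, snap_json: str, trusted: set[str]) -> list[str]:
    """Run all checks; skip non-docdb clusters, which the shared RDS API also returns."""
    findings = []
    params = json.loads(params_json)["Parameters"]
    for c in json.loads(clusters_json)["DBClusters"]:
        if c.get("Engine") != "docdb":
            continue
        findings += check_cluster(c)
        findings += check_parameters(c["DBClusterParameterGroup"], params)
    findings += check_snapshot_sharing(json.loads(snap_json)["DBClusterSnapshotAttributesResult"], trusted)
    return findings
```

<p>Feed it real output by redirecting each command to a file (for example <code>aws docdb describe-db-clusters --filters Name=engine,Values=docdb > clusters.json</code>). In an account with several clusters the parameter JSON has to be fetched once per distinct <code>DBClusterParameterGroup</code>; the example simplifies that to a single group.</p>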
<div class="panel" style="border-color: #c084fc33;">
<h3 style="color: #c084fc;">📤 Data Exfiltration Paths</h3><table style="width:100%;border-collapse:collapse;margin:0.5rem 0;font-size:0.9rem;"><tr><th style="text-align:left;padding:0.5rem 0.75rem;border-bottom:2px solid #c084fc55;color:#c084fc;">#</th><th style="text-align:left;padding:0.5rem 0.75rem;border-bottom:2px solid #c084fc55;color:#c084fc;">Path</th><th style="text-align:left;padding:0.5rem 0.75rem;border-bottom:2px solid #c084fc55;color:#c084fc;">Method</th></tr>
<tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">1</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><strong>Snapshot Share to External Account</strong></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><code>aws docdb modify-db-cluster-snapshot-attribute --db-cluster-snapshot-identifier <snap> --attribute-name restore --values-to-add <attacker-account-id></code> grants restore access to a specific account. Works for unencrypted snapshots and for snapshots encrypted with a customer managed key (the target account then also needs access to the key); snapshots under the AWS managed <code>aws/rds</code> key cannot be shared.</td></tr>
<tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">2</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><strong>Snapshot Made Public</strong></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><code>aws docdb modify-db-cluster-snapshot-attribute --db-cluster-snapshot-identifier <snap> --attribute-name restore --values-to-add all</code> makes the snapshot restorable by any AWS account. Unencrypted snapshots only; the API refuses to make an encrypted snapshot public.</td></tr>
<tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">3</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><strong>Cross-Region Snapshot Copy</strong></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><code>aws docdb copy-db-cluster-snapshot --source-db-cluster-snapshot-identifier <snap-arn> --target-db-cluster-snapshot-identifier <new-name> --source-region <victim-region> --kms-key-id <attacker-key></code>, run in the destination region, moves data to a region the victim may not monitor. For an encrypted source the KMS key must exist in the destination region; the copy can then be shared onward from there.</td></tr>
<tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">4</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><strong>Restore Snapshot to New Cluster</strong></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><code>aws docdb restore-db-cluster-from-snapshot --db-cluster-identifier <new-cluster> --snapshot-identifier <snap> --engine docdb</code> creates a full copy of the database. The restore creates the cluster only; the attacker then adds an instance with <code>aws docdb create-db-instance --db-cluster-identifier <new-cluster> --engine docdb --db-instance-class <class> --db-instance-identifier <new-instance></code> and connects. The master username is preserved, and because the attacker owns the new cluster they can set a fresh password with <code>modify-db-cluster --master-user-password</code>, so the original credentials are not needed.</td></tr>
<tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">5</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><strong>Direct Query via MongoDB Driver</strong></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">With network access and valid credentials, an attacker uses <code>mongosh</code> or any MongoDB driver to connect on port 27017 and run <code>db.collection.find()</code> to extract documents directly, or <code>mongodump</code> to pull whole databases. Unless <code>audit_logs</code> is set to <code>dml_read</code> or <code>all</code> and the audit log is exported, the reads themselves leave no trace (<code>enabled</code> covers DDL and authentication only).</td></tr></table></div>
<div class="panel" style="border-color: #4ade8033;">
<h3 style="color: #4ade80;">🛡️ Detection — CloudTrail Events to Monitor</h3><table style="width:100%;border-collapse:collapse;margin:0.5rem 0;font-size:0.9rem;"><tr><th style="text-align:left;padding:0.5rem 0.75rem;border-bottom:2px solid #4ade8055;color:#4ade80;">Event</th><th style="text-align:left;padding:0.5rem 0.75rem;border-bottom:2px solid #4ade8055;color:#4ade80;">Significance</th></tr><tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><code>CreateDBClusterSnapshot</code></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Manual snapshot creation — potential precursor to exfiltration</td></tr><tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><code>ModifyDBClusterSnapshotAttribute</code></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Snapshot sharing changed — check if shared publicly or to unknown accounts</td></tr><tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><code>CopyDBClusterSnapshot</code></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Snapshot copied — check target region and KMS key</td></tr><tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><code>RestoreDBClusterFromSnapshot</code></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">New cluster from snapshot — verify this is authorized</td></tr><tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><code>ModifyDBCluster</code></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Check for deletion protection disabled, backup retention reduced</td></tr><tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><code>ModifyDBClusterParameterGroup</code></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid 
rgba(255,255,255,0.08);">Check for <code>tls=disabled</code> or <code>audit_logs=disabled</code></td></tr><tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><code>DeleteDBCluster</code></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Cluster deletion — verify deletion protection was properly enforced</td></tr><tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><code>CreateDBInstance</code> (with docdb engine)</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">New instance added — could indicate unauthorized scaling or access</td></tr></table></div>
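As an added example that is not part of the original card, the following Python applies the table's checks to a few constructed CloudTrail records and returns one finding per event worth escalating; the request-parameter field names (dBClusterSnapshotIdentifier, valuesToAdd, deletionProtection, engine) are assumed to match the RDS/DocumentDB CloudTrail layout, and the severities are this example's own triage choices.

```python
# Added example, not the card's own code. CloudTrail field names (dBClusterSnapshotIdentifier,
# valuesToAdd, deletionProtection, engine) are assumed to match the RDS/DocumentDB record layout.
REVIEW = {  # events worth an analyst's look on sight, with the question the table asks
    "CreateDBClusterSnapshot": "manual snapshot created: possible exfiltration precursor",
    "CopyDBClusterSnapshot": "snapshot copied: check target region and KMS key",
    "RestoreDBClusterFromSnapshot": "cluster restored from snapshot: verify it was authorized",
    "DeleteDBCluster": "cluster deleted: confirm deletion protection was enforced",
    "CreateDBInstance": "new docdb instance added: check for unauthorized scaling or access",
}
WEAKENING = ("tls", "audit_logs")  # parameters whose 'disabled' value removes a control

def scan(events):
    findings = []  # one dict per matching record; Describe* and other benign calls yield nothing
    for ev in events:
        name, p = ev.get("eventName", ""), ev.get("requestParameters") or {}
        sev = why = None
        if name == "ModifyDBClusterSnapshotAttribute":
            added = p.get("valuesToAdd") or []
            sev = "critical" if "all" in added else "high"  # 'all' shares with every AWS account
            why = f"snapshot {p.get('dBClusterSnapshotIdentifier')} sharing changed, added: {added}"
        elif name == "ModifyDBClusterParameterGroup":
            weak = [f"{x.get('parameterName')}=disabled" for x in p.get("parameters") or []
                    if x.get("parameterName") in WEAKENING and x.get("parameterValue") == "disabled"]
            if weak:
                sev, why = "high", "security parameter weakened: " + ", ".join(weak)
        elif name == "ModifyDBCluster":
            issues = []
            if p.get("deletionProtection") is False:
                issues.append("deletion protection disabled")
            days = p.get("backupRetentionPeriod")
            if isinstance(days, int) and days < 7:  # Security Hub DocumentDB.2 threshold
                issues.append(f"backup retention reduced to {days} day(s)")
            if issues:
                sev, why = "high", "; ".join(issues)
        elif name in REVIEW and (name != "CreateDBInstance" or p.get("engine") == "docdb"):
            sev, why = "medium", REVIEW[name]
        if sev:
            findings.append({"event": name, "severity": sev, "reason": why})
    return findings

SAMPLE_EVENTS = [  # constructed records, no real account data
    {"eventName": "ModifyDBClusterSnapshotAttribute", "requestParameters": {
        "dBClusterSnapshotIdentifier": "prod-docdb-snap", "attributeName": "restore", "valuesToAdd": ["all"]}},
    {"eventName": "ModifyDBClusterParameterGroup", "requestParameters": {"parameters": [{"parameterName": "tls", "parameterValue": "disabled"}]}},
    {"eventName": "ModifyDBCluster", "requestParameters": {
        "dBClusterIdentifier": "my-cluster", "deletionProtection": False, "backupRetentionPeriod": 1}},
    {"eventName": "CreateDBInstance", "requestParameters": {"engine": "mysql"}},  # RDS, not DocumentDB
    {"eventName": "DescribeDBClusters", "requestParameters": {}},
]
```

Running `scan(SAMPLE_EVENTS)` yields three findings (the public share, the TLS downgrade, the weakened cluster settings) and ignores the RDS-engine instance and the Describe call.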
<div class="panel" style="border-color: #ec489933;">
<h3 style="color: #ec4899;">Key DocumentDB Cluster Parameters Reference</h3><table style="width:100%;border-collapse:collapse;margin:0.5rem 0;font-size:0.9rem;"><tr><th style="text-align:left;padding:0.5rem 0.75rem;border-bottom:2px solid #ec489955;color:#ec4899;">Parameter</th><th style="text-align:left;padding:0.5rem 0.75rem;border-bottom:2px solid #ec489955;color:#ec4899;">Default</th><th style="text-align:left;padding:0.5rem 0.75rem;border-bottom:2px solid #ec489955;color:#ec4899;">Allowed Values</th><th style="text-align:left;padding:0.5rem 0.75rem;border-bottom:2px solid #ec489955;color:#ec4899;">Type</th></tr><tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><code>tls</code></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">enabled</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">disabled, enabled, fips-140-3, tls1.2+, tls1.3+</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Static</td></tr><tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><code>audit_logs</code></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">disabled</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">enabled, disabled</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Dynamic</td></tr><tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><code>profiler</code></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">disabled</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">enabled, disabled</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Dynamic</td></tr><tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid 
rgba(255,255,255,0.08);"><code>profiler_threshold_ms</code></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">100</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">50 - 2147483646</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Dynamic</td></tr><tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><code>profiler_sampling_rate</code></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">1.0</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">0.0 - 1.0</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Dynamic</td></tr><tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><code>change_stream_log_retention_duration</code></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">10800</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">3600 - 604800</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Dynamic</td></tr><tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);"><code>ttl_monitor</code></td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">enabled</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">enabled, disabled</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Dynamic</td></tr></table><p><strong>Static parameters</strong> require a manual reboot of every instance in the cluster to take effect.</p></div>
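As an added example (not the card's own code), this Python checks a cluster parameter group against the values the table and the defense recommendations call for, and reports which failing settings are static and therefore still need a reboot; the input shape (Parameters[].ParameterName/ParameterValue/ApplyType, as returned by `aws docdb describe-db-cluster-parameters`) is an assumption and the sample data is constructed.

```python
# Added example, not the card's own code: audits a DocumentDB cluster parameter group against
# the settings this card recommends. Input mimics `aws docdb describe-db-cluster-parameters`
# output (Parameters[].ParameterName/ParameterValue/ApplyType); layout assumed, data constructed.
STRONG_TLS = {"tls1.2+", "tls1.3+", "fips-140-3"}  # plain 'enabled' still accepts TLS 1.0

def audit_parameters(describe_output):
    # Returns (parameter, problem, needs_reboot) for each non-compliant setting.
    params = {p["ParameterName"]: p for p in describe_output.get("Parameters", [])}
    def value(name, default):  # defaults are the ones in the reference table above
        return params.get(name, {}).get("ParameterValue", default)
    def static(name):  # static parameters only take effect after every instance is rebooted
        return params.get(name, {}).get("ApplyType", "dynamic") == "static"
    findings = []
    tls = value("tls", "enabled")
    if tls not in STRONG_TLS:
        findings.append(("tls", f"'{tls}' does not enforce a minimum TLS version", static("tls")))
    if value("audit_logs", "disabled") != "enabled":
        findings.append(("audit_logs", "DDL/DML auditing is off", static("audit_logs")))
    if value("profiler", "disabled") != "enabled":
        findings.append(("profiler", "slow-query profiler is off", static("profiler")))
    return findings

SAMPLE_DESCRIBE = {"Parameters": [  # constructed sample
    {"ParameterName": "tls", "ParameterValue": "enabled", "ApplyType": "static"},
    {"ParameterName": "audit_logs", "ParameterValue": "disabled", "ApplyType": "dynamic"},
    {"ParameterName": "profiler", "ParameterValue": "enabled", "ApplyType": "dynamic"},
]}
```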
<div class="panel" style="border-color: #ec489933;">
<h3 style="color: #ec4899;">Security Hub Controls Summary</h3><table style="width:100%;border-collapse:collapse;margin:0.5rem 0;font-size:0.9rem;"><tr><th style="text-align:left;padding:0.5rem 0.75rem;border-bottom:2px solid #ec489955;color:#ec4899;">Control</th><th style="text-align:left;padding:0.5rem 0.75rem;border-bottom:2px solid #ec489955;color:#ec4899;">Check</th><th style="text-align:left;padding:0.5rem 0.75rem;border-bottom:2px solid #ec489955;color:#ec4899;">Severity</th></tr><tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">DocumentDB.1</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Encryption at rest enabled</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Medium</td></tr><tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">DocumentDB.2</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Backup retention >= 7 days</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Medium</td></tr><tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">DocumentDB.3</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Manual snapshots not public</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Critical</td></tr><tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">DocumentDB.4</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Audit logs exported to CloudWatch</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Medium</td></tr><tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">DocumentDB.5</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Deletion protection enabled</td><td 
style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Medium</td></tr><tr><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">DocumentDB.6</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">TLS encryption in transit enforced</td><td style="padding:0.5rem 0.75rem;border-bottom:1px solid rgba(255,255,255,0.08);">Medium</td></tr></table></div></div>
<!-- Policies -->
<div class="section"><h2><span style="color:#4ade80;">📜</span> Policy Examples</h2><div class="policy-grid">
<div class="policy-card" style="border-color: #ef444433; background: rgba(239,68,68,0.05);">
<div class="policy-header">
<span style="color: #f87171; font-size: 1.2em;">✗</span>
<span style="color: #f87171; font-weight: 600;">Bad Policy — Overly Permissive</span>
</div>
<pre><code>{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "rds:*",
"Resource": "*"
}
]
}</code></pre>
<p class="policy-desc"><strong>Why this is dangerous:</strong> DocumentDB uses the <code>rds:</code> IAM action namespace. Granting <code>rds:*</code> gives full control over all RDS and DocumentDB resources — including creating snapshots, sharing them publicly, disabling deletion protection, and deleting clusters.</p>
</div><div class="policy-card" style="border-color: #22c55e33; background: rgba(34,197,94,0.05);">
<div class="policy-header">
<span style="color: #4ade80; font-size: 1.2em;">✓</span>
<span style="color: #4ade80; font-weight: 600;">Good Policy — Least Privilege Read-Only</span>
</div>
<pre><code>{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds:DescribeDBClusters",
"rds:DescribeDBInstances",
"rds:DescribeDBClusterParameters",
"rds:DescribeDBClusterSnapshots",
"rds:DescribeDBClusterSnapshotAttributes",
"rds:DescribeDBSubnetGroups",
"rds:ListTagsForResource"
],
"Resource": "arn:aws:rds:*:123456789012:cluster:my-docdb-*"
}
]
}</code></pre>
<p class="policy-desc"><strong>Why this is safer:</strong> only <code>Describe*</code> and <code>ListTagsForResource</code> read actions are granted, and the resource is scoped to clusters named <code>my-docdb-*</code> in one account, so the principal can inventory and audit clusters but cannot create, share, modify or delete anything.</p>
</div><div class="policy-card" style="border-color: #ef444433; background: rgba(239,68,68,0.05);">
<div class="policy-header">
<span style="color: #f87171; font-size: 1.2em;">✗</span>
<span style="color: #f87171; font-weight: 600;">Deny Dangerous Actions — Guardrail Policy</span>
</div>
<pre><code>{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyDocDBSnapshotPublicSharing",
"Effect": "Deny",
"Action": "rds:ModifyDBClusterSnapshotAttribute",
"Resource": "arn:aws:rds:*:*:cluster-snapshot:*"
}
]
}</code></pre>
<p class="policy-desc"><strong>How it works:</strong> an explicit Deny overrides any Allow, including <code>rds:*</code>, so a principal carrying this policy cannot change snapshot sharing attributes at all. Because there is no condition on the statement, it blocks legitimate cross-account sharing as well as public sharing.</p>
</div></div></div>
<!-- Defenses -->
<div class="section"><h2><span style="color:#4ade80;">🛡️</span> Defense Recommendations</h2><div class="defense-grid">
<div class="defense-card">
<div class="defense-header">
<span class="defense-icon"></span>
<div>
<h4>Enforce TLS with Minimum Version</h4>
<p>Use a custom parameter group with <code>tls=tls1.2+</code> or <code>tls=tls1.3+</code>. Never use <code>tls=enabled</code> (allows TLS 1.0). Reboot all instances after changing this static parameter.</p>
<pre><code>aws docdb modify-db-cluster-parameter-group \
--db-cluster-parameter-group-name my-docdb-params \
--parameters "ParameterName=tls,ParameterValue=tls1.2+,ApplyMethod=pending-reboot"</code></pre>
</div>
</div>
</div><div class="defense-card">
<div class="defense-header">
<span class="defense-icon"></span>
<div>
<h4>Enable Full Audit Logging</h4>
<p>Enable DDL and DML auditing and export to CloudWatch Logs:</p>
<pre><code>aws docdb modify-db-cluster-parameter-group \
--db-cluster-parameter-group-name my-docdb-params \
--parameters "ParameterName=audit_logs,ParameterValue=enabled,ApplyMethod=immediate"</code></pre>
<pre><code>aws docdb modify-db-cluster \
--db-cluster-identifier my-cluster \
--cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit","profiler"]}'</code></pre>
</div>
</div>
</div><div class="defense-card">
<div class="defense-header">
<span class="defense-icon"></span>
<div>
<h4>Enable Profiler for Slow Query Detection</h4>
<p>Enable the profiler and record operations slower than <code>profiler_threshold_ms</code> (100 ms here) to the profiler log. Both parameters are dynamic, so no reboot is required.</p>
<pre><code>aws docdb modify-db-cluster-parameter-group \
--db-cluster-parameter-group-name my-docdb-params \
--parameters "ParameterName=profiler,ParameterValue=enabled,ApplyMethod=immediate" \
"ParameterName=profiler_threshold_ms,ParameterValue=100,ApplyMethod=immediate"</code></pre>
</div>
</div>
</div><div class="defense-card">
<div class="defense-header">
<span class="defense-icon"></span>
<div>
<h4>Enable Deletion Protection</h4>
<p>With deletion protection on, <code>DeleteDBCluster</code> fails until the flag is explicitly cleared again with <code>ModifyDBCluster</code>, one of the events the detection table flags.</p>
<pre><code>aws docdb modify-db-cluster \
--db-cluster-identifier my-cluster \
--deletion-protection</code></pre>
</div>
</div>
</div><div class="defense-card">
<div class="defense-header">
<span class="defense-icon"></span>
<div>
<h4>Block Public Snapshot Sharing via SCP</h4>
<p>Apply this Service Control Policy at the AWS Organizations level:</p>
<pre><code>{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyPublicDocDBSnapshots",
"Effect": "Deny",
"Action": "rds:ModifyDBClusterSnapshotAttribute",
"Resource": "*"
}
]
}</code></pre>
</div>
</div>
</div><div class="defense-card">
<div class="defense-header">
<span class="defense-icon"></span>
<div>
<h4>Use Customer Managed KMS Keys</h4>
<p>Create clusters with a customer managed KMS key (not the default <code>aws/rds</code> key) to enable custom key policies and cross-account access control for encrypted snapshots.</p>
</div>
</div>
</div><div class="defense-card">
<div class="defense-header">
<span class="defense-icon"></span>
<div>
<h4>Rotate Master Credentials via Secrets Manager</h4>
<p>Configure Secrets Manager automatic rotation for the DocumentDB master password. Do not embed credentials in application code.</p>
</div>
</div>
</div><div class="defense-card">
<div class="defense-header">
<span class="defense-icon"></span>
<div>
<h4>Restrict Security Group Access</h4>
<p>Limit inbound port 27017 to specific application security groups only. Do not use CIDR-based rules within the VPC.</p>
</div>
</div>
</div><div class="defense-card">
<div class="defense-header">
<span class="defense-icon"></span>
<div>
<h4>Set Backup Retention to at Least 7 Days</h4>
<p>Automated backups are kept for the configured number of days; Security Hub control DocumentDB.2 requires at least 7.</p>
<pre><code>aws docdb modify-db-cluster \
--db-cluster-identifier my-cluster \
--backup-retention-period 7</code></pre>
</div>
</div>
</div><div class="defense-card">
<div class="defense-header">
<span class="defense-icon"></span>
<div>
<h4>Deploy AWS Config Rules</h4>
<p>Enable the following AWS Config managed rules:</p><ul><li><code>docdb-cluster-audit-logging-enabled</code></li><li><code>docdb-cluster-snapshot-public-prohibited</code></li><li><code>docdb-cluster-encryption-enabled</code> (custom rule or Security Hub control DocumentDB.1)</li></ul>
</div>
</div>
</div></div></div>
<div class="footer">
<p><strong>AWS Security Card — Amazon DocumentDB | Toc Consulting | tocconsulting.fr</strong></p>
<p>Always obtain proper authorization before testing</p>
</div>
</body>
</html>