AWS Security ChangesHomeSearch

AWS config medium security documentation change

Service: config · 2025-04-18 · Security-related medium

File: config/latest/developerguide/docdb-cluster-encrypted-in-transit.md

Summary

Clarified rule logic for TLS encryption checks and added 'excludeTlsParameters' parameter

Security assessment

Enhanced documentation for a security-focused rule (encryption in transit) and added configurability to exclude specific TLS parameters, directly related to security controls.

Diff

diff --git a/config/latest/developerguide/docdb-cluster-encrypted-in-transit.md b/config/latest/developerguide/docdb-cluster-encrypted-in-transit.md
index a944894d0..3877593c6 100644
--- a//config/latest/developerguide/docdb-cluster-encrypted-in-transit.md
+++ b//config/latest/developerguide/docdb-cluster-encrypted-in-transit.md
@@ -9 +9 @@ AWS CloudFormation template
-Checks if connections to Amazon Document DB clusters are configured to use encryption in transit. The rule is NON_COMPLIANT if the associated cluster parameter group is not 'in-sync' or if the tls cluster parameter is not set to 'enabled' or 'fips-140-3'. 
+Checks if connections to Amazon DocumentDB clusters are configured to use encryption in transit. The rule is NON_COMPLIANT if the parameter group is not "in-sync", or the TLS parameter is set to either "disabled" or a value in `excludeTlsParameters`. 
@@ -21 +21,2 @@ Checks if connections to Amazon Document DB clusters are configured to use encry
-None
+excludeTlsParameters (Optional)
+Type: CSV
@@ -23,0 +25,2 @@ None
+Comma-separated list of TLS cluster parameters for the rule to NOT check. Default value: 'disabled'.
+