AWS securityhub medium security documentation change
Summary
Added new control [DocumentDB.6] requiring Amazon DocumentDB clusters to use encryption in transit via TLS
Security assessment
The change introduces a new security control enforcing TLS encryption for DocumentDB connections, directly addressing data-in-transit protection. The documentation explicitly states this mitigates interception risks during data transmission.
Diff
diff --git a/securityhub/latest/userguide/documentdb-controls.md b/securityhub/latest/userguide/documentdb-controls.md index c67979097..45784c6e5 100644 --- a//securityhub/latest/userguide/documentdb-controls.md +++ b//securityhub/latest/userguide/documentdb-controls.md @@ -5 +5 @@ -[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled +[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit @@ -138,0 +139,22 @@ To enable deletion protection for an existing Amazon DocumentDB cluster, see [Mo +## [DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit + +**Category:** Protect > Data Protection > Encryption of data-in-transit + +**Severity:** Medium + +**Resource type:** `AWS::RDS::DBCluster` + +**AWS Config rule:** [docdb-cluster-encrypted-in-transit](https://docs.aws.amazon.com/config/latest/developerguide/docdb-cluster-encrypted-in-transit.html) + +**Schedule type:** Periodic + +**Parameters:** `excludeTlsParameters`: `enabled`, `disabled` (not customizable) + +This controls checks whether an Amazon DocumentDB cluster requires TLS for connections to the cluster. The control fails if the cluster parameter group associated with the cluster is not in sync, or the TLS cluster parameter in the group is set to `disabled`. + +You can use TLS to encrypt the connection between an application and an Amazon DocumentDB cluster. Use of TLS can help protect data from being intercepted while the data is in transit between an application and an Amazon DocumentDB cluster. Encryption in transit for an Amazon DocumentDB cluster is managed using the TLS parameter in the cluster parameter group that's associated with the cluster. When encryption in transit is enabled, secure connections using TLS are required to connect to the cluster. We recommend using the following TLS parameters: `tls1.2+`, `tls1.3+`, and `fips-140-3`. + +### Remediation + +For information about changing the TLS settings for an Amazon DocumentDB cluster, see [Encrypting data in transit](https://docs.aws.amazon.com/documentdb/latest/developerguide/security.encryption.ssl.html) in the _Amazon DocumentDB Developer Guide_. +