AWS-DocumentDB-clusters-audit-logs-enable-for-log-export

Severity: Medium

Description: This control ensures that the Audit log type under Log exports is published to AWS CloudWatch for the DocumentDB DB cluster. These logs play a vital role in debugging, troubleshooting, detecting malicious activity, and security audits. The "Log exports" option for a DocumentDB cluster publishes the audit logs to CloudWatch for further processing and storage. The appropriate log types should be published so that the source of any security incident can be traced.

Remediation Steps:

Perform the following to enable audit log export for a DocumentDB cluster:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the DocumentDB console.

  3. Click on the database cluster to be modified, then click Modify.

  4. Under Log exports, select the Audit log type.

  5. Click on the Continue button.

  6. Under the Scheduling of modifications option, select Apply Immediately.

  7. Click on the Modify Cluster button.

Important:

  • This control does not apply to AWS GovCloud.

  • Logs from China (Ningxia) region cannot be published to CloudWatch.
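An automated form of the check and of the remediation steps above, written for this page as an added example (not Blue Hexagon's or AWS's own tooling). It evaluates the `DBClusters` entries returned by the boto3 `docdb` client, skips the regions the Important notes exempt, and builds the `modify_db_cluster` arguments that mirror the console steps; the region identifiers used for the exemptions and the sample cluster records are constructed assumptions.

```python
"""Detect DocumentDB clusters without CloudWatch audit-log export and build the
remediation call (added example; not part of the original control text)."""

# Regions the control exempts (see Important above): the GovCloud partition
# and China (Ningxia), where DocumentDB logs cannot be published to CloudWatch.
# Assumption: these are the region codes meant by the notes.
EXEMPT_REGIONS = {"us-gov-west-1", "us-gov-east-1", "cn-northwest-1"}


def audit_export_enabled(cluster: dict) -> bool:
    """True when 'audit' is listed in the cluster's EnabledCloudwatchLogsExports
    (field name as returned by docdb describe_db_clusters)."""
    return "audit" in cluster.get("EnabledCloudwatchLogsExports", [])


def noncompliant_clusters(clusters: list, region: str) -> list:
    """Identifiers of clusters in `region` lacking audit log export.
    Exempt regions yield no findings instead of false positives."""
    if region in EXEMPT_REGIONS:
        return []
    return [c["DBClusterIdentifier"] for c in clusters if not audit_export_enabled(c)]


def remediation_params(cluster_id: str) -> dict:
    """Keyword arguments for boto3 docdb.modify_db_cluster matching the console
    steps: enable the audit log type and apply immediately. Export only publishes
    events the cluster parameter group already generates (its audit_logs
    parameter); this helper does not change that parameter."""
    return {
        "DBClusterIdentifier": cluster_id,
        "CloudwatchLogsExportConfiguration": {"EnableLogTypes": ["audit"]},
        "ApplyImmediately": True,
    }


# Constructed sample of a describe_db_clusters response (not real clusters).
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "docdb-prod", "EnabledCloudwatchLogsExports": ["audit", "profiler"]},
    {"DBClusterIdentifier": "docdb-dev", "EnabledCloudwatchLogsExports": ["profiler"]},
    {"DBClusterIdentifier": "docdb-legacy"},  # key absent: nothing is exported
]

if __name__ == "__main__":
    import boto3  # only needed for the live check and remediation

    region = "us-east-1"  # assumption: the region being audited
    docdb = boto3.client("docdb", region_name=region)
    clusters = docdb.describe_db_clusters()["DBClusters"]
    for cluster_id in noncompliant_clusters(clusters, region):
        print("enabling audit log export on", cluster_id)
        docdb.modify_db_cluster(**remediation_params(cluster_id))
```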

Reference:

Blue Hexagon Proprietary