DocumentDB clusters should have encryption at rest enabled

DocumentDB clusters hold document-oriented data that frequently includes PII, session tokens, or application state. Without encryption at rest, anyone with physical or logical access to the underlying EBS volumes can read raw data. AWS encrypts using AES-256 through KMS at no additional latency cost, so there is no performance reason to leave it disabled.

Encryption at rest also covers automated backups, snapshots, and read replicas created from the cluster. Skipping it on the source cluster means every downstream copy inherits that exposure.

Retrofit consideration

DocumentDB clusters cannot have encryption enabled after creation. You must snapshot the unencrypted cluster, create a new encrypted cluster from that snapshot with storage_encrypted = true, update application connection strings, and then delete the original cluster.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_docdb_cluster.

resource "aws_docdb_cluster" "this" {
  backup_retention_period         = 7
  cluster_identifier              = "pofix-abc123"
  db_subnet_group_name            = "example-docdb-subnet-group"
  enabled_cloudwatch_logs_exports = ["audit", "profiler"]
  # Placeholder value; in real code source the password from a variable or secrets manager rather than committing it.
  master_password                 = "ChangeMe123!"
  master_username                 = "dbadmin"
  skip_final_snapshot             = true

  # Required by this control. ForceNew: it can only be set at creation time.
  storage_encrypted = true
}

What this control checks

The policy engine checks storage_encrypted on aws_docdb_cluster. It fails when the attribute is omitted or set to false. Set storage_encrypted = true to pass. You can optionally specify kms_key_id with a customer-managed KMS key ARN; if omitted, AWS uses the default aws/rds service key. Both the default key and a CMK pass this control, though many compliance programs prefer a CMK for key rotation and access policy control.
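The same rule, applied to `terraform show -json` output, as an added example that is not the control's own code: every aws_docdb_cluster must carry storage_encrypted = true, an omitted attribute counts as false, and the result notes whether a CMK or the default aws/rds key is in use. The sample plan, the function names, and the KMS key ARN are constructed for this example.

```python
"""Apply the DocumentDB encryption-at-rest control to `terraform show -json` output.
Same rule as the policy engine: every aws_docdb_cluster needs storage_encrypted = true.
Function names and the sample plan are this example's own, not the control's code."""
import json

def _cluster(address, **values):
    """Build one planned aws_docdb_cluster entry in the shape terraform show -json emits."""
    return {"address": address, "type": "aws_docdb_cluster", "values": values}

# Constructed sample plan: a CMK cluster, a default-key cluster, one set to false, one omitted.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {
    "resources": [
        _cluster("aws_docdb_cluster.cmk", storage_encrypted=True,
                 kms_key_id="arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"),
        _cluster("aws_docdb_cluster.default_key", storage_encrypted=True),
        _cluster("aws_docdb_cluster.plaintext", storage_encrypted=False),
    ],
    # Resources declared inside modules land in child_modules, so the checker walks those too.
    "child_modules": [{"address": "module.legacy",
                       "resources": [_cluster("module.legacy.aws_docdb_cluster.omitted")]}],
}}})

def _walk_modules(module):
    """Yield every resource in a plan module and its nested child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk_modules(child)

def evaluate_cluster(values):
    """Return (status, detail) for one cluster's planned values."""
    encrypted = values.get("storage_encrypted")
    if encrypted is not True:
        # Omitted is equivalent to false: the provider default is an unencrypted cluster.
        return "FAIL", "storage_encrypted omitted" if encrypted is None else "storage_encrypted = false"
    # The default aws/rds key and a CMK both pass; record which one for audit evidence.
    key = values.get("kms_key_id")
    return "PASS", f"CMK {key}" if key else "default aws/rds key"

def check_plan(plan_json):
    """Map each aws_docdb_cluster address in the plan to its control result."""
    root = json.loads(plan_json)["planned_values"]["root_module"]
    return {r["address"]: evaluate_cluster(r["values"])
            for r in _walk_modules(root) if r["type"] == "aws_docdb_cluster"}

if __name__ == "__main__":
    for address, (status, detail) in check_plan(SAMPLE_PLAN).items():
        print(f"{status} {address}: {detail}")
```

Run it against a real plan with `terraform show -json tfplan` piped into `check_plan`; any FAIL entry is a cluster that would be created unencrypted and, being ForceNew, cannot be fixed in place afterwards.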

Common pitfalls

  • Encryption cannot be toggled post-creation

    Changing storage_encrypted from false to true destroys and recreates the cluster because it's a ForceNew attribute. For existing unencrypted clusters, plan a manual snapshot-and-restore migration rather than letting Terraform replace them in place.

  • Default KMS key limits cross-account snapshot sharing

    Use a customer-managed KMS key if cross-account snapshot sharing is part of your DR or data pipeline strategy. The default aws/rds key cannot be used to share encrypted snapshots across accounts.

  • Restored clusters inherit snapshot encryption state

    Restoration from a snapshot inherits the source encryption state. An encrypted snapshot always restores as encrypted and you can't strip that back out. Keep storage_encrypted = true explicit in Terraform regardless, for policy consistency and to prevent drift.

Audit evidence

Auditors expect Config rule evaluation results showing docdb-cluster-encrypted-at-rest as COMPLIANT for every in-scope cluster. Supporting evidence includes describe-db-clusters output with StorageEncrypted: true and KmsKeyId referencing a valid KMS key ARN. For clusters using a customer-managed key, they may also request the key policy from aws kms describe-key and rotation status from aws kms get-key-rotation-status to confirm the key is active and rotation is enabled.

Framework-specific interpretation

PCI DSS v4.0: Requirement 3.5 mandates strong cryptography for stored account data. KMS-backed encryption at rest satisfies that requirement by rendering stored data unreadable. The KMS key policy and IAM controls also address Requirement 3.6, which covers protections for key access.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: docdb_cluster_encryption_at_rest_enabled

  • AWS Config Managed Rule: DOCDB_CLUSTER_ENCRYPTED

  • Checkov Check: CKV_AWS_74

  • Powerpipe Controls: aws_compliance.control.docdb_cluster_encryption_at_rest_enabled, aws_compliance.control.docdb_cluster_instance_encryption_at_rest_enabled

  • Prowler Check: documentdb_cluster_storage_encrypted

  • AWS Security Hub Control: DocumentDB.1

  • KICS Query: bc1f9009-84a0-490f-ae09-3e0ea6d74ad6

  • Trivy Check: AWS-0021

Last reviewed: 2026-03-09