
DocumentDB instance logging should be enabled

DocumentDB clusters generate audit and profiler logs, but these logs are only useful if they leave the cluster and land in CloudWatch Logs, where they can be searched, alarmed on, and retained independently of the cluster. Without enabled_cloudwatch_logs_exports set, logs exist only ephemerally within the database engine and are lost on instance restarts or cluster deletion.

Audit logs capture authentication attempts, DDL operations, and authorization failures. Profiler logs record query execution details including slow queries. Both are needed for investigating unauthorized access, diagnosing performance issues, and satisfying compliance requirements that mandate centralized, tamper-resistant log storage.

Retrofit consideration

Enabling CloudWatch Logs exports on an existing cluster triggers a modification that may cause a brief availability impact at the next maintenance window, or immediately if you apply the change outside that window. The cluster parameter group also needs audit_logs = "enabled", or the export target will exist but collect nothing.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_docdb_cluster.

resource "aws_docdb_cluster" "this" {
  backup_retention_period         = 7
  cluster_identifier              = "pofix-abc123"
  db_subnet_group_name            = "example-docdb-subnet-group"
  # The argument this control checks: export both log types to CloudWatch Logs.
  enabled_cloudwatch_logs_exports = ["audit", "profiler"]
  # Placeholder credentials for illustration only; source the real password
  # from a secrets store or a sensitive variable.
  master_password                 = "ChangeMe123!"
  master_username                 = "dbadmin"
  skip_final_snapshot             = true
}

What this control checks

This control validates that an aws_docdb_cluster resource includes the enabled_cloudwatch_logs_exports argument with at least one valid log type. Accepted values are "audit" and "profiler". Omitting the argument entirely, or setting it to an empty list, fails the control.

To pass, configure the cluster with:

enabled_cloudwatch_logs_exports = ["audit", "profiler"]

Enabling the export alone is not sufficient for audit logs to flow. The associated aws_docdb_cluster_parameter_group must also set audit_logs to "enabled". Without that parameter group change, the export target exists but receives no data. Profiler logs require the profiler parameter set to "enabled" and optionally profiler_threshold_ms to control which queries are captured.

Common pitfalls

  • Audit logs require parameter group enablement

    The enabled_cloudwatch_logs_exports = ["audit"] setting on aws_docdb_cluster only tells DocumentDB where to send logs. Whether logs actually flow depends on the cluster parameter group: you need audit_logs = "enabled" in an aws_docdb_cluster_parameter_group resource. Without it, the CloudWatch log group gets created but stays empty, giving a false sense of compliance.

  • Profiler threshold defaults may suppress output

    The profiler_threshold_ms parameter defaults to 100ms. Queries faster than that threshold are not logged even when profiler is enabled. If you need comprehensive query logging for compliance, set this value lower (e.g., 0 to capture all operations), but account for the performance and cost implications before doing so in production.

  • CloudWatch Logs costs can grow quickly

    High-throughput DocumentDB clusters with both audit and profiler logging enabled at low thresholds can generate gigabytes of log data daily. CloudWatch Logs ingestion and storage pricing varies by region and usage tier. Set retention periods on the /aws/docdb/ log groups explicitly using aws_cloudwatch_log_group resources; leaving them at the default (never expire) will compound costs over time.

  • Instance-level vs cluster-level confusion

    Log exports are configured on aws_docdb_cluster, not on aws_docdb_cluster_instance. The control name references instance logging, but the Terraform configuration lives at the cluster level. Adding enabled_cloudwatch_logs_exports to an instance resource will produce a Terraform error.
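The following configuration wires together every piece the control and the pitfalls above depend on: the export argument on the cluster, the parameter group that actually turns audit and profiler logging on, explicit log groups with a retention period, and an instance resource that carries no export argument. It is an added example, not the page's own snippet or Compliance.tf code; the cluster name, the docdb5.0 family, the instance class, the subnet group name and the 365-day retention are assumptions.

```hcl
# Credentials come from a sensitive variable rather than a literal in the config.
variable "master_password" {
  type      = string
  sensitive = true
}

locals {
  cluster_name = "example-docdb" # assumed cluster name
}

# The cluster parameter group is what actually makes logs flow; the export
# argument on the cluster only says where they go.
resource "aws_docdb_cluster_parameter_group" "logging" {
  family = "docdb5.0" # assumed engine family
  name   = "${local.cluster_name}-logging"

  parameter {
    name  = "audit_logs"
    value = "enabled"
  }

  parameter {
    name  = "profiler"
    value = "enabled"
  }

  # The default 100 ms threshold silently drops faster queries; 0 records
  # every operation. Raise it if volume or CloudWatch cost is a concern.
  parameter {
    name  = "profiler_threshold_ms"
    value = "0"
  }
}

# Create the /aws/docdb/<cluster>/<type> log groups up front so the retention
# policy is in place before DocumentDB starts writing to them.
resource "aws_cloudwatch_log_group" "docdb" {
  for_each          = toset(["audit", "profiler"])
  name              = "/aws/docdb/${local.cluster_name}/${each.key}"
  retention_in_days = 365 # assumed; match your framework's retention requirement
}

# Log exports live on the cluster, never on the instance.
resource "aws_docdb_cluster" "this" {
  cluster_identifier              = local.cluster_name
  master_username                 = "dbadmin"
  master_password                 = var.master_password
  db_subnet_group_name            = "example-docdb-subnet-group" # assumed
  db_cluster_parameter_group_name = aws_docdb_cluster_parameter_group.logging.name
  enabled_cloudwatch_logs_exports = ["audit", "profiler"]
  backup_retention_period         = 7
  skip_final_snapshot             = true

  # Ensure the log groups (and their retention) exist before the engine
  # would otherwise auto-create them with "never expire".
  depends_on = [aws_cloudwatch_log_group.docdb]
}

resource "aws_docdb_cluster_instance" "this" {
  identifier         = "${local.cluster_name}-1"
  cluster_identifier = aws_docdb_cluster.this.id
  instance_class     = "db.t3.medium" # assumed
  # No enabled_cloudwatch_logs_exports here: the provider rejects it on instances.
}
```

The for_each over the two log types produces exactly the log group names the Audit evidence section expects to find, and the depends_on is what keeps the engine from creating those groups first without a retention policy. Changing the parameter group on a running cluster is itself a modification, so expect the same maintenance-window behaviour described under Retrofit consideration.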

Audit evidence

AWS Config rule evaluation results showing DocumentDB clusters as COMPLIANT confirm that enabled_cloudwatch_logs_exports includes the expected log types. Console screenshots of the DocumentDB cluster configuration page with the "Log exports" section showing audit and profiler logs checked serve as supplementary documentation.

CloudWatch Logs log groups named /aws/docdb/<cluster-name>/audit and /aws/docdb/<cluster-name>/profiler should exist and contain recent entries. CloudTrail events for ModifyDBCluster can show when logging was enabled and by whom. Retention policies on those log groups should be documented, with the configured duration matching the retention requirement for your applicable framework.

Framework-specific interpretation

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: docdb_cluster_instance_logging_enabled

  • AWS Config Managed Rule: DOCDB_CLUSTER_AUDIT_LOGGING_ENABLED

  • Checkov Check: CKV_AWS_85

  • Powerpipe Control: aws_compliance.control.docdb_cluster_instance_logging_enabled

  • Prowler Check: documentdb_cluster_cloudwatch_log_export

  • KICS Query: 56f6a008-1b14-4af4-b9b2-ab7cf7e27641

  • Trivy Check: AWS-0020

Last reviewed: 2026-03-09