AWS DocumentDB logging is not enabled
Description
This policy ensures that Amazon DocumentDB (DocDB) clusters have logging enabled. Enabling logging helps you monitor and troubleshoot your DocDB clusters by providing visibility into database activity and operations. This policy checks whether the `EnableCloudwatchLogsExports` property includes the required log types (`profiler` and/or `audit`).
Code Example
```hcl
resource "aws_docdb_cluster" "example" {
  ...
  enabled_cloudwatch_logs_exports = ["profiler", "audit"]
  ...
}
```
Remediation
Terraform
To fix this issue, ensure that the `enabled_cloudwatch_logs_exports` property in the `aws_docdb_cluster` resource includes one or both of the required log types (`profiler` and/or `audit`).
Example: see the `aws_docdb_cluster` block under Code Example above.
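The same check applied to a Terraform plan JSON document, one of the frameworks listed below. This is an added illustration of the policy's logic, not Checkov's own implementation of CKV_AWS_85; the plan shape assumed is that of `terraform show -json`, and the sample plan embedded in the block is constructed.

```python
import json

# Added illustration of the policy's logic (not Checkov's own CKV_AWS_85 code).
# Input shape follows `terraform show -json`: resources sit under
# planned_values.root_module.resources, attributes under "values".
REQUIRED_LOG_TYPES = {"profiler", "audit"}


def evaluate_cluster(values):
    """Return (passed, reason) for one aws_docdb_cluster attribute map."""
    exports = values.get("enabled_cloudwatch_logs_exports")
    if not exports:  # attribute absent, null, or an empty list
        return False, "enabled_cloudwatch_logs_exports is not set"
    enabled = REQUIRED_LOG_TYPES & {str(e).lower() for e in exports}
    if not enabled:
        return False, f"no profiler/audit export in {sorted(exports)}"
    return True, f"exports {sorted(enabled)}"


def walk_modules(module):
    """Yield resources from a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk_modules(child)


def evaluate_plan(plan):
    """Map each aws_docdb_cluster address to its (passed, reason) verdict."""
    root = plan.get("planned_values", {}).get("root_module", {})
    return {r["address"]: evaluate_cluster(r.get("values") or {})
            for r in walk_modules(root) if r.get("type") == "aws_docdb_cluster"}


# Constructed sample plan: a compliant cluster, one exporting a log type the
# policy does not accept, and one in a child module with the attribute omitted.
SAMPLE_PLAN = json.loads("""{"planned_values": {"root_module": {
  "resources": [
    {"address": "aws_docdb_cluster.good", "type": "aws_docdb_cluster",
     "values": {"enabled_cloudwatch_logs_exports": ["profiler", "audit"]}},
    {"address": "aws_docdb_cluster.wrong_type", "type": "aws_docdb_cluster",
     "values": {"enabled_cloudwatch_logs_exports": ["error"]}}],
  "child_modules": [{"address": "module.db", "resources": [
    {"address": "module.db.aws_docdb_cluster.unset",
     "type": "aws_docdb_cluster", "values": {}}]}]}}}""")

if __name__ == "__main__":
    for address, (passed, reason) in evaluate_plan(SAMPLE_PLAN).items():
        print(f"{'PASSED' if passed else 'FAILED'} {address}: {reason}")
```

Clusters declared inside child modules are visited too, since a plan only lists them under `child_modules`, where a root-only scan would miss them.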
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0138 |
| Severity | MEDIUM |
| IaC Type | CloudFormation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_85 |