DocDB TLS is disabled
Description
TLS can be used to encrypt the connection between an application and a DocDB cluster. By default, encryption in transit is enabled for newly created clusters. It can optionally be disabled when the cluster is created, or at a later time. When enabled, secure connections using TLS are required to connect to the cluster.
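The setting this rule looks for lives in the cluster parameter group, not on the cluster itself. As an added example (not Checkov's own implementation of CKV_AWS_90), the checker below walks a constructed CloudFormation template and flags every `AWS::DocDB::DBClusterParameterGroup` whose `tls` parameter is set to `disabled`; treating an absent `tls` key as compliant is an assumption based on the service default described above.

```python
"""Flag DocDB cluster parameter groups that switch TLS off.

Added example, not Checkov's code: mirrors the kind of check a rule such as
CKV_AWS_90 performs on CloudFormation templates.
"""
from typing import Dict, List

RESOURCE_TYPE = "AWS::DocDB::DBClusterParameterGroup"

# Constructed sample template: one compliant group, one non-compliant group,
# and one that never mentions tls (inherits the service default of enabled).
SAMPLE_TEMPLATE = {
    "Resources": {
        "SecureParams": {
            "Type": RESOURCE_TYPE,
            "Properties": {
                "Family": "docdb4.0",
                "Description": "TLS required",
                "Parameters": {"tls": "enabled"},
            },
        },
        "InsecureParams": {
            "Type": RESOURCE_TYPE,
            "Properties": {
                "Family": "docdb4.0",
                "Description": "TLS switched off",
                "Parameters": {"tls": "disabled"},
            },
        },
        "DefaultParams": {
            "Type": RESOURCE_TYPE,
            "Properties": {"Family": "docdb4.0", "Description": "no tls key"},
        },
    }
}


def tls_enabled(resource: Dict) -> bool:
    """True unless the group explicitly sets tls to 'disabled'.

    Assumption: a missing key is treated as compliant because DocDB enables
    encryption in transit by default; the comparison is case-insensitive.
    """
    params = resource.get("Properties", {}).get("Parameters") or {}
    return str(params.get("tls", "enabled")).strip().lower() != "disabled"


def find_tls_disabled(template: Dict) -> List[str]:
    """Return the logical IDs of DocDB parameter groups with TLS disabled."""
    resources = template.get("Resources", {})
    return [
        logical_id
        for logical_id, resource in resources.items()
        if resource.get("Type") == RESOURCE_TYPE and not tls_enabled(resource)
    ]


if __name__ == "__main__":
    print(find_tls_disabled(SAMPLE_TEMPLATE))  # ['InsecureParams']
```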
Code Example
```shell
aws docdb describe-db-clusters \
  --db-cluster-identifier sample-cluster \
  --query 'DBClusters[*].[DBClusterIdentifier,DBClusterParameterGroup]'
```
Remediation
**AWS Console**
1. Sign in to the AWS Management Console, and open the Amazon DocumentDB console at https://console.aws.amazon.com/docdb.
2. In the left navigation pane, choose Clusters.
3. In the list of clusters, select the name of your cluster.
4. The resulting page shows the details of the cluster that you selected. Scroll down to Cluster details. At the bottom of that section, locate the parameter group's name below Cluster parameter group.

**CLI Command**
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0143 |
| Severity | MEDIUM |
| IaC Type | Cloudformation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_90 |