Property
Language: terraform
Severity: low
Service: documentdb
Provider: AWS

Description

The DocumentDB cluster is encrypted using AWS-managed keys instead of customer-managed KMS keys, limiting control over key management operations such as rotation and access policies. This configuration reduces the ability to customize encryption settings to meet specific security or compliance requirements.

Impact

Relying on AWS-managed keys restricts fine-grained control over encryption, potentially preventing compliance with organizational policies or regulatory standards. If the encryption key is compromised or needs to be rotated, the lack of direct management increases the risk of unauthorized data access or data exposure.

Resolution

Enable encryption at rest for the DocumentDB cluster using a customer-managed KMS key rather than the default AWS-managed key.
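The following Terraform is an added example, not part of this rule page: it shows the flagged configuration (encryption enabled but no `kms_key_id`, so the AWS-managed key is used) next to the compliant form that creates a customer-managed KMS key with rotation enabled and passes it to the cluster. Resource names, the alias, and the credential variables are placeholders.

```hcl
# Flagged: storage is encrypted, but without kms_key_id DocumentDB falls
# back to the AWS-managed key, so rotation and key policy are not yours.
resource "aws_docdb_cluster" "weak" {
  cluster_identifier = "example-docdb-weak" # placeholder name
  master_username    = var.docdb_user       # placeholder variable
  master_password    = var.docdb_password   # placeholder variable
  storage_encrypted  = true
  # kms_key_id is absent -> AWS-managed key (what this rule detects)
}

# Compliant: a customer-managed key that the account controls.
resource "aws_kms_key" "docdb" {
  description             = "CMK for DocumentDB storage encryption"
  enable_key_rotation     = true # yearly automatic rotation of key material
  deletion_window_in_days = 30   # recovery window before key destruction
}

# Alias is optional; it gives operators a stable, readable handle.
resource "aws_kms_alias" "docdb" {
  name          = "alias/example-docdb" # placeholder alias
  target_key_id = aws_kms_key.docdb.key_id
}

resource "aws_docdb_cluster" "hardened" {
  cluster_identifier = "example-docdb-hardened" # placeholder name
  master_username    = var.docdb_user
  master_password    = var.docdb_password
  storage_encrypted  = true
  # Referencing the CMK is the fix for this rule. Encryption settings are
  # fixed at cluster creation; changing kms_key_id forces a replacement, so
  # plan the migration (snapshot and restore) rather than editing in place.
  kms_key_id = aws_kms_key.docdb.arn
}
```

The rule can be checked locally before apply by confirming that every `aws_docdb_cluster` in the plan has both `storage_encrypted = true` and a non-empty `kms_key_id`.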