Critical

Ensure DocumentDB database instances are not accessible via Internet (Network and API)

Security & Compliance
Description

Ensuring that your DocumentDB database instances are not accessible via the internet is an essential step in protecting your data from unauthorized access. This involves configuring the network access controls to restrict access to the DocumentDB instances only from authorized sources, such as specific IP addresses or Amazon VPCs.

To implement this, you can use various security features provided by Amazon DocumentDB, including VPC endpoints, security groups, and network ACLs. You can also use IAM policies to control access to DocumentDB APIs and resources.

By implementing these security measures, you can help to ensure that your DocumentDB database instances remain secure and that your data is protected from potential security threats. It is essential to regularly review and update your security policies and configurations to ensure that your DocumentDB instances remain secure over time.

Remediation

Here are some general remediation steps that you can follow to ensure that your DocumentDB database instances are not accessible via the internet:

  1. Configure VPC endpoints for DocumentDB: VPC endpoints enable you to privately access DocumentDB within your VPC, without requiring an internet gateway or NAT instance. You can create VPC endpoints using the AWS Management Console, AWS CLI, or AWS SDKs.
  2. Update Security Groups: Review the security groups attached to your DocumentDB instances, and ensure that they are only allowing access from authorized sources, such as specific IP addresses or VPCs. Remove any unnecessary inbound rules that could allow public access to your instances.
  3. Configure Network ACLs: Network ACLs act as a firewall for subnets in your VPC. You can use network ACLs to restrict access to your DocumentDB instances based on IP addresses and ports. Ensure that your network ACLs are configured correctly to restrict access to DocumentDB from unauthorized sources.
  4. Use IAM Policies: IAM policies can be used to control access to DocumentDB APIs and resources. You can create IAM policies to grant or deny permissions for specific actions on DocumentDB resources based on various conditions, including IP addresses, VPCs, and users.
  5. Regularly review and update your security configurations: It is important to regularly review and update your security configurations to ensure that your DocumentDB instances remain secure over time. Monitor your VPC flow logs and DocumentDB audit logs to identify any potential security threats, and take necessary action to mitigate them.
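Steps 2 and 3 above boil down to one question: does any inbound security-group rule or network-ACL entry let traffic from outside the VPC reach the cluster port? The following audit script is an added example, not code from the Lightlytics page or from AWS. It evaluates security-group and network-ACL records in the shape that boto3's `ec2.describe_security_groups()` and `ec2.describe_network_acls()` return, but every record, VPC CIDR and resource ID below is constructed sample data with placeholder IDs, so it runs offline. The weak group opens port 27017 to `0.0.0.0/0`; the hardened group admits only traffic from a referenced application-tier security group, which is the shape the remediation steps call for.

```python
"""Audit whether an Amazon DocumentDB cluster port is reachable from the internet.

Added example (not part of the Lightlytics page): checks security-group and
network-ACL records in the shape that boto3's ec2.describe_security_groups()
and ec2.describe_network_acls() return. All records below are constructed
sample data; the group and ACL IDs are placeholders, not real resources.
"""
import ipaddress

DOCDB_PORT = 27017                 # default Amazon DocumentDB listener port
ANYWHERE = {"0.0.0.0/0", "::/0"}   # "open to the internet" CIDRs


def _covers_port(port, from_port, to_port, protocol):
    """True if a rule (protocol + port range) applies to TCP traffic on `port`."""
    if protocol == "-1":                 # all protocols and ports
        return True
    if protocol not in ("tcp", "6"):     # SGs use "tcp", NACLs use the number "6"
        return False
    if from_port is None or to_port is None:  # no range given: all ports
        return True
    return from_port <= port <= to_port


def find_public_sg_rules(security_groups, port=DOCDB_PORT):
    """Return (GroupId, cidr) for every inbound rule that opens `port` to the world."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not _covers_port(port, perm.get("FromPort"), perm.get("ToPort"),
                                perm.get("IpProtocol")):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            # Rules that reference another security group (UserIdGroupPairs)
            # carry no CIDR and are not internet-facing, so they are skipped.
            findings.extend((sg["GroupId"], c) for c in cidrs if c in ANYWHERE)
    return findings


def nacl_allows_ingress(entries, src_ip, port=DOCDB_PORT):
    """Evaluate NACL inbound entries the way the VPC does: the lowest RuleNumber
    that matches wins; the catch-all rule 32767 (shown as '*') denies the rest."""
    ip = ipaddress.ip_address(src_ip)
    inbound = sorted((e for e in entries if not e["Egress"]),
                     key=lambda e: e["RuleNumber"])
    for entry in inbound:
        cidr = entry.get("CidrBlock") or entry.get("Ipv6CidrBlock")
        if not cidr or ip not in ipaddress.ip_network(cidr):
            continue
        rng = entry.get("PortRange") or {}
        if not _covers_port(port, rng.get("From"), rng.get("To"), entry["Protocol"]):
            continue
        return entry["RuleAction"] == "allow"
    return False  # nothing matched: implicit deny


# ---- Constructed sample data (placeholder IDs, not real resources) ----
VPC_CIDR = "10.0.0.0/16"

WEAK_SGS = [{
    "GroupId": "sg-0000weak",
    "IpPermissions": [{
        "IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}],   # open to any IPv4 address
        "Ipv6Ranges": [], "UserIdGroupPairs": [],
    }],
}]

HARDENED_SGS = [{
    "GroupId": "sg-0000hard",
    "IpPermissions": [{
        "IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
        "IpRanges": [], "Ipv6Ranges": [],                  # no CIDR allow-listing
        "UserIdGroupPairs": [{"GroupId": "sg-0000app"}],   # only the app tier's SG
    }],
}]

NACL_ENTRIES = [
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": VPC_CIDR, "PortRange": {"From": 27017, "To": 27017}},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
]


def audit(security_groups, nacl_entries, probe_ip="198.51.100.7"):
    """Summarise both checks; probe_ip is a TEST-NET-2 address standing in for the internet."""
    return {
        "public_sg_rules": find_public_sg_rules(security_groups),
        "nacl_allows_internet": nacl_allows_ingress(nacl_entries, probe_ip),
    }


if __name__ == "__main__":
    for label, sgs in (("weak", WEAK_SGS), ("hardened", HARDENED_SGS)):
        print(label, audit(sgs, NACL_ENTRIES))
```

To use it against a live account, replace the sample lists with the `SecurityGroups` list returned by `describe_security_groups` (filtered to the groups attached to the cluster) and the `Entries` of the network ACL bound to the cluster's subnets. Note that a DocumentDB cluster is reachable only through its VPC, so a clean result here still assumes that no route (such as a VPN or peering connection) admits untrusted networks into that VPC; that is the part step 1 and the periodic review in step 5 cover.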

By following these steps, you can help ensure that your DocumentDB instances are not accessible via the internet, and that your data is protected from potential security threats.

Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.